Just tried to build a new kernel in 9.0-BETA3 with the IPFIREWALL
option, and found that the build halts with a compiler error. The
error occurs at netinet/ipfw/ip_fw_pfil.c, line 185, where the
compiler complains that the variable "len" is used before
initialization. Problem occurs on both i386
Any word regarding timing of FreeBSD 9.0-RC1? Building machines,
and would like to build with at least a release candidate rather than a beta.
--Brett Glass
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd
Thank you! Did not know to look for this in the source tree; now I
know.
--Brett Glass
At 04:24 PM 10/16/2011, Andrew Thompson wrote:
>On 17 October 2011 11:22, Brett Glass wrote:
>> Any word regarding timing of FreeBSD 9.0-RC1? Building machines, and would
>> like to build
w bugs that I'd like to avoid, as does
8.2-RELEASE. Recommendations?
--Brett Glass
So far, it
seems like the best option, but I'd be interested in other suggestions.
--Brett Glass
ikely to be a showstopper (so long as the
first won't cause me networking problems I haven't observed yet),
but both are probably worth looking into.
--Brett Glass
figuration
in a declaratory rather than a procedural environment, because
there are so many contingencies and possible combinations of
parameters. But there doesn't seem to be any combination of
variables I can assign in rc.conf that doesn't cause errors
At 11:36 AM 12/11/2011, Ben Kaduk wrote:
>Did you take the change to /etc/ttys going from cons25 to xterm 'type'?
I didn't have to change it; it was that way when the OS was installed.
Problem seems to be that the behavior (specifically, reverse video on the
25th line) doesn't quite match the x
At 12:34 PM 12/13/2011, Ben Kaduk wrote:
>If I remember correctly, your original message mentioned seeing this
>issue in emacs; have you tried reproducing it in a simpler test case?
No; when we hit the bug, we moved to SSH with a VT100 emulator so that
we could configure the system. But the syst
ters and lines (Ctrl-D and Ctrl-K),
etc. It's very obvious.
>Does it only happen on the console, or also when using a regular xterm?
I do not use regular xterms, so I can't answer that, alas.
--Brett Glass
Everyone:
I've just noted that as of this month, there is no release of
FreeBSD -- on any branch -- whose EOL is less than a year away.
Should there not be at least one release with extended support?
--Brett Glass
ctual progress toward a release? There appears to be no
"to do" list (as there was for previous releases), and therefore
no way to easily keep abreast of progress, snags, etc.
--Brett Glass
Happy Thanksgiving to everyone in the US (and elsewhere as well)!
I encountered a strange bug when I was "trimming" the GENERIC FreeBSD
RELEASE-8.0 kernel to omit drivers for hardware that would not be used on one
target platform. I removed all of the USB Ethernet drivers except for "udav"
(Davico
-- or, if this is not
practical, quickly release a FreeBSD 8.1 which will be supported
for at least that long?
--Brett Glass
Please MFC support for ASIX AX88172A USB Ethernet to 7.3-RELEASE;
see
http://www.freebsd.org/cgi/query-pr.cgi?pr=140923
for information. Note that the AX88172 driver works with the
newer AX88172A chip, which has replaced it; the system simply needs
to be told that it does.
--Brett Glass
Everyone:
Will FreeBSD 7.1 be released in time to use it as an upgrade to
close the BIND cache poisoning hole? We'd like to upgrade affected
servers to the latest FreeBSD at the same time that we upgrade
BIND if possible.
--Brett Glass
note saying that 7.1-RELEASE is scheduled
for August.
I'm sure that a lot of folks are in the same boat as I: they'd
like to start with a complete release that doesn't need patching
and recompiling.
--Brett Glass
At 09:02 PM 7/19/2008, Xin LI wrote:
>Yes. FreeBSD 7-STA
At 09:28 PM 7/19/2008, Subhro wrote:
You need to understand the release engineering process of FreeBSD.
I've been watching it (and testing release candidates) since 2.x, so
I think I may possibly have some understanding of it by now. ;-)
The release edition is essentially created from the sta
're just doing a caching
resolver you don't have to touch it once you get it configured.
Of course, all solutions that randomize ports are really just "security by
obscurity," because by shuffling ports you're hiding the way to poison your
cache... a little.
--Brett G
I need to build up a few servers and routers, and am wondering how
FreeBSD 9.1 is shaping up. Will it be likely to be more stable and
robust than 9.0-RELEASE? Are there issues that will have to wait
until 9.2-RELEASE to be fixed? Opinions welcome.
--Brett Glass
systems.
--Brett Glass
At 04:32 PM 11/3/2012, Karl Denninger wrote:
It is utter insanity to enable, by default, filesystem options
that break the canonical backup solution in the handbook ("dump",
when used with "-L", which it must be to dump a live filesystem SAFELY.)
I have not used "dump" in many, many years. So
xist? Or have the committers
simply neglected to close them?
--Brett Glass
one of the most robust
and stable releases ever, and I used it for many years.
--Brett Glass
elease? Does the
FreeBSD project need a fresh server to be donated to handle the release?
--Brett Glass
ain. But I am
glad that this is not the holdup. I just need to plan my time so that I get
a vacation SOMETIME this season and also keep my commitments. Alas, there
have been no updates to the projected schedule or to the "To Do" list to
help me
uite used to getting "something for nothing".
>
>This isn't an attack at you Brett; this is more of a general observation.
I hope it's not. In my previous message, I offered to donate a server. Along
with some bandwidth, if that's useful.
--Brett Glass
s
of code (and I have made quite a few) have been passed quietly through
committers so as to avoid this. Maybe the situation is better now; I don't
know.
As for monetary donations: We are not a large corporation, and so could only
make relatively small ones as opposed to more v
regarding status and projected schedules. ;-)
--Brett Glass
than it is of a collaborative open source project.
And it is important to have targets.
Transparency is vital. I do not mind justified schedule slippages,
so long as I can track progress and plan appropriately. It is when I
(and everyone else) are in the dark that things get difficult.
--Brett
Building up some servers with 9.1 (latest patch level), but want to
switch to 9.2 ASAP if it is solid. How goes the build? Remaining
TODOs? Estimated release date?
re or hardware defects in individual
systems, so I am eager to hear how the new release is working for everyone.
--Brett Glass
the complaint. Is there a reason why
I should generate such a file? Or, if I don't really need to do so,
is there a way to suppress the message?
--Brett Glass
51 PM 3/23/2019, you wrote:
On Sat, Mar 23, 2019 at 6:27 PM Brett Glass
<br...@lariat.net> wrote:
Everyone:
I've been building custom kernels for FreeBSD 12.0, and have noticed
a message on the console, during boot, that I haven't seen from prior
This would be for a 386-architecture machine. Recommendations?
Also, when is 6.3-RELEASE (which will hopefully incorporate
a bunch of MFCed improvements from CURRENT) likely to happen?
--Brett Glass
Since I am not a FreeBSD developer (though I've fed folks snippets
of code to incorporate from time to time), I don't have a full time
"build" server. Where is the best way to download a daily/weekly
snapshot? ftp.freebsd.org seems only to have one snapshot per
month, and does not have one for this
't been updated in awhile and doesn't show the
usual "to do" lists or schedules Can someone give us an
estimated timeframe?
--Brett Glass
e and other
Netgraph code that was developed for it are there
--Brett Glass
ng the latest version of
bridge(4) brought in.
--Brett Glass
At 08:40 AM 10/31/2007, Alexander Motin wrote:
>Brett Glass wrote:
>>> ng_nat is part of 6-STABLE
>>
>> I've checked, and there is indeed a version there. But it's a
>> much older version without many useful option flags. ng_car
>> is not there a
hrough the server, but I want them all
to be able to communicate with the server.
--Brett Glass
As you
can guess from this and other requests, I'm looking to revise the configuration
on some specialized networking boxen so that NAT, bandwidth control, and LAN
isolation are handled in the kernel rather than in user space.
--Brett Glass
ven with SoftUpdates turned on, the cache
volume mounted with -noatime, and aufs (which uses kqueues -- a
FreeBSD invention -- to optimize multithreaded disk access), the
benchmark shows FreeBSD losing out. Why?
--Brett Glass
peeds up if you try mounting the volume -async, maintaining a
similar advantage. And mounting the volume -async is a bit dangerous, because
the cache can become very inconsistent during a crash SoftUpdates is
generally what's recommended.
--Brett Glass
At 07:14 AM 12/24/2007, Scott Long wrote:
>Brett,
>
>There could be several problems here:
>
>1. WITNESS, INVARIANTS, malloc debugging. Are any of these turned on for you?
> I don't recall if malloc debugging got turned off yet for the
>7.0 snapshots.
I nuked debugging when I recompiled the ker
asing
the size of Squid's "CACHE_MEM" memory pool (which is used for "hot" objects
and objects in transit). Squid tends to crash horribly if this pool isn't
kept quite big.
--Brett Glass
At 10:12 AM 12/24/2007, Scott Long wrote:
>It's not the same kind of hashing. The kind of "hashing" that squid
>does on the filesystem is sub optimal for UFS performance.
Squid doesn't do any "hashing" on the file system, as far as I know.
It does, of course, have a hashed directory of cached We
Scott, Adrian:
Even more interesting would be a storage schema for caches that rests
on top of FreeBSD's GEOM facility. One could bypass all filesystems
but still take advantage of the driver architecture.
--Brett Glass
At 06:09 AM 12/26/2007, Scott Long wrote:
>Yes, Squid is t
At 08:32 AM 12/26/2007, Adrian Chadd wrote:
>The biggest bonuses to gain high throughput with web caches, at least
>with small objects, is to apply temporal locality to them and do IO in
>$LARGE chunks.
By "temporal locality" I assume you mean that you expect items that
are fetched at the same t
Please commit the fixes for PRs bin/130159 and bin/131250 prior
to FreeBSD RC1. These are critical for the use of userland ppp
as a server, especially if it is performing proxy ARP.
--Brett Glass
All:
How's the release coming? I have heard that there were some
showstoppers involving file systems; have they been addressed?
I am sticking with 10.3 for production machines, but have a
customer who wants an 11.0 machine when it comes out.
--Brett
So do I. However, there have been no updates from the person you mention
in a week, so I believe it's quite reasonable to inquire as to the progress
of the release.
--Brett Glass
At 09:50 PM 9/7/2016, you wrote:
I find reading the freebsd-stable@freebsd.org list, particularly the
mes
do this doesn't constitute a
"fork" and is of enough value to warrant a bit of developer time
(though obviously different developers will take different amounts
of interest in maintaining "classic" releases).
--Brett Glass
else besides me like to see a 5.3.1 minor release
sometime around, say, February?
--Brett Glass
random sample of it
on a random day, due to the many difficulties that this can cause.
--Brett Glass
At 06:14 PM 12/19/2004, Colin Percival wrote:
>No, but quite a few people would like to see a 5.4 minor release
>sometime around, say, late February or early March.
That would work too. It's a slightly shorter than usual time between point
releases, but then, a lot of progress is being made be
It's the C language. While it's claimed to be "portable," it really doesn't
address integer size and endianism well enough.
Oddly enough, even FORTRAN did a better job. You could declare a variable
to be INTEGER*4 and that would be that, regardless of architecture.
Which ports were causing you he
a chipsets) be in 5.4?
--Brett Glass
ow things are progressing. When are we
likely to see an RC2? Given the many changes to the code since RC1,
will there be an RC3? When will the calendar and "to do" list be
updated? And will we see a release by, say, Valentine's Day?
--Brett Glass
ushed; I'm asking that the
projections, to-do lists, etc. be updated so that we who are anticipating
it have some idea of the RE team's plans going into the new year. Even if
the release date is in February, that's fine -- just so it makes for a
better product and we can anticipate
since it normally errs
on the side of expiring pages too quickly.
--Brett Glass
s the one
in 4.x, though I hope this will change). So, we'd like to upgrade them to
a patch level that includes all recent security fixes. Are ISOs available?
--Brett Glass
a cvsup from official freebsd mirrors.
True. But this requires assembling a system to do it, and then waiting hours
while I build the world and "make release". I was hoping that there was a
snapshot server up, as there was in Japan a few years ago.
--Brett Glass
their machines vulnerable.
--Brett Glass
to get 4.11. We can't be on
the cutting edge all of the time when we're making production
servers. In some cases, what we need is a tried-and-true version
with bug fixes.
--Brett Glass
At 11:04 AM 5/16/2006, Colin Percival wrote:
If you absolutely must run FreeBSD 4.11, install th
Well, y'know, if they could release a FreeBSD 2.2.9 (as was done last month), it
shouldn't be a problem to do a 4.12 release as a "last gasp" to tide us over
until September. (Hopefully, Colin and the "summer of code" folks can
work on performance enhancements to the network stack, UFS2, and the h
fering to help
me with my, er, performance problems. ;-)
Seriously: The problem is that in my tests 6.x does not surpass Linux in
performance, while 4.11 does.
--Brett Glass
At 09:39 AM 4/18/2005, Steve Ames wrote:
>Nothing stops someone other than the normal RE team from rolling something
>release-esque (like a 4.X snapshot) and requesting that it be made available
>for download on the FreeBSD sites or rolling your own release for
>internal use.
Perhaps. But
At 10:00 AM 4/18/2005, Steve Ames wrote:
>> Perhaps. But then, all of the software that recognizes "official" releases
>> and does things like download ports, etc. won't work.
>
>It would recognize it as 4.11.
Actually, it tends not to recognize it at all. If the string doesn't
say "4.11-RELEAS
At 11:20 AM 4/18/2005, Steve Ames wrote:
>Ah. Packages and /stand/sysinstall. Yeah. I haven't installed a package from
>sysinstall in YEARS so I probably wouldn't have noticed that. Getting
>security updates for packages using sysinstall is a total lose. cvsup and
>portupgrade are my tools of choi
At 11:24 AM 4/18/2005, Colin Percival wrote:
>I usually choose to allow users to shoot their own feet if they want, but
>since I wrote FreeBSD Update primarily for the benefit of less experienced
>FreeBSD users I decided that some anti-foot-shooting mechanisms were a
>good idea.
I understand. How
around for release? And, again,
when is the likely release date?
--Brett Glass
At 06:34 PM 10/15/2005, David Syphers wrote:
>http://www.freebsd.org/releases/6.0R/todo.html
>
>Linked to from the schedule page...
Been there. Want to get folks' opinions, and also more detail
than is likely to appear on the page.
--Brett
ia) or if it pays to install PCI NICs for
speed and stability.
--Brett Glass
At 08:13 PM 10/17/2005, Mike Tancsa wrote:
One thing we're looking at doing is deploying some single-core AMD64s.
Some of the motherboards use the NVidia NForce chipsets, so we
need to know if the nve driver works
I have seen lots of problem reports with the nve. A board that
works well for
ally has).
My humble opinion, for what it's worth, is that the GENERIC kernel
configuration should be very heavily commented and documented and
that the DEFAULT file will then be completely unnecessary.
Just my $0.02.
--Brett Glass
other than GENERIC),
one has to remove dozens of lines from the configuration file.
Sometimes a hundred or more. But this is simple enough; one
just deletes the lines. Having to WRITE a line to disable each
of the undesired ones is orders of magnitude more difficult --
unnecessarily so.
--
entries to
produce a kernel configuration.
I hadn't tried this Thanks to the people who have pointed out
that target in the Makefile.
--Brett Glass
ndard Time. What could be going on? Is this
a known problem?
--Brett Glass
, and yet have never seen this behavior.
By the way, the "date" command does report the correct time. It's cron
that seems to be getting the time wrong.
--Brett Glass
At 09:08 PM 11/25/2005, Joseph Koshy wrote:
>> Just created a server using FreeBSD 6.0, and it's quite
>> stable and fast. One glitch, though: Jobs scheduled to
>> run at midnight via /etc/crontab are running at 6 PM
>> (midnight GMT). I've double checked, and the CMOS clock
>> is set to local ti
At 05:40 PM 11/26/2005, Jon Dama wrote:
>What is the output of
>
>date vs date -u
>
>on your system?
>
>What's the value of machdep.adjkerntz ?
www# date
Sat Nov 26 17:53:20 MST 2005
www# date -u
Sun Nov 27 00:53:22 UTC 2005
www# sysctl -a | grep kerntz
machdep.adjkerntz: 25200
>Is /etc/localti
At 09:14 PM 11/26/2005, Peter Jeremy wrote:
>On Sat, 2005-Nov-26 15:07:26 -0700, Brett Glass wrote:
>>By the way, the "date" command does report the correct time. It's cron
>>that seems to be getting the time wrong.
>
>You haven't accidentally created a l
In
http://www.freebsd.org/cgi/query-pr.cgi?pr=26299
I've proposed changes to the Makefile in /etc/mail that I think make it
easier to reconfigure sendmail.
Right now, to change sendmail.cf, one edits "freebsd.mc" and rebuilds
sendmail.cf from it (unless one has changed /etc/make.conf, which m
At 02:38 PM 1/5/2002, Jordan Hubbard wrote:
>Of course, collecting log data for analysis from syslog is pretty
>low-tech when it comes to detecting and/or stopping attacks in
>real-time and I'd hope this wouldn't be encouraged as a general
>practice.
I can't see any reason not to use syslogd,
At 03:01 PM 1/6/2002, Arthur W. Neilson III wrote:
>recently we setup msyslog-1.08a on a number of freebsd and solaris
>based boxes, syslogging to a mysql backend.
I'd be concerned about the overhead of a full-fledged SQL database
Seems like overkill to me.
Also, I believe that "msyslog"
At 05:10 PM 1/6/2002, Arthur W. Neilson III wrote:
>msyslog is pretty cool, it's modular and has a bunch of different input
>modules for tcp, udp, streams and unix domain sockets also output
>modules for mysql, postgres, peo (hash protection) and regex. it is worth exploring
>and actually is B
Thank you for pointing this out! It may indeed be what's wedging
Apache 2.x.
I may still downgrade to 1.3.26, though. The process size is
smaller, and the only truly major difference between 1.3.x and
2.x is the new threading model, which FreeBSD can't use because
pthreads are still a kludge.
--
of August 23rd?
--Brett Glass
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message
Any chance of slipping in a fix for the GNU tar "malicious archive" bug
before 4.7 ships?
--Brett Glass
act, trust them with anything).
--Brett Glass
At 09:54 AM 9/27/2003, Murray Stokely wrote:
>On Wed, Sep 24, 2003 at 08:35:55PM -0600, Brett Glass wrote:
>> I'm waiting for the release of 4.9 to do some system upgrades (I've
>> patched the machines in the meantime, but
At 09:13 PM 12/4/2003, Igor Pokrovsky wrote:
>I've seen the same message about softupdates, but it appeared after unexpected
>power problems, when computer turned off without syncs and umounts.
In this case, it occurred after a crash... which likewise occurred
without a sync or umount. The machin
At 02:09 PM 1/20/2000 , jamiE rishaw - master e*tard wrote:
>I have a copy of this, which I am not giving out. I will probably
>fire one off to jkh for sanity,
I've been a good boy, so I hope that, er, Sanity doesn't come down the
chimney of any of the systems I administer before there's a pat
Hmmm. I haven't started at the stack to see if this is feasible,
but can't the code that implements IPFW's "established" keyword
be used to discard the ACK if it isn't associated with an
active session?
--Brett
At 05:34 PM 1/20/2000 , Warner Losh wrote:
>It is a remote exploit.
>
>Warner
That means that the code path that validates the ACK in the kernel
must be long. Long enough so that you can hose the CPU over, say,
a T1. How does one short-circuit this?
--Brett
Darren:
Glad to see you are in on this discussion.
The code you use for the "keep state" option in IPFilters might be
able to recognize that the ACK does not belong to an existing
connection. Could a fast check be implemented as a rule under
IPFilters? (If it could, it's probably a one-liner, b
Oops I've answered my own question. IPFW's "established" keyword
only checks the RST or ACK bits; it can't tell if a session is
REALLY established or not. Only a firewall that can save state
(such as IPFilters), or the kernel itself, can do this.
It'd be neat if we could use IPFilters to do a
At 06:03 PM 1/20/2000 , Darren Reed wrote:
>If you're using "flags S keep state" or "flags S/SA keep state",
>then as far as I'm aware, having read the code, you are safe.
This might be a workaround. What rule(s) would have to follow it
to block the ACK?
>I'm intrigued to know what the bug is.