Re: sshd & pam & getpwnam()

2004-06-24 Thread Nick Rogness
On Sun, 20 Jun 2004, Alexey Zagarin wrote:

> Hello!
> Does anybody know why sshd calls getpwnam() even if the user is
> authenticating via PAM? This broke remote authentication (RADIUS,
> TACACS+) when the user doesn't exist in the local password database.

This is typical behavior for most account based PAM applications
I've seen.

sshd in particular expects the user to have a system account,
even if the user has already been auth'd via PAM.  It makes sense
from sshd's standpoint because it must read information from the
user's home directory (which it gets from getpwnam).
On another note, I've yet to understand why PAM aware applications
don't do a pam_get_user (or equivalent) after PAM authentication
has been accepted as the PAM module.  This would allow the PAM
module to say "user 'bob' you are authenticated, but your REAL
username should be 'id02345'".  Sort of a username substitution.
I've had to patch the stock FTP server and c-client to do
this exact thing on our servers at work.
Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Where is FreeBSD going?

2004-01-08 Thread Nick Rogness
On Wed, 7 Jan 2004, Ryan Sommers wrote:

> On Wed, 2004-01-07 at 20:29, Nick Rogness wrote:
> > 1) Allow for paid development for a specific bug/feature
> > 
> >  - Set up some program that allows users like myself to pay for a 
> > developers time to fix a specific bug.  The company I work for 
> > would easily pay serious dollars to fix our SMP problems with 4.X.
> > Unfortunately, getting someone's attention that has a great 
> > understanding of the OS is hard to find without rude remarks and 
> > what-not.
> > 
> > You could even extend it as far as saying we will promote this PR
> > to the top of the list of tasks if you pay us XX dollars.  Or 
> > maybe, the more you pay the higher you go.
> > 
> > This would reassure the user base that things CAN get done if 
> > needed and also let the developer/bug fixer feel like they can 
> > make money and have some fun.  It will also bring in money for the 
> > project as part of that money could go back into the Project.
> > 
> > You could easily set up a "pool" mailing list (like -requests) 
> > which someone like myself would email a request with the problem 
> > description (or PR).  If a developer is interested in tackling the 
> > problem for money, we could privately negotiate a price.
> > 
> > The same can be done for driver development and others.  Make it a 
> > "Donation for a specific request".  I don't want to give money to
> > some Foundation where money can be thrown around in the wrong 
> > areas.  I want to pay the developer personally for their efforts.  
> > ( I feel the same should be done with our taxes as well ;-) 
> > 
> 
> I really don't like the idea of making this a "policy," or even some
> official part of the project. I think this might discourage some from
> contributing in hopes to be paid for it. I think a better solution for
> companies looking for this would be to post to the jobs@ mailing list
> noting that it is a temp job.

The point was not to take away from contributing developers, only 
to pay someone who is familiar with the problem.  I don't want to 
have to hire someone that doesn't have a clue on the problem and
takes 6 months to even become familiar with a specific PR.

I don't see anything wrong with paying someone who is working on 
my PR.  Even if it is a small amount.  I'm not a company and can't 
afford to hire a programmer to develop a driver for me 
personally.  However, if someone is working on a driver already 
and is time constrained, I would pay some money to help relieve 
some of the time stress involved.  I gave suggestions for keeping
developers happy and efficient.  Money is the only REAL answer.

Perhaps this could be done through a company that contracts just
FreeBSD developers.  I know of no such company.  I guess I will 
have to be satisfied with -jobs for now.

> 
> I don't think giving priority to paying entities is a path the project
> should tread down. If someone needs FreeBSD developer work they should
> look for someone to hire. Something like this might also jeopardize the
> project's "not for profit" status. I think the jobs@ mailing list would
> be a better start. (I'm going to be looking for a full time job in about
> 11 months and if I got one where I got to code/administer BSD I'd feel I
> was in Heaven.) :-)

Agreed. 

-- 
Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips
 



Re: Where is FreeBSD going?

2004-01-07 Thread Nick Rogness
On Tue, 6 Jan 2004, Mark Linimon wrote:

> 
> > In short, you can put all the effort you want in, but -core
> > and many with a commit bit will resent you for it, because
> > you're just a user. 
> 
> What you may be interpreting as resentment may actually just
> be frustration at being once again in the middle of being
> told "things are broken" without concrete suggestions about
> how it can be fixed.  Please come up with some kind of
> definite proposal that you think would alleviate your, and
> others', concerns; and post it and let us discuss it.  Keep
> in mind that as you do so it's a volunteer project, and you
> have to address the interests of the current volunteers too.
> Perhaps you can suggest a way to bring more volunteers in
> without losing any of the existing ones.  I certainly don't
> have any answers to these kinds of questions; let me take
> a look at yours.

You asked for suggestions/proposals for discussion so I came up with 
a few:

1) Allow for paid development for a specific bug/feature

 - Set up some program that allows users like myself to pay for a 
developers time to fix a specific bug.  The company I work for 
would easily pay serious dollars to fix our SMP problems with 4.X.
Unfortunately, getting someone's attention that has a great 
understanding of the OS is hard to find without rude remarks and 
what-not.

You could even extend it as far as saying we will promote this PR
to the top of the list of tasks if you pay us XX dollars.  Or 
maybe, the more you pay the higher you go.

This would reassure the user base that things CAN get done if 
needed and also let the developer/bug fixer feel like they can 
make money and have some fun.  It will also bring in money for the 
project as part of that money could go back into the Project.

You could easily set up a "pool" mailing list (like -requests) 
which someone like myself would email a request with the problem 
description (or PR).  If a developer is interested in tackling the 
problem for money, we could privately negotiate a price.

The same can be done for driver development and others.  Make it a 
"Donation for a specific request".  I don't want to give money to
some Foundation where money can be thrown around in the wrong 
areas.  I want to pay the developer personally for their efforts.  
( I feel the same should be done with our taxes as well ;-) 


2) Set up a mailing list for just new developer questions.

- A mailing list where someone can ask a stupid programming 
question without being ridiculed would be nice.  Some of us know 
how to code but are intimidated to ask as most times some 
a$$hole always responds with some crack.  This happens often on
-questions and puts a bad taste in my mouth.

Of course, this would assume that only some very tolerant -hackers 
would want to subscribe to and help answering questions.  This
would/could bring in more development.


3) Simple but time consuming requests from developers

- Isn't it possible to have developers pass off some of 
their simple tasks to others?  Think of it like a "pet dog".  
Your dog may be able to fetch your newspaper but he couldn't read it.
Still fetching the newspaper takes time!  

The requests I see are usually Jr. kernel type requests.  
Everyone wants to contribute at the kernel level but that takes 
a lot of knowhow and experience working with fbsd's kernel.  Let
users get involved with simple (stupid) tasks which are time 
consuming.  Now define "simple"...


4) More FreeBSD (Con) promotion

- I see little news about FreeBSD anymore.  Not sure what to do 
here.  I can tell you that people need to be told what to do.  If 
someone needs some help with promoting FreeBSD, they've gotta ask.

- Where the hell is the FreeBSDCon website?  Keep the current 
development talks at FreeBSDCon but add more user/admin type 
talks (not sure what it was last year cause I can't find the 
website).  Promote it better...don't have the money?  read #5


5) Other contributions

- There have got to be things not related to development that can 
help the FreeBSD project out.  A large user base that wants to 
contribute but can't code worth a hoot can contribute in other 
ways, e.g. FreeBSD Con promotion-flyers,website logos, news 
articles.  I could go on for hours about trivial things I'm sure 
people would contribute.


Just a coup

Re: Changing the NAT IP on demand?

2003-10-05 Thread Nick Rogness
On Sun, 5 Oct 2003, Wes Peters wrote:

> On Sunday 05 October 2003 01:02 am, Nick Rogness wrote:
> > On Sat, 4 Oct 2003, Leo Bicknell wrote:
> > > I'm considering options for a new project, and I think I've
> > > discovered what I think is the best idea, but I don't think current
> > > software supports the config.  I'd like to get some confirmation,
> > > and comments on if it would be hard to implement.
> > >
> > > Consider:
> > >
> > >
> > > ISP #1---\
> > >   \
> > >   FreeBSD BoxLAN
> > >   /
> > > ISP #2---/
> > >
> > > In this case the LAN would be 1918 space, the two ISP's would each
> > > provide a public IP for the FreeBSD box.
> > >
> > > Now, NAT would be required.  What I want to do is write an external
> > > application to decide the performance of ISP #1 and ISP#2, and
> > > somehow tell NAT which outside address to use.
> > >
> > > That, by itself, is not hard.  Here's the trick.  I want the switch
> > > to be seamless.  That is, if NAT is translating to ISP #1 and the
> > > application says switch to #2 the existing translations to #1 (until
> > > they go away naturally) should be kept, while new ones go to #2.
> > >
> > > The only ways I know to change the outside address seem to tear
> > > down all existing connections.
> > >
> > > Is it possible to make this work today?  Would it be hard to fix if
> > > it doesn't work today?
> >
> > This can simply not work without resetting connections.  The
> > socket pair on the "outside" would break as your outside traffic
> > switches from one to the other (src/dst would change).  There is
> > no fix, as this breaks basic IP principles.
>
> That's not at all what Leo was asking.

Sorry bout that, didn't read carefully enough.  I understand the
question now after more careful reading.

>
> Leo, you may be able to do this with ipfilter's ipnat.  Nat rules are
> traditionally processed with 'ipnat -CF', the -C clears the rules and
> the -F option clears the currently active NAT mappings.  You should
> experiment with rewriting the rules and instantiating them with -C only.
> This should leave the existing stateful mappings to the formerly
> preferred interface while creating all new mappings on the newly
> preferred interface.

In addition to keeping your NAT translations (as suggested by
Wes), you need to also keep routes for those entries as well, so
that preserved traffic remains to route out the right ISP even if
a switch occurs.

The reason for this is simple.
When you switch the route(s) to the other ISP (which you would
have to do), your existing translations would get routed out to
the wrong ISP.  You would need to keep routes for existing
translations to make sure they leave the proper 'old' interface.
This would not be necessary if each ISP allowed you to use either
public IP on each others network (not likely).

Nat (AFAIK) does not determine which interface to leave.  You can
change the source address in the packet to anything you want, this
will not tell it to leave 'interface_to_ISP#1' or
'interface_to_ISP#2'. That is a decision made using the routing
table.  Your app would have to keep track of these NAT things and
also add and remove routes from the routing table.

That is, if everything is going out ISP#1 and you decide to switch
to ISP#2 you would need to:

1) Keep existing NAT translation(s) like suggested by
   Wes.
2) Add routing table entry for each of the NAT
   translations you want to preserve to ISP#1
3) Switch default routing to ISP#2
4) When sessions are finished and NAT translations
   removed to ISP#1, the route(s) that pertain to those
   NAT translations would need to be removed.


Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips



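A model of the four-step switch above, as an added example and not code from the thread: a NAT translation table and a set of per-destination host routes are kept in step so that translations already carrying ISP#1's address keep leaving via ISP#1 after the default route moves to ISP#2, and the pins are dropped as those translations expire. The gateway struct, the ISP1/ISP2 labels and the addresses are constructed; a real controller would issue route(8) and NAT commands where this code updates in-memory tables.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

enum isp { ISP1 = 1, ISP2 = 2 };

/* A live translation: an inside host talking to an Internet destination,
 * rewritten to the public address of the ISP recorded in 'via'. */
struct nat_entry { char dst[32]; enum isp via; int active; };

/* A host route pinning one destination to one ISP's next hop. */
struct host_route { char dst[32]; enum isp gw; int active; };

struct gateway {
    enum isp default_gw;
    struct nat_entry nat[MAX_ENTRIES];
    struct host_route routes[MAX_ENTRIES];
};

void gw_init(struct gateway *g, enum isp dflt) { memset(g, 0, sizeof *g); g->default_gw = dflt; }

static int find_route(const struct gateway *g, const char *dst)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (g->routes[i].active && strcmp(g->routes[i].dst, dst) == 0)
            return i;
    return -1;
}

/* The routing table, not NAT, decides the egress link: a host route wins
 * over the default route. */
enum isp gw_egress(const struct gateway *g, const char *dst)
{
    int r = find_route(g, dst);
    return r >= 0 ? g->routes[r].gw : g->default_gw;
}

/* A new outbound flow is translated to the address of whichever ISP the
 * routing table will actually send it through. Returns the slot or -1. */
int gw_new_flow(struct gateway *g, const char *dst)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (g->nat[i].active) continue;
        snprintf(g->nat[i].dst, sizeof g->nat[i].dst, "%s", dst);
        g->nat[i].via = gw_egress(g, dst);
        g->nat[i].active = 1;
        return i;
    }
    return -1;
}

/* Steps 2 and 3: before the default route moves, pin every live translation
 * to the ISP whose address it carries with a host route. Returns the number
 * of routes added, or -1 (default route left alone) if the route table is full. */
int gw_switch(struct gateway *g, enum isp new_default)
{
    int pinned = 0;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        const struct nat_entry *e = &g->nat[i];
        if (!e->active || e->via == new_default || find_route(g, e->dst) >= 0)
            continue;
        int slot = 0;
        while (slot < MAX_ENTRIES && g->routes[slot].active) slot++;
        if (slot == MAX_ENTRIES) return -1;
        snprintf(g->routes[slot].dst, sizeof g->routes[slot].dst, "%s", e->dst);
        g->routes[slot].gw = e->via;
        g->routes[slot].active = 1;
        pinned++;
    }
    g->default_gw = new_default;   /* step 3, only once the pins are in place */
    return pinned;
}

/* Step 4: when a translation expires, drop its pinning route unless another
 * live translation to the same destination still relies on it. */
void gw_expire(struct gateway *g, int slot)
{
    g->nat[slot].active = 0;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (g->nat[i].active && strcmp(g->nat[i].dst, g->nat[slot].dst) == 0)
            return;
    int r = find_route(g, g->nat[slot].dst);
    if (r >= 0) g->routes[r].active = 0;
}

/* The invariant the thread is after: every live translation leaves through
 * the ISP whose public address it was rewritten to. 0 means some flow now
 * exits the wrong link, which is the breakage a bare default-route switch causes. */
int gw_consistent(const struct gateway *g)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (g->nat[i].active && gw_egress(g, g->nat[i].dst) != g->nat[i].via)
            return 0;
    return 1;
}
```

Because the pin is a host route, a new flow to an already-pinned destination opened after the switch also exits the old ISP (gw_new_flow records that, so the invariant holds), which means the cutover is only complete once those translations have expired.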

Re: Changing the NAT IP on demand?

2003-10-05 Thread Nick Rogness
On Sat, 4 Oct 2003, Leo Bicknell wrote:

>
> I'm considering options for a new project, and I think I've discovered
> what I think is the best idea, but I don't think current software
> supports the config.  I'd like to get some confirmation, and comments on
> if it would be hard to implement.
>
> Consider:
>
>
> ISP #1---\
>   \
>   FreeBSD BoxLAN
>   /
> ISP #2---/
>
> In this case the LAN would be 1918 space, the two ISP's would each
> provide a public IP for the FreeBSD box.
>
> Now, NAT would be required.  What I want to do is write an external
> application to decide the performance of ISP #1 and ISP#2, and
> somehow tell NAT which outside address to use.
>
> That, by itself, is not hard.  Here's the trick.  I want the switch
> to be seamless.  That is, if NAT is translating to ISP #1 and the
> application says switch to #2 the existing translations to #1 (until
> they go away naturally) should be kept, while new ones go to #2.
>
> The only ways I know to change the outside address seem to tear down
> all existing connections.
>
> Is it possible to make this work today?  Would it be hard to fix if
> it doesn't work today?

This can simply not work without resetting connections.  The
socket pair on the "outside" would break as your outside traffic
switches from one to the other (src/dst would change).  There is
no fix, as this breaks basic IP principles.

A suggestion to make this kinda work would be to get a range that
ISP#1 && ISP#2 would both allow you to route in/out.  Then you
would have to write some app that routes your traffic out either
ISP, keeping the same "outside" range.

So you get a range (or single IP), call it X.X.X.X.  This is your
external (non 1918) address. When packets leave your FreeBSD
machine destined for the Internet, the source IP would be X.X.X.X.
Since both ISP's allow source IP X.X.X.X out, it is only a matter
of determining which ISP to send the traffic out to.  This would
be done by modifying the routing table (or with fw forwarding of
some sort).  The inverse is true with traffic inbound from the
Internet to X.X.X.X.

However, if you are going to go through this type of trouble, you
might as well just route peer with the ISPs via BGP or whatnot.

Nick Rogness <[EMAIL PROTECTED]>
-
  How many people here have telekinetic powers? Raise my hand.
-Emo Philips





Re: Filesystem corruption

2002-11-10 Thread Nick Rogness
On Sat, 9 Nov 2002, Poul-Henning Kamp wrote:

> In message <[EMAIL PROTECTED]>, Larry Sica writes:
> >-BEGIN PGP SIGNED MESSAGE-
> >Hash: SHA1
> >
> >Not sure if hackers is the correct place to ask about this but...
> >
> >On Friday, November 8, 2002, at 06:28 PM, Nick Rogness wrote:
> >
> >>
> >> We have a server that is doing some weird things.  /var/mail filesystem
> >> (/dev/idad2s1e)  is reporting errors during certain tasks (like dump).
> >> It does fsck clean umounted.  I have yet to see this type of error and
> >> can't tell whether this is a bug or a hardware problem:
> >>
> >> Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno
> >> -791620152
> >> Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno
> >
> >I've seen mention of this before, not sure what the fix was.  I heard
> >about this a few years ago on some quantam drives, the guy updated his
> >firmware and it went away iirc.  Does it do this only when you dump or
> >under other circumstances?  If other circumstances, which ones?
>
> The fix is to not run dump(8) on a live filesystem.  You should
> either use a snapshot or umount the device.

I've been running dump for years on live filesystems with FreeBSD
and never had a problem.  I was not aware of any snapshot feature
available for 4.X-STABLE (only 5.0)?

umounting a live filesystem to back it up is not a solution.  What
should I be using to backup a live filesystem?


Nick Rogness <[EMAIL PROTECTED]>
-
 "Wouldn't it be great if we could answer people with a
  kick to the crotch?"  [EMAIL PROTECTED]



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message



Filesystem corruption

2002-11-08 Thread Nick Rogness

We have a server that is doing some weird things.  /var/mail filesystem
(/dev/idad2s1e)  is reporting errors during certain tasks (like dump).
It does fsck clean umounted.  I have yet to see this type of error and
can't tell whether this is a bug or a hardware problem:

Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno -791620152
Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno -791620151
Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno -791620150
Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno -791620149
Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno -791620148
Nov  8 15:41:20 pop1 /kernel: dscheck(#idad/0x20014): negative b_blkno -791620147



Machine and Error information listed below:



ida0:  port 0x4000-0x40ff mem 0xc6ff-0xc6ff00ff irq 5 at device 0.0 on pci5
ida0: drives=3 firm_rev=4.50
idad0:  on ida0
idad0: 17363MB (35561280 sectors), blocksize=512
idad1:  on ida0
idad1: 52091MB (106683840 sectors), blocksize=512
idad2:  on ida0
idad2: 104195MB (213392160 sectors), blocksize=512


pop1# uname -a
FreeBSD pop1 4.7-STABLE FreeBSD 4.7-STABLE #2: Thu Oct 31 09:28:08 MST 2002 root@pop1:/usr/src/sys/compile/LOCAL  i386

pop1# mount
/dev/idad0s1a on / (ufs, local)
/dev/idad0s1g on /usr (ufs, local, soft-updates)
/dev/idad1s1e on /usr/home (ufs, local, nodev, nosuid, with quotas, soft-updates)
/dev/idad0s1e on /var (ufs, local, soft-updates)
/dev/idad0s1f on /var/spool (ufs, local, nodev, nosuid, soft-updates)
/dev/idad2s1e on /var/mail (ufs, local, nodev, nosuid, with quotas, soft-updates)
mfs:26 on /tmp (mfs, asynchronous, local, nodev, nosuid)
procfs on /proc (procfs, local)


pop1# df
Filesystem     1K-blocks     Used    Avail Capacity  Mounted on
/dev/idad0s1a    1032142    87194   862378     9%    /
/dev/idad0s1g    6112686  1255342  4368330    22%    /usr
/dev/idad1s1e   52512106 10068846 38242292    21%    /usr/home
/dev/idad0s1e    2064302   335346  1563812    18%    /var
/dev/idad0s1f    2064302   658416  1240742    35%    /var/spool
/dev/idad2s1e  105027110 24646574 71978368    26%    /var/mail
mfs:26            515598       36   474316     0%    /tmp
procfs                 4        4        0   100%    /proc


pop1# dump 0af /dev/nrsa0 /var/mail
  DUMP: Date of this level 0 dump: Fri Nov  8 15:38:19 2002
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/idad2s1e (/var/mail) to /dev/nrsa0
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 24476457 tape blocks.
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: read error from /dev/idad2s1e: Invalid argument: [block -1245853416]: count=1024
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853416]: count=512
  DUMP:   DUMP: read error from /dev/idad2s1e: Invalid argument: [block -1245853414]: count=10240
read error from /dev/idad2s1e: Invalid argument: [sector -1245853415]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853414]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853413]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853412]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853411]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853410]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853409]: count=512
  DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853408]: count=512
  DUMP:   DUMP: read error from /dev/idad2s1e: Invalid argument: [sector -1245853407]: count=512
read error from /dev/idad2s1e: Invalid argument: [block -1245853394]: count=5120


Nick Rogness <[EMAIL PROTECTED]>
-
 "Wouldn't it be great if we could answer people with a
  kick to the crotch?"  [EMAIL PROTECTED]






Re: gif(4) tunnel through MSN DSL modem

2002-06-11 Thread Nick Rogness

On Tue, 11 Jun 2002, John Nielsen wrote:

> > On Tue, 11 Jun 2002, John Nielsen wrote:
> > >
> > >
> > My best guess would be that the modem is doing some anti-spoofing
> > between its interfaces to prevent packets coming from the inside
> > having its outside IP.  You will be able to tell if NO ipencap
> > packets are received on the remote BSD machine.
> 
> Could you elaborate on this?  Since that does seem to be the problem (or at
> least a strong candidate), what would I have to do to work around this?  I
> don't suppose it's possible to create a gif tunnel inside an ssh tunnel, is
> it?

Well it's simple.  The modem has 2 interfaces, one with the
public_ip and one with the private_ip (which connects to your
network).  To prevent spoofing, the modem could only allow traffic
from certain private IP's and/or not allow packets with its
public address in/out via its private interface.


Nick Rogness <[EMAIL PROTECTED]>
 - Don't mind me...I'm just sniffing your packets





Re: gif(4) tunnel through MSN DSL modem

2002-06-11 Thread Nick Rogness

On Tue, 11 Jun 2002, John Nielsen wrote:

> Hi folks,
> 
> I tried this on -questions without any luck, so I'm hoping for a better
> response here . :)
> 
> I remotely administer a FreeBSD 4.5 machine that is connected to the
> internet through an MSN DSL modem.  This modem does NAT (for a single
> client) rather than bridging the connection.  So the FreeBSD machine
> thinks its public address is 192.168.1.2 (when in reality the modem is
> the only device with a public address).  This machine is itself doing
> NAT, acting as a firewall and gateway for a private network.

Why run nat on the internal machine?  No need to do nat
twice.  Just do basic routing between interfaces unless you need
this functionality.

> 
> I would like to establish a gif(4) tunnel between this machine and my
> firewall here in order to link the two private networks into one
> virtual network.  I have done this before with two machines that were
> directly connected to the internet, but in this case the DSL modem on
> the far end seems to be fouling things up.  The modem seems to be
> passing everything through, but I haven't gotten gif to work.
> 
> Any ideas?  Here's what I've tried--this is how I'd set it up if the
> DSL modem weren't in the way.
> 

Are you receiving any packets on the remote BSD machine that are
of type ipencap?  Either log it via ipfw log or use a packet
sniffer (like tcpdump or snort) to evaluate these packets.


> [excerpts from rc.conf on far (DSL) end]
> # Private interface
> ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> # "Public" interface -- 192.168.1.2 netmask 255.255.255.252"
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="DSL.public.ip myend.public.ip"
> ifconfig_gif0="192.168.6.1 192.168.0.1"
> static_routes="john"
> route_john="-net 192.168.0 -interface gif0"
> 
> [excerpts from rc.conf on this (my) end]
> # Private interface
> ifconfig_ep0="inet 192.168.0.1 netmask 255.255.255.0"
> # Public interface
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="myend.public.ip DSL.public.ip"
> ifconfig_gif0="192.168.0.1 192.168.6.1"
> static_routes="DSL"
> route_DSL="-net 192.168.6 -interface gif0"
> 
> I've tried both the modem's (real) public address and 192.168.1.1 (the
> public interface's address) for DSL.public.ip, but neither seems to
> work. Can this be made to work?  Can gif be hacked so it will work?

You will need to use the DSL's public IP probably.

> 
> I can't justify switching to a more expensive provider just so this
> tunnel will work, since it will mostly be a convenience for me and not
> the client. As far as I know, there's no way to modify any settings on
> the DSL modem itself.  I do have full access to both FreeBSD machines.  
> Again, any suggestions or even a detailed description of why this
> won't work would be appreciated.
> 

My best guess would be that the modem is doing some anti-spoofing
between its interfaces to prevent packets coming from the inside
having its outside IP.  You will be able to tell if NO ipencap
packets are received on the remote BSD machine.

On the other hand, if you are receiving these ipencap packets on
the remote side, something else is going on (like nat
interrupting).

Nick Rogness <[EMAIL PROTECTED]>
 - Don't mind me...I'm just sniffing your packets





Re: Meet fish (read on)

2002-02-27 Thread Nick Rogness

On Wed, 27 Feb 2002, Miguel Mendez wrote:

> Hi there hackers,
> 
> Some time ago, Terry proposed the creation of a graphical rc.conf
> editing tool. While the idea of mimicking the rededit program did not
> appeal much, I find it interesting to have a graphical tool for
> rc.conf management, especially for people who have just started using
> FreeBSD.
> 
> So what I'm presenting here is the bare bones skeleton of the tool I'm
> working on, so you can taste what it will look like when I finish it.
> 
> What works now: 
> 
>   - /etc/defaults/rc.conf parsing
>   - GTK UI creation for both booleans and strings
>   - Passes efence test, so no funny pointers in there.
>   
> TODO:
>   - parse and merge /etc/rc.conf
>   - Write callbacks
> 
> I'm totally open to feedback and suggestions, I'm especially interested
> in knowing what the community feeling about this tool is, is it useful
> or do you think it is a waste of time to code such a tool? What about going
> one step further and adding something like the admin tool in Solaris?

Why make it in gtk only?  I would detect if DISPLAY is defined and
if not run a util similar to /stand/sysinstall.


Nick Rogness <[EMAIL PROTECTED]>
 - Don't mind me...I'm just sniffing your packets





Re: natd ignores "natd_flags"?

2001-12-10 Thread Nick Rogness

On Mon, 10 Dec 2001, Mike D wrote:

> > [I think this question should be redirected to -questions or -net, but
> > anyway...]

-Moved to questions.

Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"





New PAM module question

2001-12-07 Thread Nick Rogness


Please direct me to the right mailing list if this is out of scope...

I have just completed a new pam module (pam_vuser) for the intended
purpose of substituting real usernames for virtual username/passwords
typed in at login time. The module does the following:


1) End users attempt to login to a service with [EMAIL PROTECTED]
2) pam_vuser looks up [EMAIL PROTECTED] in a mysql DB

MySQL DB looks like:

Virtual User              Real UID
----------------------------------------
[EMAIL PROTECTED]     --> id1
[EMAIL PROTECTED]     --> id2
...
[EMAIL PROTECTED]     --> idX

3) pam_vuser retrieves Real UserID from DB
4) pam_vuser checks real_uid with system passwd (Make sure user
   exists):

getpwnam(real_user)

5) pam_vuser checks pwd password to match against what the
   the end user typed in
6) If the passwords match, pam_vuser does a:

pam_set_item(pamh,PAM_USER,real_user);
return (PAM_SUCCESS);

Of course, there are other things that are going on but are out of
scope for this message.

The idea was to tie all of the services, IMAP, POP, SSH, FTP into this
module so we could support multiple username/domains and have duplicate
usernames.

This module works great for telnet/login.  However, I've run into a
hitch with other Applications.  Most pam-aware applications seem to do the
following:

1) Application passes username,pass to pam_module
2) pam_module returns PAM_SUCCESS after authenticating
3) App (usually) then does getpwnam on the username passed from
   the end user in step #1 
4) Application then proceeds with username and does its duty

As you can see this is a problem for my module.  Since my module
changes the username in question, the app never checks for the
username after the PAM_SUCCESS is returned.  What I really need the
Application to do after step #2 is to:

const char *new_username;
pam_get_item(pamh, PAM_USER, (const void **)&new_username); /* PAM_USER as set by the module */

Then proceed onto step #3 with the new_username provided from my module.

So anyway, onto my question.

Do I have to patch all of the above applications in order for them to get
the username before setting them up?  Or is there a better way...?

Any help would be greatly appreciated.

Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"






Re: Nat through two DSL

2001-12-07 Thread Nick Rogness

On Fri, 7 Dec 2001, Nick Rogness wrote:

> On Fri, 7 Dec 2001, Lars Eggert wrote:
> 
> > rick norman wrote:
> > 
> > > What would be nice would be to load balance on a per connection
> > > basis, not a per packet basis, between the two modems.
> > > Any ideas how to do this ?
> > 
> > 
> > Not with the current mechanisms in FreeBSD. You'd need a simple policy
> > routing engine (actually, policy forwarding). A prototype based on tun
> > devices shouldn't be too hard to put together. Basically, you'd want
> > to pick one of your links based on destination address and optionally
> > the port pair.
> 
> 
>   An idea on how you would do pseudo load-balancing, would be:
> 

Damn it, fat fingered it...corrections to firewall:


 ipfw add 500 divert natd1 ip from $NET to 0.0.0.0/1 out via $DSL_INT#1
 ipfw add 550 divert natd1 ip from 0.0.0.0/1 to any in via $DSL_INT#1
 ipfw add 560 fwd $DSL-2 ip from $NET to 128.0.0.0/1 out via $DSL_INT#1
 ipfw add 570 divert natd2 ip from any to any via $DSL_INT#2

> 
>   Where:
>   - $DSL_INT#1 is the default gateway interface.
>   - $DSL_INT#2 is the interface of the second dsl Service
>   - $DSL-2 is the IP of the gateway to the second dsl Service
>   - $NET is your local network IP subnet.
> 
> 

What the above is doing is sending anything TO 1-127.X.X.X out
dsl service 1 and sending 128-256.X.X.X out dsl service 2.



Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"





Re: Nat through two DSL

2001-12-07 Thread Nick Rogness

On Fri, 7 Dec 2001, Lars Eggert wrote:

> rick norman wrote:
> 
> > What would be nice would be to load balance on a per connection
> > basis, not a per packet basis, between the two modems.
> > Any ideas how to do this ?
> 
> 
> Not with the current mechanisms in FreeBSD. You'd need a simple policy
> routing engine (actually, policy forwarding). A prototype based on tun
> devices shouldn't be too hard to put together. Basically, you'd want
> to pick one of your links based on destination address and optionally
> the port pair.


An idea on how you would do pseudo load-balancing, would be:

ipfw add 500 divert natd1 ip from $NET to 0.0.0.0/1 out via $DSL_INT#1
ipfw add 500 divert natd1 ip from 0.0.0.0/1 to any in via $DSL_INT#1
ipfw add 250 fwd $DSL-2 ip from $NET to 128.0.0.0/1 out via $DSL_INT#1
ipfw add 550 divert natd2 ip from any to any via $DSL_INT#2

Where:
- $DSL_INT#1 is the default gateway interface.
- $DSL_INT#2 is the interface of the second dsl Service
- $DSL-2 is the IP of the gateway to the second dsl Service
- $NET is your local network IP subnet.

What the above is doing is sending anything from 1-127.X.X.X out
dsl service 1 and sending 128-256.X.X.X out dsl service 2.

It's not the best way to do it because more traffic may be going
to the lower or upper X.X.X.X in which case it would not be
symmetrical load balancing.  I would be interested to see some
measurements to see how this works for people.

PS.  I don't know if the above will work, but the firewall rules
seem to imply it would...haven't tested it though.


Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"








Re: Nat through two DSL

2001-12-07 Thread Nick Rogness

On Fri, 7 Dec 2001, Lars Eggert wrote:

> Nick Rogness wrote:
> 
> > Load sharing is not possible on a per packet basis when running 
> > NAT on the outside interfaces.  The source address for each packet
> > will be different.
> 
> 
> What prevents you from picking one source address for packets going
> out both interfaces? Your return packets won't be striped then of
> course.  (Which could make this scheme ineffective, assuming "client"
> machines receive much more than they send.)

Well, you can.  But the upstream provider has to be allowing you
to route the other ADSL's IP through their network...probably not
going to happen...unless you have some sort of BGP arrangement
with them.  If you have BGP arrangements with them this would be a
moot point.


Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"






Re: Nat through two DSL

2001-12-07 Thread Nick Rogness

On Fri, 7 Dec 2001, Lars Eggert wrote:

> Steve Ames wrote:
> 
> >>>I want to load share between two ADSL modems using a NAT/Firewall.
> ...
> 
> 
> >>>The ADSL are 500k links and I want to load share on session by session.
> >>>Can I do NAT between an inside interface and two outside interfaces 
> >>>acting in a round robin fashion?
> >>>
> >>This may not be the good idea you'd think on first glance. If one of the 
> >>paths has a slightly different RTT (and they're pretty much guaranteed 
> >>to), you'll see out-of-order delivery at the receiver. I remember seeing 
> >>some study that showed that TCP doesn't react too nicely under such 
> >>conditions (it works, but not at peak performance).
> >>
> > 
> > Is it even possible to do use two upstream paths for redundancy? I tried
> > (very briefly while I had two broadband connections while switching from
> > one to the other) to get that to work and wasn't very successful.
> 
> Redundancy is a different issue from load-sharing.
> 
> If you want to switch between a primary and a backup link there are a 
> number of ways to do this.
> 
> However, Anders was trying to stripe packets over both links (not 
> technically a problem) to increase throughtput. When running TCP over a 
> striped link, you may not see the performance gain you'd expect.
> 

Load sharing is not possible on a per packet basis when running 
NAT on the outside interfaces.  The source address for each packet
will be different.
Let's say in the most simple case the BSD machine is alternating
packets out each interface for a common destination, the source
address for the packets will be different, hence the destination
machine will be receiving packets from both nat address...which
are different.

On a per session basis, you may be able to work with ipfw fwd
(which does policy based forwarding) and the ipfw probability work
done by Luigi. man ipfw for more info.

As far as redundancy, there are a couple of options.  Both will
not be easy with your setup.

Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"







Driver help

2001-10-30 Thread Nick Rogness


The company I work for is willing to pay for someone to write a Compaq
Fibre Channel driver for FreeBSD.  Please write me personally if you are
interested.

Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"







Re: DSL connectivity & ISDN backup

2001-08-09 Thread Nick Rogness

On Thu, 9 Aug 2001, Eric Masson wrote:

Answered on -questions...

Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"





Re: /etc/rc.network and natd_enable

2001-05-04 Thread Nick Rogness

On Fri, 4 May 2001, Nick Rogness wrote:

> On Fri, 4 May 2001, Ruslan Ermilov wrote:
> > 
> 
> 
>   Damn!  And if someone enters an IP as natd_interface...does the
>   firewall rules error out?  (haven't tried it but looks as if it
>   would)

I take that back...it should work ok...sorry for the slip
up.

> 
>   I would suspect that if the user doesn't specify natd_interface in
>   rc.conf that he would have to be aware that the firewall rule for
>   nat did not get added.  I don't necessarily think that's a bad
>   thing...but maybe it is.



Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"





Re: /etc/rc.network and natd_enable

2001-05-04 Thread Nick Rogness

On Fri, 4 May 2001, Ruslan Ermilov wrote:

> On Thu, May 03, 2001 at 05:17:17PM -0500, Nick Rogness wrote:
> > In 4.2-STABLE, /etc/rc.network has entries to turn on natd.  However,
> > natd does not get enabled if you don't specify natd_interface.  What
> > if you have setup stored in a configuration file and do not wish to
> > supply an interface flag in /etc/rc.conf?  Well, natd does not turn on!
> > 
> > Would it make more sense to do something like (pseudo-ish code):
> > 
> > if (natd_enable = YES)
> > 
> > if (natd_interface defined)
> > natd -n $natd_interface $natd_flags
> > elif (natd_flags defined)
> > natd $natd_flags
> > fi
> > fi
> > 
> > It would allow for people to not specify a natd_interface but still
> > be able to run natd out of rc.conf.  What does everyone think of
> > this?
> > 
> > I guess you pay the penalty if someone doesn't setup the flags
> > properly but I guess you could write that off as a config error
> > anyways.
> > 
> ${natd_interface} is required to set up the ``divert natd'' rule
> from /etc/rc.firewall.
> 


Damn!  And if someone enters an IP as natd_interface...does the
firewall rules error out?  (haven't tried it but looks as if it
would)

I would suspect that if the user doesn't specify natd_interface in
    rc.conf that he would have to be aware that the firewall rule for
nat did not get added.  I don't necessarily think that's a bad
thing...but maybe it is.


Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"






/etc/rc.network and natd_enable

2001-05-03 Thread Nick Rogness


In 4.2-STABLE, /etc/rc.network has entries to turn on natd.  However, natd
does not get enabled if you don't specify natd_interface.  What if you
have setup stored in a configuration file and do not wish to supply an
interface flag in /etc/rc.conf?  Well, natd does not turn on!

Would it make more sense to do something like (pseudo-ish code):

if (natd_enable = YES)

if (natd_interface defined)
natd -n $natd_interface $natd_flags
elif (natd_flags defined)
natd $natd_flags
fi
fi


It would allow for people to not specify a natd_interface but still be
able to run natd out of rc.conf.  What does everyone think of this?

I guess you pay the penalty if someone doesn't setup the flags properly
but I guess you could write that off as a config error anyways.


Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"





Re: ipfw routing/netmask problem

2001-04-30 Thread Nick Rogness

On Mon, 30 Apr 2001, John Wilson wrote:

Moved to -net.


Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"





Re: ipfw routing/netmask problem

2001-04-30 Thread Nick Rogness

On Mon, 30 Apr 2001, John Wilson wrote:

This probably belongs on freebsd-net or freebsd-questions.


> 
> I have 30 IP addresses assigned to me by my ISP, for the sake of this
> example let's say I've got 90.91.92.0/27.  The FreeBSD box has 2
> interface cards, fxp0 and fxp1, fxp0 connected to the router, fxp1 to
> the ethernet switch.

OK.

> 
> The router is 90.91.92.1, fxp0 is 90.91.92.2, netmask 255.255.255.252
> (broadcast 90.91.92.3)
> 

Is the netmask on the router set as a /30 as well?


> fxp1 is bound to several IPs, 192.168.1.254 and 192.168.2.254 for two
> different types of NAT clients, and 90.91.92.4 for the DMZ.

Define "2 different types of NAT clients".  Your DMZ is not on a
separate network from your private network?  By doing that you are
getting rid of the whole concept of having a DMZ.

Also, run private address space on the DMZ or set the address of
the DMZ to be 90.91.92.17/28...see below for more details.

> 
> The intention is that NAT clients use 192.168.1.254 (or 192.168.2.254)
> as their default gateway, and DMZ clients use 90.91.92.4.
> 
> The question is how to choose a netmask for fxp1 that would exclude
> the default gateway (90.91.92.1), so the machine would route via fxp0.
> 
> Is there a way to save IPs (I need at least 12 DMZ IPs), while
> achieving the same goal?


You have 2 options here.

1) Setup proxy arp on your outside interface.  Binding the whole
/27 address range (with exception of the router's IP) to your BSD
machine.  Make natd translations accordingly.

2) Setup your DMZ using 90.91.92.16/28 IP range which gives you
enough IPs to play with, and leaves the 90.91.92.4/30 and
90.91.92.8/29 subnets to play with. Add the routes in the router
to route the subnets to your BSD machine's IP.  Make natd
translations accordingly if you decide to run private address
space for your DMZ; if not, no additional work needs to be done.


Nick Rogness <[EMAIL PROTECTED]>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"







natd divert injecting clarifications

2001-03-15 Thread Nick Rogness


Just to be sure I have it right.  When the kernel diverts the packet to
natd, via ipfw:

1) kernel sends packet to natd
2) natd read() the packet
3) natd screws with it (changes dest addr,etc)
4) natd write() the packet
5) kernel reinjects the packet back into the firewall

That's what I could get out of divert(4) and some of the natd source.
Bear with me...I'm a novice programmer.

Is this correct?

Nick Rogness <[EMAIL PROTECTED]>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"
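The five-step divert sequence asked about in this message, and the hairpin natd rules (100/200/300 on fxp0 and ep0) from the "accessing an outside IP from inside a NAT net" reply earlier on this page, as an added Python model; this is a constructed example, not the list author's code and not FreeBSD's ipfw or natd. It assumes the server's inside address is 10.0.0.130 (the address the reply text uses) and models divert as handing the packet to natd and re-entering the ruleset at the following rule.

```python
"""Toy model of ipfw first-match processing with divert-to-natd reinjection.
Constructed example: not the list author's code and not FreeBSD's ipfw/natd.
Addresses, interfaces and rule numbers follow the thread; the server's inside
address is assumed to be 10.0.0.130 as in the reply text."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is seen on (ipfw "via")
    dport: int = 0    # destination port, 0 when irrelevant


@dataclass(frozen=True)
class Rule:
    num: int
    action: str       # "divert", "allow" or "deny"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    via: str          # interface name or "any"
    target: str = ""  # natd instance name for "divert"


def _in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def rule_matches(rule, pkt):
    return (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and rule.via in ("any", pkt.iface))


class Natd:
    """Minimal natd: redirect_port to an inside host, plus rewriting of that
    host's replies so they appear to come from the public address."""

    def __init__(self, redirects):
        self.redirects = dict(redirects)  # (public addr, port) -> inside host
        self.sessions = {}                # (inside host, client) -> public addr

    def translate(self, pkt):
        key = (pkt.dst, pkt.dport)
        if key in self.redirects:         # client -> public address: rewrite dst
            inside = self.redirects[key]
            self.sessions[(inside, pkt.src)] = pkt.dst
            return replace(pkt, dst=inside)
        key = (pkt.src, pkt.dst)
        if key in self.sessions:          # inside host -> client: restore public src
            return replace(pkt, src=self.sessions[key])
        return pkt                        # unrelated traffic passes untouched


def run(rules, natds, pkt):
    """First-match walk.  Steps 1-4 of the sequence: a matching divert hands the
    packet to natd, which rewrites and returns it.  Step 5: the rewritten packet
    re-enters the ruleset at the rule after the one that diverted it."""
    rules = sorted(rules, key=lambda r: r.num)
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        i += 1
        if not rule_matches(r, pkt):
            continue
        if r.action == "divert":
            pkt = natds[r.target].translate(pkt)
            trace.append(f"{r.num} divert {r.target}")
            continue                      # reinjected: keep walking from the next rule
        trace.append(f"{r.num} {r.action}")
        return r.action, pkt, trace
    return "allow", pkt, trace            # model default: accept when nothing matched


# The three rules from the /etc/new.firewall.rules sketch in the thread.
RULES = [
    Rule(100, "divert", "any", "any", "fxp0", target="natd"),
    Rule(200, "divert", "10.0.0.0/25", "206.169.18.10/32", "ep0", target="natd"),
    Rule(300, "divert", "10.0.0.130/32", "10.0.0.0/25", "ep0", target="natd"),
]


def new_natd():
    return Natd({("206.169.18.10", 80): "10.0.0.130"})  # redirect_port tcp ... :80


def hairpin(with_reply_rule=True):
    """Client 10.0.0.5 connects to the server's public address across ep0.
    Returns (dst the server sees, src the client sees on the reply)."""
    natds = {"natd": new_natd()}
    rules = [r for r in RULES if with_reply_rule or r.num != 300]
    _, req, _ = run(rules, natds, Packet("10.0.0.5", "206.169.18.10", "ep0", 80))
    # The server answers the client directly; the reply crosses ep0 as well.
    _, rep, _ = run(rules, natds, Packet(req.dst, req.src, "ep0"))
    return req.dst, rep.src


if __name__ == "__main__":
    print(hairpin(True))   # ('10.0.0.130', '206.169.18.10'): reply matches the connection
    print(hairpin(False))  # ('10.0.0.130', '10.0.0.130'): client never talked to that peer
```

Without rule 300 the server's reply reaches the client with the inside address as its source, which the client's TCP stack has no connection for, so the connect appears to hang exactly as described in the thread.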









Re: multiple IP addresses in /etc/hosts

2001-02-08 Thread Nick Rogness

On Thu, 8 Feb 2001, Eric Fiterman wrote:

> Hi:
> 
>   Is it possible to have an application like ping or telnet iterate
> through IP addresses for a given hostname, if a previous attempt fails?
> 
>   For example:
> 
>   in /etc/hosts:
> ---
>   0.0.0.1 testhost
>   0.0.0.2 testhost
>   0.0.0.3 testhost
> ---
> 
> If I attempt to 'ping testhost', and the first entry (0.0.0.1) fails, is
> there anything to configure which would allow an automatic attempt to
> ping 0.0.0.2? Is this possible?

AFAIK, not with /etc/hosts.  You could do round-robin DNS with
named but it will never be 100% of what you want to do. DNS does
not keep track of which hosts are dead or alive.

Nick Rogness <[EMAIL PROTECTED]>
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve!"






Re: building boot floppies set

2001-02-07 Thread Nick Rogness

On Wed, 7 Feb 2001, Gustavo Vieira Goncalves Coelho Rios wrote:

> May some one give me some help where i can find documentation on
> building my own boot floppy disk for freebsd ?

Most info about the FreeBSD OS can be obtained via the website
at: 

http://www.freebsd.org

For your particular question, the doc can be found at:

http://www.freebsd.org/handbook/install-guide.html#INSTALL-FLOPPIES

For future reference, questions like these should be sent to:

[EMAIL PROTECTED]

Best of Luck!

Nick Rogness
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve "






Re: echo request deny

2001-02-06 Thread Nick Rogness

On Tue, 6 Feb 2001, milunovic wrote:

> Is there anyway to deny echo request on FreeBSD (except ipfw add deny
> icmp from any to any) ?
> On Linux It was simple,just echo 1>/proc/.../icmp_echo_request

If you just want to block echo_requests and don't want to
block any other ICMP why not use ipfw?

ipfw add 1000 deny icmp from any to any in via xl0 icmptypes 8

This will still allow other icmp to work...so why not use it?

Nick Rogness
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve "






Re: IP Address Overtaking

2001-01-24 Thread Nick Rogness

On Wed, 24 Jan 2001, Andreas Brodmann wrote:

> 
> On normal internetworking hosts, without the necessity of high availability
> this works fine. Not all hosts do update or even flush their arp cache with
> the same frequency though. Some have a cycle of less than one minute on
> routers on the other hand the default arp cache timeout is a lot higher which
> would force clients not in the same subnet to wait until the router flushes
> its arp cache until they can access your FreeBSD machine again.
> -> not ha compliant.

The time it takes to flush is very small.  During that time the
router queues up the request and waits for a reply.  Once the
router has it, everything is transparent.

I would not recommend playing with MAC addresses at all.  Switch
things using IP and let the ARP protocol take care of itself.

> There is a way to solve this problem by having a second interface in each
> cluster
> partner serving as standby interface. To this interface you assign the mac of
> its
> partner's interface and all its interfaces ip addresses.
> 
> Just a hint: Have a look at scyld.com and Donald Becker's new Linux driver
> architecture. Many new cards allow for using more than one mac per card
> even without going into promiscuous mode. They can then be assigned to
> different subinterfaces. I don't know wheter the FreeBSD drivers support
> this. Anyway we still keep to the old fashioned way mentionned above, as the
> new Linux network driver architecture is not yet as stable as it could be, but
> once it is this would solve your problem.

I think this is a bad idea in a clustering environment.  You are
taking the job of a switch and moving it to the card/software by
fiddling with MAC addresses on the hosts.

I guess I can see where this may be useful (trunking) but taking
over the MAC could cause problems...like duplicate MACs etc, etc.

Of course, this is my opinion and I could be wrong.

Nick Rogness
- Keep on routing in a Free World...  
  "FreeBSD: The Power to Serve "






Re: accessing an outside IP from inside a NAT net

2001-01-19 Thread Nick Rogness

On Fri, 19 Jan 2001, Ian Kallen wrote:

> Well, I've been fiddling with the ipfw syntax, I thought this would do it
> /sbin/ipfw add divert 80 all from 10.0.0.128/25 to 206.169.18.10 via ep0
> but that ain't it.
> 
> 10.0.0.128/25 has servers, 10.0.0.0/25 has clients, both gateways 
> 10.0.0.1 and 10.0.0.129 run off ep0... yes, I've been reading the ipfw man
> page and the archives, yet even though the two nets can access each other 
> directly, I haven't been able to get the clients to access any server
> resources via the 206.169.18.10 nat.  Further suggestions?
> thanks,
> -Ian

For the following solution, let's assume that you have 2 logical
networks 10.0.0.0/25 and 10.0.0.128/25 both bound to the inside
interface ep0 (which may or may not be true).  Your outside
interface we'll call fxp0.  Your server's inside address is
10.0.0.130 and outside address 206.169.18.10.

In /etc/new.firewall.rules:

# Divert outside packets in & out
ipfw add 100 divert natd ip from any to any via fxp0

# Divert packets from the 10.0.0.0/25 network to the server going to
# the public server address
ipfw add 200 divert natd ip from 10.0.0.0/25 to 206.169.18.10 via ep0

# Divert packets from the server back to the 10.0.0.0/25 network
ipfw add 300 divert natd ip from 10.0.0.130/32 to 10.0.0.0/25 via ep0

-

In /etc/natd.conf:

use_sockets
same_ports
port 8668
deny_incoming no
log
redirect_port tcp 10.0.0.128:80 206.169.18.10:80

-

You could also run a separate natd because you may run into
problems with the alias address that natd is using.  In this
case, a simple rule may do the trick:

ipfw add 200 divert natd ip from any to any via ep0

Of course, I am making assumptions on how your network is laid
out.

Nick Rogness
- Drive defensively.  Buy a tank.







Re: accessing an outside IP from inside a NAT net

2001-01-19 Thread Nick Rogness

On Fri, 19 Jan 2001, Ian Kallen wrote:

> Well, I've been fiddling with the ipfw syntax, I thought this would do it
> /sbin/ipfw add divert 80 all from 10.0.0.128/25 to 206.169.18.10 via ep0
> but that ain't it.
> 
> 10.0.0.128/25 has servers, 10.0.0.0/25 has clients, both gateways 
> 10.0.0.1 and 10.0.0.129 run off ep0... yes, I've been reading the ipfw man
> page and the archives, yet even though the two nets can access each other 
> directly, I haven't been able to get the clients to access any server
> resources via the 206.169.18.10 nat.  Further suggestions?
> thanks,
> -Ian


Also 10.0.0.128 is on a subnet boundary when used with a /25
netmask and therefore can not be used.  How are the network clients
and servers configured on the 10.0.0 network?


Nick Rogness
- Drive defensively.  Buy a tank.







Re: accessing an outside IP from inside a NAT net

2001-01-19 Thread Nick Rogness

On Fri, 19 Jan 2001, Ian Kallen wrote:

> Well, I've been fiddling with the ipfw syntax, I thought this would do it
> /sbin/ipfw add divert 80 all from 10.0.0.128/25 to 206.169.18.10 via ep0
> but that ain't it.
> 
> 10.0.0.128/25 has servers, 10.0.0.0/25 has clients, both gateways 
> 10.0.0.1 and 10.0.0.129 run off ep0... yes, I've been reading the ipfw man
> page and the archives, yet even though the two nets can access each other 
> directly, I haven't been able to get the clients to access any server
> resources via the 206.169.18.10 nat.  Further suggestions?

I have had this same problem before and have solved it when
dealing with setup of a DMZ using FreeBSD.

This is actually a pretty tricky ipfw setup to get it to work
right (depending on network layout).  Let me see if I can give you
the details.  But first I need a tad more details on how your
network is laid out.

Are 10.0.0.129 & 10.0.0.1 bound to the same ethernet card?



Nick Rogness
- Drive defensively.  Buy a tank.







Re: accessing an outside IP from inside a NAT net

2001-01-19 Thread Nick Rogness

On Fri, 19 Jan 2001, Ian Kallen wrote:

> 
> I'd like a hand figuring out how to access resources on the internal side
> of a NAT net from within it without doing something kludgey with DNS.
> i.e. suppose I run natd with a configuration like this:
> 
> # begin /etc/natd.conf
> use_sockets
> same_ports
> port 8668
> deny_incoming no
> log
> redirect_port tcp 10.0.0.128:80 206.169.18.10:80
> # end /etc/natd.conf
> 
> Now if the DNS for the web server www.foo.com running on 10.0.0.128
> directs a browser on the 10.0.0.0 net to 206.169.18.10, it doesn't get
> routed back to 10.0.0.128; it just hangs (I'm acutally not sure what's
> happening there, the connction never succeeds). Is there a nice way to
> handle this case without running a dummy DNS just for the 10.0.0.0
> internal net?


Run a firewall rule for diverting packets on your inside
interface for that web server.


Nick Rogness
- Drive defensively.  Buy a tank.







Re: Help

2000-10-31 Thread Nick Rogness

On Tue, 31 Oct 2000, Ron MacPherson wrote:

> Can you assist me with a Free BSD problem. One of my customers had a College kid
> mess with his Unix Kernel.
> Now they can no longer access their E-mail ???
> Could he have turned off Email somehow, when he messed around with the Unix kernel???

Probably not.  However, it is possible if he turned on IPFIREWALL
or something like that and the packets are being denied by
default. 

Boot the GENERIC kernel (kernel.GENERIC) from the boot
loader.  See if that fixes it.

Otherwise, give more detail, like how Email is broken.


Nick Rogness
- Drive defensively.  Buy a tank.







Re: gateway on different subnet

2000-10-24 Thread Nick Rogness

On Tue, 24 Oct 2000, Marko Ruban wrote:

> IT WORKED !
> the arp way is the true way hehehe
> 
> 
> Thanks to everyone who has replied with suggestions, especially to Nick
> whose suggestion was the answer I needed :)

Actually it was Mr. Biffle (Les Biffle <[EMAIL PROTECTED]>).  I
will make sure to document it though.  Thanks for the reply.


Nick Rogness
- Drive defensively.  Buy a tank.








Re: gateway on different subnet

2000-10-23 Thread Nick Rogness

On Mon, 23 Oct 2000, Les Biffle wrote:

> > Hm -- how about using proxy-arp style routing?
> 
> Here's what I've done in the past:
> 
> 1.  Have a friend out in the net ping your address 208.59.162.242
> 
> 2.  Run tcpdump and look for someone ARPing for you.  That someone
> will very likely be your default gateway as seen from your site.
> If that router is in your subnet, set your default to it and you're
> done.  If not, continue at the next step.
> 
> 3.  Pick an IP Address in your cable subnet that feels like a really
> good router address to you.  Make something up.  208.59.162.1 perhaps?
> 
> 4.  Use "arp -s 208.59.162.1 xx:xx:xx:xx:xx:xx" to install an arp
> entry in your route table for this made-up address.  That will keep
> you from ARPing for 208.59.162.1 and discovering the device that
> really owns that address.
> 
> 5.  Set your default gateway to 208.59.162.1.


If that doesn't work (it should), you could also look into the
ipfw fwd option.

I would like to know when you get it to work...

Nick Rogness
- Drive defensively.  Buy a tank.







Re: Routing issue with cable modem

2000-10-20 Thread Nick Rogness

On Fri, 20 Oct 2000, Nick Rogness wrote:

Made an error in my previous statement, clarification below:

> On Fri, 20 Oct 2000, Marko Ruban wrote:
> 
> > I tried replicating my windows routing table in freebsd.
> > Only one entry didn't work... (guess)
> > "route add default 10.17.56.xx"
> > 
> > I'm cursed !
>   
>   My guess guess would be your DHCP client is not working right.  
>   Is it suppose to be using DHCP?  Is it really something else like
>   PPPoE?
> 
>   You see, the problem is not that the network is unreachable.  It
>   is that the default network is not DIRECTLY reachable.  This is a
>   violation of basic routing principles...although many devices work

This is not necessarily true.  There are some instances
where this is perfectly legal and are out-of-scope for
this mail.  However, they are usually
handled by dynamic routing protocols and/or other
equipment/software interaction.

This argument has come up before on this list and the
concept has gone back and forth on why's and why not's.


>   with that setup (Windows,Cisco,etc).  FreeBSD does not allow you
>   to add a default route to a network that is not directly
>   connected.
> 
>   Why don't you dump your windows routing table `route -print` to
>   the list and we could put together a routing table for you or see
>   what is actually going on.
> 

Nick Rogness
- Drive defensively.  Buy a tank.










Re: Routing issue with cable modem

2000-10-20 Thread Nick Rogness
> >> > > defaultrouter="10.17.56.12"   #<-- fails with symptom previously
> described
> >> >
> >> > DHCP will normally configure the default route for you -- try setting
> >> > this to NO.
> >>
> >> Tried setting to NO... DHCP doesn't seem to add a default route, so in my
> case it
> >> makes no difference really.
> >> Should it add default route?
> >
> >Normally, yes.  You sort of need default route and netmask in order to
> >make things work.  This should happen with the stock dhclient.conf
> >(which is empty).  You could try to run dhclient by hand, something
> >like:
> >
> > # killall dhclient
> > # dhclient -dD ed0
> >
> >Or whatever your interface is.  Terminate it with Ctrl+C. You should
> >get a bunch of files in /tmp, containing values received from the
> >server.  You may also get some interesting error messages.
> 
> Tried "dhclient -d -D ed0" no files are written to /tmp dir.
> Do you think it could be a problem with my dhclient ?
> I tried using wide-dhcp client earlier, with even less success.
> 
> Marko
> 

Nick Rogness
- Drive defensively.  Buy a tank.








Re: Frustration with SCSI system

2000-09-20 Thread Nick Rogness

On Wed, 20 Sep 2000, Alfred Perlstein wrote:

> * Edward Elhauge <[EMAIL PROTECTED]> [000920 12:48] wrote:
> > Hello Freebsders,
> > 
> > I've been using FreeBSD over the last 6 years (since I switched from
> > NetBSD) to run a small ISP out of my basement.
> > 
> > I've had about six disk crashes in as many years and still don't know how
> > to work reliably with them.
> 
> "man vinum"
> 
> software mirroring == good.

The question should be, "How much do you want to spend?"  Depending
on how you answer that question, you could choose either software
or hardware RAID.  I've always had better luck with hardware
RAID cards compared to software RAIDs.  Although vinum sounds
like a great package, I have little experience with it...only ccd,
which is why I went with a hardware solution.

If you've got money, get a RAID controller (supported by
FreeBSD).  Then you don't have the root limitation that comes with
vinum.

If you don't have money, use vinum.  Either way, use RAID.

Best of luck.


Nick Rogness
- Drive defensively.  Buy a tank.








Re: Maybe OT, maybe not

2000-07-18 Thread Nick Rogness

On Tue, 18 Jul 2000, Ulf Zimmermann wrote:

> So I am basically looking for a load generator and a "server". Anyone got
> something laying around like that ?

Look in the ports under benchmarks.  DBS may be what you are
looking for, maybe not.  At least it is a place to start.

See also:

http://www.freebsd.org/ports/benchmarks.html

for more info.

Nick Rogness
- Speak softly and carry a Gigabit switch.







Re: bridging

2000-07-07 Thread Nick Rogness

On Fri, 7 Jul 2000, Narvi wrote:

> > On Thu, 6 Jul 2000, Sean Lutner wrote:
> > 
> > > 
> > > Bridges create a broadcast zone. broadcast packets will cross the bridge
> > > unobstructed.
> > 
> > OK.  So do bridged interfaces fall within the same collision
> > domain?... or are they just members of the same broadcast domain?
> > 
> 
> They can't be in the same collision domain - you'll realise it if you
> think about it for a second.

It is possible to span 2 collision domains across 1 VLAN...so
yes they could be, if it were possible with FreeBSD (is it?) to
put two ethernet cards in this setup:

           FreeBSD
        int1      int2
         /          \
        /            \
       /              \
   switch1          switch2

If int1 and int2 were part of the same collision domain, then
switch1 and switch2 would also be part of the same collision
domain and vice versa.  This would be pretty cool to see happen,
essentially making a VLAN switch (with Layer 3 capabilities).


Nick Rogness
- Speak softly and carry a Gigabit switch.









Re: bridging

2000-07-07 Thread Nick Rogness

On Fri, 7 Jul 2000, Louis A. Mamakos wrote:

> They can't be in the same collision domain -- the only way to do that
> is to have an Ethernet repeater which repeats bit by bit from one
> segment to another, and propagating a collision on one segment as a
> jam on another.
>
> On a FreeBSD box, where your interfaces to ethernet segments are NIC
> cards, you can't get your hands on the ethernet frame until the
> NIC has received it completely.  Thus, you don't have the opportunity
> to act as a repeater (not that you'd want to anyway) to have a
> single collision domain.

You know, you are right...never thought it
through completely before I sent my reply.  Sorry
everyone for the wasted bandwidth.

Have 1 more question (has to do with this bridging deal):

Anyone working on a load-sharing/load-balancing or clustering
network solution with FreeBSD?


Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: bridging

2000-07-06 Thread Nick Rogness

On Thu, 6 Jul 2000, Sean Lutner wrote:

> 
> Bridges create a broadcast zone. broadcast packets will cross the bridge
> unobstructed.

OK.  So do bridged interfaces fall within the same collision
domain?... or are they just members of the same broadcast domain?


Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: VPNs and FreeBSD

2000-07-05 Thread Nick Rogness

On Tue, 4 Jul 2000, Kris Kennaway wrote:

> On Sun, 2 Jul 2000, Nick Rogness wrote:
> 
> > On Sun, 2 Jul 2000, Stephen Hocking wrote:
> > 
> > > Has anyone done this yet? I've just acquired this shiny new cable modem and 
> > > would like to have secure access to my place of work (even though they're only 
> > > 10 minutes walk away!)
> > 
> > I have done just that with nos-tun and Road Runner service.  I
> 
> That's a Virtual Public Network, then..better not log into your work
> machines via telnet over that link :-)

No, I don't.  SSH or die ;-)  Yes, that is my definition of a VPN
tunnel.  Encryption should be added after the tunnels are built,
IMHO, and is an added functionality of your existing VPN.

That's just my opinion...however, Cisco implements it the same
way.

Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: BPF and Promiscuous Mode

2000-07-03 Thread Nick Rogness

On Mon, 3 Jul 2000, Dan Nelson wrote:

> In the last episode (Jul 03), Nick Evans said:
> > How do I set an interface in promiscuous mode permanently? In Linux
> > it's simply ifconfig  PROMISC. Is there something similar
> > in BSD? Is it some kind of sysctl command?

Stupid Man's Answer:

I would just run on bootup:

 /usr/sbin/tcpdump >> /dev/null &

Probably not the answer you are looking for, but maybe it will
help.

Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: VPNs and FreeBSD

2000-07-02 Thread Nick Rogness

On Sun, 2 Jul 2000, Stephen Hocking wrote:

> Has anyone done this yet? I've just acquired this shiny new cable modem and 
> would like to have secure access to my place of work (even though they're only 
> 10 minutes walk away!)

I have done just that with nos-tun and Road Runner service.  I
have not yet implemented the IPSEC feature for security, but the
basic tunneling seems to work.


Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: Periodic scripts [Was: Re: /etc/security -> /etc/periodic/security?]

2000-06-30 Thread Nick Rogness

On Fri, 30 Jun 2000, Fotis Georgatos wrote:

> Why bother with complex shell scripts when you can have most
> needed functionality in a single C program?
> I've found myself replacing 10-20 lines of shell code with a single line.

WHAT?  Are you crazy?  I've found just the opposite.
What shell scripting are you using?  Example to find # of 
duplicate usernames in your password file:

#!/usr/local/bin/ksh
# Count how many /etc/passwd entries carry the username given as $1
VAR1=`awk -F: '{print $1}' /etc/passwd | grep -cx "$1"`
print "Number of occurrences of $1 in /etc/passwd: $VAR1"

Let me see you replicate that in C in less than 2 lines...


Nick Rogness
- Speak softly and carry a Gigabit switch.
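As an added example that is not part of the thread, here is the same check written in Python over a constructed passwd(5) file. It goes a little beyond the ksh one-liner: it lists every duplicated username rather than counting one, and it also reports accounts that share a UID, which is the check an administrator usually wants next (on FreeBSD, toor sharing UID 0 with root is stock; any other shared UID 0 deserves a look). The function names and the sample file are mine, not the list's.

```python
"""Audit a passwd(5)-style file for duplicate usernames and shared UIDs.

Added example; the 7-field /etc/passwd layout is assumed (FreeBSD's
master.passwd has 10 fields and is not handled here)."""
from collections import defaultdict

# Constructed sample, not a real system file: "nick" appears twice, and
# toor shares UID 0 with root, as it does on a stock FreeBSD install.
SAMPLE_PASSWD = """\
# constructed sample passwd file
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
nick:*:1001:1001:Nick:/home/nick:/usr/local/bin/ksh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
nick:*:1003:1003:second nick:/home/nick2:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and '#' comments are
    skipped.  A line without exactly 7 colon-separated fields is an error
    rather than silently ignored, because a truncated entry is itself a
    finding."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell, "line": lineno})
    return entries


def count_user(entries, name):
    """The ksh one-liner's question: how many entries use this username?"""
    return sum(1 for e in entries if e["name"] == name)


def duplicate_names(entries):
    """Usernames that occur more than once, with the line numbers involved."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["name"]].append(e["line"])
    return {n: lines for n, lines in seen.items() if len(lines) > 1}


def duplicate_uids(entries, allowed=(("root", "toor"),)):
    """UIDs shared by several accounts, minus explicitly allowed pairs."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    allowed_sets = [set(pair) for pair in allowed]
    return {uid: names for uid, names in by_uid.items()
            if len(names) > 1 and set(names) not in allowed_sets}


if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    print("nick occurs", count_user(ents, "nick"), "times")
    print("duplicate names:", duplicate_names(ents))
    print("shared uids (root/toor allowed):", duplicate_uids(ents))
    print("shared uids (nothing allowed):", duplicate_uids(ents, allowed=()))
```

Pass the real file's contents to `parse_passwd` to run it against a system; `duplicate_names` is what the shell pipeline `awk -F: '{print $1}' /etc/passwd | sort | uniq -d` would give you, with line numbers added.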




2 routes/same net

2000-06-28 Thread Nick Rogness

Maybe someone on this list knows the answer...


How do you add 2 static routes to the same network through different
gateways with different metric sizes? (FBSD 4.0-RELEASE,3.3-RELEASE)
This is legal to do in routing...

Example:

# route add -net 192.168.0.0 -netmask 255.255.255.252 192.168.1.1
# route add -net 192.168.0.0 -netmask 255.255.255.252 192.168.1.2
route: writing to routing socket: File exists
add net 192.168.0.0: gateway 192.168.1.2: File exists

I thought (at 1 time) there was a -metric switch to route(8)?  Is
-hopcount associated with that?  Can you even add 2 routes to the same
network?

Thanks in adv.

Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: routing bug(?) persists (PR 16318)

2000-06-16 Thread Nick Rogness

On Sat, 17 Jun 2000, Marinos J . Yannikos wrote:

> On Fri, Jun 16, 2000 at 09:17:13PM -0400, Colin wrote:
> It's not exactly a "catch-22", since the (perfectly valid) static route to
> the default gateway's network takes precedence over the above rule (the
> default route).

So how are they handling the routes pointing to you?  Static
routes? or VLANs or what? Messy...just plain messy.  These routing
'rules' are set up for certain reasons...to stop sloppy routing
techniques.  This should all be handled by routing protocols
anyway.


> > Either you or your ISP needs to alias the adapter on
> > this set of subnets, and if you're not the only person on this multi-netted
> > section, it really should be them.
> 
> The ISP is giving away lots of /29 subnets and this is a kludge to provide
> each client with 1 more useable IP. It's not easy to get many IPs these days.

That is exactly what NAT was designed to do.  What's wrong with a
/30?  If they are running out of IPs, that is a design flaw in
the capacity planning of your ISP...or they don't know
what they are doing.  Either way, you're SOL ;-)

> 
> Windows apparently allows the configuration even without the static route to
> the gateway's network, which is very odd.

That's not surprising at all.  Windows can also not handle a /32
netmask on certain adapters.


Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: routing bug(?) persists (PR 16318)

2000-06-15 Thread Nick Rogness

On Thu, 15 Jun 2000, Marinos J . Yannikos wrote:

> On Thu, Jun 15, 2000 at 11:44:14AM -0600, Nick Rogness wrote:
> > > route_0="-net 195.58.161.96 -netmask 255.255.255.240 -iface vr0"
> > What IP is that network reachable through?  
> 
> vr0 has only one IP - 195.58.183.77

That's not likely unless you are dialed up (with your net
interface that's not likely) or running some type of bridge, like
a cable modem or a DSL bridge.

Your IP is actually part of some subnetwork, more than likely.
Otherwise how does your upstream provider route packets to you
through their network...static routes???  maybe, if they're idiots.
That would mean that every machine on that net would have to have
a static route to your machine right?  What is the network
topology like?


BUT if you think that is how you are set up you can use ipfw to
accomplish your task:

ipfw add 450 allow ip from any to any in via vr0
ipfw add 500 fwd 195.58.161.97 ip from any to any

Then:

 route add -net 195.58.161.96 -netmask 255.255.255.240 -interface vr0

Doesn't that basically set up a default route?  How they get to
your machine is their problem.

> 
> > What does your routing table look like before this route gets
> > added? after it gets added?
> 
> Before, it (probably) only contains the localhost route, afterwards it
> looks like this:
> 
> Destination        Gateway            Flags   Refs     Use  Netif Expire
> default            195.58.161.97      UGSc       0     192    vr0
> 127.0.0.1          127.0.0.1          UH         0  209212    lo0
> 195.58.161.96/28   link#1             UCSc       0       0    vr0
> 195.58.183.72/29   link#1             UC         0       0    vr0
> 195.58.183.77      0:50:ba:c5:6e:77   UHLW       0      80    lo0
> 
> WRT your other e-mail,
> > The whole question is, What are you trying to accomplish?
> 
> For some reason, there are 2 (actually more) distinct subnets within one

Probably VLANs or they are trying to save IP space.

> physical network. Only one system has an outwards connection, but its internal
> IP lies in the other subnet and has no IP alias in "my" subnet. The idea is to
> set up a static route between the 2 subnets and then use the IP in the other
> subnet as the default gateway.

There should be an IP on your subnet that you can reference
their network with...unless they have a messy static routing
table.  Ask them how they are routing your IP to you.

> This is how a Linux box is set up in another connected subnet using the same
> default gateway (not that I consider Linux to be a reference for a correct
> implementation, but it seems that most/all boxes in that server room are
> connected in a similar way):
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 195.58.161.48   0.0.0.0         255.255.255.240 U     0      0        0 eth0
> 195.58.161.96   0.0.0.0         255.255.255.240 U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         195.58.161.97   0.0.0.0         UG    0      0        0 eth0
> 

hmmm. OK.  This just makes no sense to do it this way.  Static
routes are the only thing besides some bizarre VLAN setup that
could work.

I would look at your arp table, possibly run tcpdump to see if
these guys are set up the way they say they are.  If they are on
the same physical network, then you should be able to ping
their machine without any default gateway and just that 1 static
route out the interface.

I would like to know how, and why, they are doing this.  If it is
to conserve IP space, NAT is a far better solution.


Nick Rogness
- Speak softly and carry a Gigabit switch.
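The argument in this thread (the -iface route to 195.58.161.96/28 is what makes the default gateway 195.58.161.97 "directly connected", so the default route is accepted; without it the gateway cannot be resolved) is easy to check by modelling the lookup. The following is an added example, not code from the list or from FreeBSD: the routes are the ones in the netstat output quoted above, while the function names, the separation of "lookup" from "is the gateway reachable", and the 192.0.2.1 test destination are my assumptions.

```python
"""Model of longest-prefix route lookup for the table quoted in the thread.

Added example.  Routes come from the netstat -rn output in the post; the
function names and the 192.0.2.1 test address are assumed."""
import ipaddress

# (prefix, gateway or None when the prefix is directly attached, interface)
ROUTES = [
    ("0.0.0.0/0",        "195.58.161.97", "vr0"),  # default
    ("127.0.0.1/32",     None,            "lo0"),
    ("195.58.161.96/28", None,            "vr0"),  # added with -iface vr0
    ("195.58.183.72/29", None,            "vr0"),  # vr0's own subnet
]

# The same table without the -iface route: nothing directly attached
# covers the default gateway any more.
ROUTES_NO_IFACE = [r for r in ROUTES if r[0] != "195.58.161.96/28"]


def lookup(dst, routes):
    """Longest-prefix match: the most specific prefix containing dst wins,
    which is why 195.58.161.96/28 beats 0.0.0.0/0 for 195.58.161.97.
    Returns (network, gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best


def gateway_is_reachable(gw, routes):
    """The condition route(8) enforces when adding a gateway route: the
    gateway's own lookup must land on a directly attached prefix.  With
    ROUTES_NO_IFACE it only matches the default route, i.e. itself."""
    r = lookup(gw, routes)
    return r is not None and r[1] is None


def resolve(dst, routes):
    """(next_hop, interface) for dst: the address the host will ARP for.
    Raises LookupError when there is no route or the gateway is off-link."""
    r = lookup(dst, routes)
    if r is None:
        raise LookupError(f"no route to {dst}")
    _net, gw, ifname = r
    if gw is None:
        return dst, ifname                  # on-link: ARP for dst itself
    if not gateway_is_reachable(gw, routes):
        raise LookupError(f"gateway {gw} for {dst} is not directly reachable")
    return gw, lookup(gw, routes)[2]        # ARP for the gateway instead


if __name__ == "__main__":
    print(resolve("192.0.2.1", ROUTES))             # ('195.58.161.97', 'vr0')
    print(resolve("195.58.161.100", ROUTES))        # on-link via the /28 route
    print(gateway_is_reachable("195.58.161.97", ROUTES))           # True
    print(gateway_is_reachable("195.58.161.97", ROUTES_NO_IFACE))  # False
```

The model only answers the question the host side asks (which address do I ARP for?); as the thread says, how the provider's side gets packets back to 195.58.183.77 is a separate matter that a routing table on this box cannot settle.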







Re: routing bug(?) persists (PR 16318)

2000-06-15 Thread Nick Rogness

On Thu, 15 Jun 2000, Mike Smith wrote:

> > >My ISP claims that the configuration above works trivially under
> > >Linux and Windows NT,
> > 
> > I would like to see that.
> > 
> > Mr. Smith is correct.  Why not set your gateway as the next-hop
> > address to your ISP upstream within the 195.58.183.77 network?
> > 
> > Another option would be to run an IP tunnel between your network and
> > the gateway using gif or nos-tun.
> > 
> > The whole question is, What are you trying to accomplish?
> 
> I spent some more time thinking about this, and I think the deal is that 
> if you do this on both sides, you achieve the result where you can 
> crosstalk between the two networks without requiring a gateway.
> 
> It's kinda ugly, but it's basically what route add -iface is there for, 
> and it makes sense that if ARP is happy ARPing for these hosts, the route 
> code should also consider these hosts as directly connected.

Interior routing protocols can be used in this
fashion.  OSPF and Cisco's EIGRP use this technique as well.
You CAN use this but you are relying on other things to be intact
(like routes) before it works properly.


Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: routing bug(?) persists (PR 16318)

2000-06-15 Thread Nick Rogness

On Thu, 15 Jun 2000, Marinos J . Yannikos wrote:

> route_0="-net 195.58.161.96 -netmask 255.255.255.240 -iface vr0"

What IP is that network reachable through?

What does your routing table look like before this route gets
added? after it gets added?

Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: routing bug(?) persists (PR 16318)

2000-06-15 Thread Nick Rogness

On Thu, 15 Jun 2000, Mike Smith wrote:

[snip]
>I don't see why that should be necessary - my ISP doesn't either, since
>he'd have to part with another IP address.

No he wouldn't, he's already connected to you through your
vr0 interface network range: 195.58.183.77 netmask 255.255.255.248
or is he?  Why are you trying to use a gateway of a non directly
connected network?  What are you trying to do?  Is your ISP
running any Interior gateway protocols that you can take advantage of?

>My ISP claims that the configuration above works trivially under
>Linux and Windows NT,

I would like to see that.

Mr. Smith is correct.  Why not set your gateway as the next-hop
address to your ISP upstream within the 195.58.183.77 network?

Another option would be to run an IP tunnel between your network and
the gateway using gif or nos-tun.

The whole question is, What are you trying to accomplish?

Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: Roadrunner cable modems & FreeBSD

2000-06-12 Thread Nick Rogness

On Mon, 12 Jun 2000, Steve Hocking wrote:

> I've just moved from the one street in the Perth, Australia metropolitan area 
> that didn't have cable access to Houston, where I have a plethora of choices. 
> The apartment I'm planning to move into has Roadrunner access. Does anyone 
> have any experience with setting this up under FreeBSD?

Yes, I am running several machines with RR.  dhclient seems to
work alright.  The DHCP leases expire, but you always get the same
IP and there is little inbound firewalling within their network so
I can ssh, telnet, or web serve to my home machine.  I am using
nos-tun between several machines within this network, and created a
VPN between fellow employees across their FreeBSD machines...so
far so good.  Just don't port scan across their network or they
lock your MAC address out ;-)


Nick Rogness
- Speak softly and carry a Gigabit switch.

IP tunnel

2000-05-22 Thread Nick Rogness


Can anyone tell me the difference between nos-tun(8) and gif(4) (Other
than IPv6)?  I want to create a tunnel between 2 networks (IPv4), 2
FreeBSD boxes... will one of these work or is this a different type
of tunnel.  I am familiar with Cisco tunnelling, I am assuming a similar
concept.  Anyone doing this already, if so sample configs?  Is it
possible?

Thanks.

Nick Rogness
- Speak softly and carry a Gigabit switch.

Bad Block scan

2000-05-16 Thread Nick Rogness


I thought FreeBSD had an option on install to run a bad block scan on a
drive?  Just installed (4.0-RELEASE) and noticed it wasn't there. Any
specific reason...or maybe a reference page that explains.  Thanks in
advance.

Nick Rogness
- Speak softly and carry a Gigabit switch.

Upgrade from 3.3 to 4.0

2000-05-04 Thread Nick Rogness


Does the Upgrade option work on the 4.0-RELEASE disks if I am going from
3.3-RELEASE?  Or do I want to CVSup? Thanks.

Nick Rogness
- Speak softly and carry a Gigabit switch.

Re: deX OErrs on crossed link.

1999-12-23 Thread Nick Rogness

On Thu, 23 Dec 1999, David Gilbert wrote:

> I am using the 4-port DLink adapter (uses tulip chips) on the server
> and currently intel fxp0 chips on the clients.  With this setup, I get 
> a huge number of OErrs on the deX interface (nothing shows on the fxp0 
> on the other end).  If I use an fxp in the server, no errors... and I
> have tried a variety of handmade and professionally-made cables to
> join them.
> 
> I have even tried shutting down full-duplex... doesn't help.

Ah ha!  I thought I was the only one having problems with the de
driver.  Performance just went right down the tubes running 
100BaseT at Full-Duplex.  However, after days of troubleshooting
why I was getting 6Kb a second across a X-over cable between two
machines, I ran it down to the Full-duplex operation.  Apparently,
when half-duplex was enabled, performance was great...at
full-duplex...6kb a sec (even ftp stalls).  FreeBSD 3.3-RELEASE
and 3.3-STABLE...same results on both.

Anyone else?

****
Nick Rogness   Speak softly and carry
Systems Administrator  a Gigabit switch.
RapidNet, Inc., USA

Re: natd is jumpy

1999-12-06 Thread Nick Rogness

On Sun, 5 Dec 1999, Archie Cobbs wrote:

> Brian Dean writes:
> > No dropped packets, but definitely some occasional long delays before
> > I get the echo.  However, I must concede, based on other respondents,
> > that something else must be going on and I cannot necessarily
> > attribute this to divert/firewall/natd.


I forgot to mention, are you connecting at V.90 speeds?  If so
renegotiations/retrains will take place and you will see a speed
jump or hesitation.  Disable this in the modem.  There are
specific S registers to do this. Also what type of term/com server
gear are you connecting to?

I would also recommend upgrading your modem BIOS.

> > 
> > However, the above numbers don't really illustrate the long response
> > times that I experience while typing at the shell prompt, or in elm.
> > It's really frustrating.

How often does this happen?  Is it a fixed time period?

[snip]
> 
> Could be you have a noisy line and your modem error correction is
> kicking in.  Try configuring your modem to disable error correction
> and see if it changes things.

uuhhh, don't disable error correction for long.  You might see
massive problems then.  But it might be useful to see if it is
involved in your problem.

Also, get your ISP involved.  Most admins have access to debug or
PPP trace tools to help you.  Good luck.


Nick Rogness   File not found...
System Administrator   Should I fake it (Y/N)?
RapidNet, INC

Re: natd is jumpy

1999-12-03 Thread Nick Rogness

On Fri, 3 Dec 1999, Brian Dean wrote:

> I use natd and a 56k phone connection to my ISP so that all my
> computers can share one line.

Is this an internal/external modem or a router connection to the
outside?
> 
> This all works fine, but I experience very noticeable jumpiness when
> typing over a telnet connection to a remote system.  Delays of 7-10

How many machines are on this setup and use it at the same time?

> seconds between typing characters and them appearing on my screen are
> not uncommon.  If I rebuild my kernel without IPFIREWALL and IPDIVERT,
> and disable natd and the firewall code, these delays go away so I am
> assuming that it is natd/firewall/divert that is responsible for this
> delay.

Was there anyone sharing the bandwidth WHILE natd was configured
and running?  If so, try running NAT with no one else sharing
bandwidth and see if you get the same delays.  Could it
possibly be that when you rebooted, after the kernel rebuild, no
other machines were able to use the same bandwidth because nat was
turned off?  Those delays could be normal if the other machines
were surfing or using the majority of your bandwidth.  Try turning
natd on, unplugging the 'inside' interface from the network, and
then run your tests.

How 'far' away is the machine you are telnetting to?  1,2,3 hops?
Ping the host and see what times you are getting, both with NAT
turned on and without.

I run this setup with ISDN at home and never see delays on either
the diverted range (192.168.0.0/24) or my routable subnet.  Of
course, I am running stable though.


********
Nick Rogness   File not found...
System Administrator   Should I fake it (Y/N)?
RapidNet, INC

Re: natd question

1999-10-19 Thread Nick Rogness


On Tue, 19 Oct 1999, Brian Beattie wrote:

  [snip]
> 
> How about:
>  
>         (~~)                                            (~~)
>        (    )         +-------+      +-------+         (    )
>       +      +        |       |      |       |        +      +
>  ( 130.144.120/22 ) --|FreeBSD|      |FreeBSD|-- ( 130.144.120/22 )
>       +(real)+        |       |      |       |        +(test)+
>        (    )         +-------+      +-------+         (    )
>         (~~)                                            (~~)
> 
> Using 10.0.0.0 on the network in the middle
> 

I originally had this idea but the problem is when a machine from
the 'test' network, let's say 130.144.120.1, tries to reach a
machine on the 'real' network, let's say 130.144.120.2.  Packets
will never be routed properly because they will never leave the
'test' network.  The machines on both sides would not send the
packets to the gateway since the destination is considered
to be local.

Unless there are specific static routes on all
machines pointing to higher-netmasked hosts they will never
be routed across the BSD machines.  Even if they were to make it
across, the return packets would never make it back unless there
were static routes on the other side as well.

Even if you did get the routing tables setup right on both sides
you would then also have to deal with duplicate IP addresses, on
a LAN.

I have just thought of a way to keep the IP addresses the same
and let NATD handle the IP pointers.  However, there will be some
renumbering involved:


        (~~)               10.11.0.0/30               (~~)
       (    )        +-------+      +-------+        (    )
      +      +       |       |      |       |       +      +
  ( 10.10.0.0/22 ) --|FreeBSD|      |FreeBSD|-- ( 10.10.0.0/22 )
      +(real)+       |       |      |       |       +(test)+
       (    )        +-------+      +-------+        (    )
        (~~)          NATD-1         NATD-2           (~~)


If you set up 2 different machines with 2 ethernet cards in them,
configure them to connect to each other with a different network
range from the remote sides.  Run NatD on those interfaces.

Then you set up 2 different address translation tables
on each FBSD machine that have static pointers to the real machine
IPs using the natd config table eg:

#NATD-1 config file
port 8668
interface de0
redirect_address 10.10.0.1 130.144.120.1
redirect_address 10.10.0.2 130.144.120.2
redirect_address 10.10.0.3 130.144.120.3
.   
.   
.   
redirect_address 10.10.0.20 130.144.120.19


#NATD-2 config file
port 8668
interface de0
redirect_address 10.10.0.1 130.144.120.20
redirect_address 10.10.0.2 130.144.120.25
redirect_address 10.10.0.3 130.144.120.35
.   
.   
.   
redirect_address 10.10.0.20 130.144.120.60


Then you just refer to the machines when communicating between 
each network as 130.144.120.XXX.  That way the FreeBSD machines
make the decision on which public packets need to get diverted
to which local machine.  Also you can change these mappings fairly
easily and your mappings will take place without ever having to
change IP addresses on your local machines.

Just an idea.

***
Nick Rogness Shaw's Principle:
System Administrator   Build a system that even a fool
RapidNet, INC  can use, and only a fool will
[EMAIL PROTECTED]  want to use it.
***
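Two points in this post are worth checking mechanically: why the first layout fails (a host in 130.144.120/22 never hands a packet for 130.144.120.2 to its gateway, it ARPs for it locally) and how the two static redirect_address tables rewrite a packet and its reply. The following is an added example and not code from the list or from natd: the mappings are the first three lines of each config above, while the packet model, the class and function names, and the traffic scenario (test host 10.10.0.1 talking to the real machine known as 130.144.120.2) are my assumptions.

```python
"""Model of the two-natd layout sketched above.

Added example.  The redirect_address mappings are from the post; the
packet model, names and traffic scenario are assumed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def needs_gateway(host_prefix, dst):
    """Why the first diagram cannot work: a host forwards to its gateway only
    when dst lies outside its own prefix; inside it, it ARPs locally."""
    return ipaddress.ip_address(dst) not in ipaddress.ip_network(host_prefix)


class StaticNat:
    """One natd instance configured only with 'redirect_address local public'
    lines: a 1:1, bidirectional rewrite at its external interface."""

    def __init__(self, name, mappings):
        self.name = name
        self.local_to_public = dict(mappings)
        self.public_to_local = {pub: loc for loc, pub in mappings}
        if len(self.public_to_local) != len(self.local_to_public):
            raise ValueError(f"{name}: public addresses must be unique")

    def outbound(self, pkt):
        """LAN -> link: rewrite the source to its public alias."""
        pub = self.local_to_public.get(pkt.src)
        if pub is None:
            raise LookupError(f"{self.name}: no redirect_address for {pkt.src}")
        return Packet(pub, pkt.dst)

    def inbound(self, pkt):
        """Link -> LAN: rewrite the public destination to the local host."""
        loc = self.public_to_local.get(pkt.dst)
        if loc is None:
            raise LookupError(f"{self.name}: no redirect_address for {pkt.dst}")
        return Packet(pkt.src, loc)


def round_trip(pkt, sender_nat, receiver_nat):
    """Carry pkt from the sender's LAN to the receiver's LAN and the reply
    back; returns (packet as delivered, reply as delivered to the sender)."""
    delivered = receiver_nat.inbound(sender_nat.outbound(pkt))
    reply = Packet(delivered.dst, delivered.src)
    return delivered, sender_nat.inbound(receiver_nat.outbound(reply))


def overlapping_public(nat_a, nat_b):
    """Public addresses claimed by both tables would be ambiguous on the
    10.11.0.0/30 link; a sane configuration returns the empty set."""
    return set(nat_a.public_to_local) & set(nat_b.public_to_local)


# First three redirect_address lines of each config file in the post.
NATD_1 = StaticNat("NATD-1 (real)", [("10.10.0.1", "130.144.120.1"),
                                     ("10.10.0.2", "130.144.120.2"),
                                     ("10.10.0.3", "130.144.120.3")])
NATD_2 = StaticNat("NATD-2 (test)", [("10.10.0.1", "130.144.120.20"),
                                     ("10.10.0.2", "130.144.120.25"),
                                     ("10.10.0.3", "130.144.120.35")])

if __name__ == "__main__":
    print(needs_gateway("130.144.120.0/22", "130.144.120.2"))   # False
    print(needs_gateway("10.10.0.0/22", "130.144.120.2"))       # True
    print(round_trip(Packet("10.10.0.1", "130.144.120.2"), NATD_2, NATD_1))
    print(overlapping_public(NATD_1, NATD_2))                    # set()
```

The round trip shows the property the post relies on: the real-side host sees the test host as 130.144.120.20 and the test host sees its reply come back from 130.144.120.2, so neither LAN needs to know the other's 10.10.0.0/22 numbering. `overlapping_public` is the check to run whenever a mapping is changed, since the same public address in both tables would make the link-side lookup ambiguous.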







Re: natd question

1999-10-19 Thread Nick Rogness

On Tue, 19 Oct 1999, Zuidam, Hans wrote:

> I want to set up a test network which (partly) mirrors our production
> side network. To match reality as close as possible we keep the IP
> addresses in the test network the same as in the production network.  In
> order not to run around with tapes between the two networks, I would like
> to create the following setup:
> 
>        (~~)                                 (~~)
>       (    )          +---------+          (    )
>      +      +         |         |         +      +
> ( 130.144.120/22 ) -- | FreeBSD | -- ( 130.144.120/22 )
>      +(real)+         |         |         +(test)+
>       (    )          +---------+          (    )
>        (~~)                                 (~~)


You can't split 2 identical networks, with identical
netmasks, across 2 interfaces unless you are running some sort of
BRIDGE or transparent proxy support. Even then, if you have the
same IPs on both networks you will run into problems with routing
and ARP entries on the FreeBSD machine.

If you are looking to connect the 2 networks together, run a
different IP range on the (test) network, like the 10.0.0.0
or 192.168 network. If you are not connecting to the internet then
you will not need to run NATD; just make sure that the
gateway addresses of the machines on both sides are pointing to the
corresponding FreeBSD interface IP.


*******
Nick Rogness Shaw's Principle:
System Administrator   Build a system that even a fool
RapidNet, INC  can use, and only a fool will
[EMAIL PROTECTED]  want to use it.
***

Re: passwd and chat

1999-01-02 Thread Nick Rogness

On Thu, 4 Nov 1999, Johan Kruger wrote:

> How can I use chat on the command line to enter a new password without
> interaction with passwd?
> For example, I want to use chat to reply to New password and Retype
> password, something like this:

Why use chat when you can use pw(8)?  Example:

# echo "password" | pw usermod -n username -h 0

********
Nick Rogness   File not found...
System Administrator   Should I fake it (Y/N)?
RapidNet, INC