Re: NAT and PPTP
Thanks for answering my email. Even though I am not a programmer, I can surely test things out to the best of my abilities. It would be nice to be able to have something like a pptpd integrated into the FreeBSD tree (STABLE and CURRENT); it would be nice, of course, to be able to set up PPTP tunnels dynamically and not only statically, as is the case right now in mpd (AFAIK). My own purpose for using this is securing 802.11(whatever) a bit more in a large WISP setup.

One of my questions is how many PPTP or PPPoE sessions can be handled by one FreeBSD box, knowing each PPTP or PPPoE session has to be shaped traffic-wise, symmetrically or asymmetrically. So having the ability to shape inbound bandwidth and outbound bandwidth directly inside the pptpd and pppoed through RADIUS, and directly (for some cases) through ppp.conf, would be really nice (it would require having a special dictionary for RADIUS, I think). I don't know if this is achievable without too much hassle in the current PPP (PPPoE) code, and if it is at all possible in a PPTP environment?

On Tue, 29 Jul 2003 18:17:33 -0600 Brett Glass <[EMAIL PROTECTED]> wrote:

> Christophe:
>
> Nothing was decided in private e-mail. I'd really like to go for this,
> but will likely need some help analyzing the existing code, abstracting
> the right parts from pppoed and mpd, and gluing everything together.
> That's why I was hoping to ask Archie and Brian for help. The code for
> both is tricky and not well documented.
>
> I do agree that a BSD-licensed pptpd that's made to work with FreeBSD's
> (and NetBSD's, and OpenBSD's) userland PPP is needed. PoPToP is a Linux-
> oriented, GPLed project and cannot be trusted to maintain compatibility
> with the BSDs. (The version in the FreeBSD Ports Collection has serious
> bugs, too, and is far behind the developers' latest version.) What's more,
> professional programmers, or ones who work on BSD-licensed projects, can't
> safely look at the code because it's GPLed and license contamination is
> a serious legal threat.
>
> PPTP is really very close to PPPoE, except that it runs over TCP (for call
> setup and control) and GRE (for the PPP session) rather than raw MAC-layer
> Ethernet. The call control mechanism has no real security, and I've
> always thought it wouldn't be too hard to hijack. PPP over SSH would
> probably be more secure, but Windows doesn't support that and most of us
> need to support Windows clients.
>
> In any event, the most difficult part of PPTP to implement seems to be that
> call control mechanism, which has far more features than necessary. This is
> what would be good to extract from mpd, since I'll bet Archie spent a LOT
> of time figuring out how to do it.
>
> By the way, one thing that surprised me, when I researched it, was that even
> though it's supposedly a secure "tunneling" protocol, there's no requirement
> that a PPTP session actually use encryption. (In fact, several models of
> Linksys routers have a PPTP implementation that does no encryption. This is
> likely to mislead consumers, who will assume that if they're using PPTP they
> have encryption.) On the other hand, PPPoE can be just as secure as PPTP,
> since either can use MPPE to wedge encryption in where PPP normally has
> compression.
>
> By the way, is there BSD-licensed code for the enhanced version of MPPE
> that does both encryption AND compression (I believe it's called MPPC)?
> I understand that Microsoft Windows has it built in, and that it's available
> for Linux as well.
>
> --Brett
>
> At 03:12 AM 7/29/2003, Christophe Prevotaux wrote:
>
> >Hello,
> >
> >Any hopes for anything like a pptpd (like the pppoed)
> >any time soon? Discussion stopped in the thread,
> >so maybe you guys discussed this further privately
> >and decided something?
> >
> >pptpd is a much needed feature nowadays.
> >
> >On Thu, 24 Jul 2003 23:00:45 -0600
> >Brett Glass <[EMAIL PROTECTED]> wrote:
> >
> >> At 08:50 PM 7/24/2003, Archie Cobbs wrote:
> >>
> >> >I don't have time to do any real work.. however, the PPTP control
> >> >layer can be used pretty much as is.. i.e., the files pptp_ctrl.[ch].
> >> >It has a fairly clean API that any PPP daemon could use, and all they
> >> >require is some kind of event support.
> >>
> >> We wouldn't be doing it quite that way; we'd be using it just to
> >> steer the call through PPP (which wouldn't know that it was PPTP;
> >> it would just think the call was PPP with MPPE on the CCP layer).
> >> So, the PPP implementation wouldn't need to know about PPTP call
> >> control.
> >>
> >> --Brett
> >
> >--
> >===
> >Christophe Prevotaux Email: [EMAIL PROTECTED]
> >HEXANET SARL URL: http://www.hexanet.fr/
> >Z.A.C Les Charmilles Tel: +33 (0)3 26 79 30 05
> >3 Allée Thierry Sabine Direct: +33 (0)3 26 61 77 72
> >BP202 Fax: +33 (0)3 26 79 30 06
> >51686 Reims Cedex 2
Re: NAT and PPTP
Hi,

On Tue, 29 Jul 2003, Brett Glass wrote:

> By the way, is there BSD-licensed code for the enhanced version of MPPE
> that does both encryption AND compression (I believe it's called MPPC)?

No. MPPC (STAC compression) is proprietary and patented (www.hifn.com); you can enable MPPC, but you have to buy the sources.

> I understand that Microsoft Windows has it built in, and that it's available
> for Linux as well.

This is a kernel module for Linux; however, they are violating the US patent.

bye,
--
Michael Bretterklieber - http://www.bretterklieber.com
JAWA Management Software GmbH - http://www.jawa.at
Tel: ++43-(0)316-403274-12 - GSM: ++43-(0)676-84 03 15 712
--
"...the number of UNIX installations has grown to 10, with more expected..." - Dennis Ritchie and Ken Thompson, June 1972

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: xl0 full duplex
** Reply to note from [EMAIL PROTECTED] (Bill Paul) Tue, 29 Jul 2003 12:18:33 -0700 (PDT)

> If your switch is not managed and doesn't allow you to manually
> configure the port settings, then you're out of luck. You'll just
> have to live with half duplex mode.

Sigh: this is the case. :(

Well, I guess I can live with that.

Thanks for your answer.

bye
av.
RE: Help with FreeBSD Bridged Firewall
> From: William Knechtel [mailto:[EMAIL PROTECTED]

I think you need to allow ARP through this device, something like:

ipfw add 30 allow layer2 mac-type arp

[not sure which rule to insert it at]. I'm guessing your ARP cache is timing out.
RE: Help with FreeBSD Bridged Firewall
Per a list member's request, I've attached dumps of the following commands:

arp -a
netstat -m
ipfw show
ifconfig
netstat -s
netstat -i

One caveat: I've hidden all IP addresses that could be used to divine my netblock... I guess I'm a little paranoid about people inspecting my firewall configuration :-) and are public (routable) IP addresses of the two machines I have behind the firewall.

One additional note. Since I first composed this message early this afternoon, the responsiveness of the internal NIC on the firewall has bounced up and down a bit. Here's a bit of a log of its activity:

11:57 DOWN
12:06 UP (reboot)
12:26 DOWN
2:18 UP
3:14 DOWN
5:43 UP

The odd thing is that it's been operating fine for a few months now (it's a fairly new installation), and the last change I made to the firewall's config was well over a week ago.

I hope this helps figure out what's going on!! Thanks in advance for your help.

Kindest Regards,
Bill

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of William Knechtel
> Sent: Tuesday, July 29, 2003 6:56 PM
> To: [EMAIL PROTECTED]
> Subject: Help with FreeBSD Bridged Firewall
>
>
> Hello!
>
> Help!! I'm running a PC with dual NICs and FreeBSD 4.8 for a bridged
> firewall. I've got a private IP 10.0.0.1 tied to the internal card on the
> box for remote management. The firewall blocks any 10.x traffic coming in on
> the external card, so to remotely admin it, I have to shell into a machine
> on the same isolated network segment that it's on, and then shell over from
> that machine.
>
> Today around noon, the machine suddenly stopped responding to pings. I went
> down to the server room and couldn't find anything wrong. No notes on the
> console screen, no anomalous entries in the security or message logs. So, in
> the interest of getting it back up quickly, I rebooted it. That worked.
> About an hour later, the same thing happened... my network monitor tells me
> that it's not responding to pings. So before I go down to the server room, I
> run a few tests... the firewall is still blocking packets like a champ. I
> run nmap against a host the firewall protects, and everything comes back
> fine. But when I go downstairs to the console, I can't ping out to its
> 10.0.0.2 buddy, and no incoming pings work either. I'm at a loss on how to
> troubleshoot this, folks. I could really use a few ideas, so please send
> them along!
>
> Thanks in Advance!
> Bill

# arp -a
? (10.0.0.1) at 00:01:53:80:e2:40 on dc0 permanent [ethernet]
? (10.0.0.2) at 00:02:b3:a8:3d:2b on dc0 [ethernet]

# netstat -m
129/160/4992 mbufs in use (current/peak/max):
129 mbufs allocated to data
128/136/1248 mbuf clusters in use (current/peak/max)
312 Kbytes allocated to network (8% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# ipfw show
00100 24 1824 allow udp from 132.239.1.6 123 to 123
00200 23 1748 allow udp from 128.194.254.9 123 to 123
00300 24 1824 allow udp from 192.43.244.18 123 to 123
00400 24 1824 allow udp from 128.138.140.44 123 to 123
00500 0 0 allow udp from 132.239.1.6 123 to 123
00600 0 0 allow udp from 128.194.254.9 123 to 123
00700 0 0 allow udp from 192.43.244.18 123 to 123
00800 0 0 allow udp from 128.138.140.44 123 to 123
00900 0 0 deny ip from 127.0.0.0/8 to any via vr0
01000 131613 deny ip from 10.0.0.0/8 to any via vr0
01100 512 65098 deny ip from 192.168.0.0/16 to any via vr0
01200 0 0 deny ip from 172.16.0.0/16 to any via vr0
01300 6363 1136947 allow ip from 10.0.0.0/28 to any via dc0
01400 5952374220 allow ip from any to any via lo*
01500 214096 106791094 allow ip from X.X.211.64/26 to any
01600 176 21124 allow ip from X.X.122.180 to any
01700 703 33825 allow icmp from any to any
01800 898130784 allow ip from X.X.204.192/28 to any
01900 0 0 allow ip from X.X.211.68 to any
02000 51768 7784246 allow ip from any to X.X.255.255
02100 0 0 allow tcp from any to 53
02200 0 0 allow udp from any to 53
02300 11915 2725386 allow tcp from any to 80
02400 0 0 allow udp from any to 80
02500 659444559 allow tcp from any to 25
02600 0 0 allow udp from any to 25
02700 0 0 allow tcp from any to 110
02800 0 0 allow udp from any to 110
02900 0 0 allow tcp from any to 143
03000 0 0 allow udp from any to 143
03100 0 0 deny tcp from any to 3306
03200 0 0 deny udp from any to 3306
03300 0 0 deny tcp from any to 6101
03400
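Two things a reader of the dump above would check by hand are whether any rule admits ARP (the earlier reply in this thread guesses the ARP cache is timing out and suggests `mac-type arp`) and which rules can never match: the second set of NTP rules (00500-00800) repeats the first (00100-00400) exactly and shows zero counters, because ipfw stops at the first matching rule. The checker below does both over `ipfw show` output. It is an added example, not code from the thread or from FreeBSD; the sample dump is constructed in the dump's format with hidden addresses written as X.X like the post, the rule 00030 line is my own rendering of the reply's suggestion, and treating a missing ARP rule as a finding is the reply's assumption, not an established fact about this bridge.

```python
"""Sanity checks over `ipfw show` output from a bridging firewall (added example)."""
import re
from dataclasses import dataclass

# `ipfw show` prints: <5-digit rule number> <packets> <bytes> <rule body>
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text):
    """Parse `ipfw show` output into Rule objects; malformed lines are an error."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable ipfw show line: %r" % line)
        rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                          " ".join(m.group(4).split())))
    return rules


def shadowed_rules(rules):
    """(later_rule, earlier_rule) pairs whose bodies are identical.

    Rules are evaluated in number order and the first match wins, so an exact
    duplicate further down can never be hit; its counters stay at zero.
    """
    first_seen = {}
    shadowed = []
    for r in sorted(rules, key=lambda r: r.number):
        if r.body in first_seen:
            shadowed.append((r.number, first_seen[r.body]))
        else:
            first_seen[r.body] = r.number
    return shadowed


def arp_allowed(rules):
    """True if some allow rule matches ARP by mac-type (name or 0x0806)."""
    for r in rules:
        words = r.body.lower().split()
        if words and words[0] == "allow" and "mac-type" in words:
            i = words.index("mac-type")
            if i + 1 < len(words) and words[i + 1] in ("arp", "0x0806"):
                return True
    return False


def audit(text):
    """Run both checks over one dump and return the findings."""
    rules = parse_ipfw_show(text)
    return {"rules": len(rules),
            "shadowed": shadowed_rules(rules),
            "arp_allowed": arp_allowed(rules)}


# Constructed sample modelled on the thread's dump (not the real output).
SAMPLE = """\
00100 24 1824 allow udp from 132.239.1.6 123 to X.X.211.68 123
00200 23 1748 allow udp from 128.194.254.9 123 to X.X.211.68 123
00500 0 0 allow udp from 132.239.1.6 123 to X.X.211.68 123
00600 0 0 allow udp from 128.194.254.9 123 to X.X.211.68 123
00900 0 0 deny ip from 127.0.0.0/8 to any via vr0
01300 6363 1136947 allow ip from 10.0.0.0/28 to any via dc0
65535 1204 97010 deny ip from any to any
"""

# Same dump with an ARP pass rule of the kind the reply proposes (constructed).
SAMPLE_WITH_ARP = "00030 41 1886 allow ip from any to any layer2 mac-type arp\n" + SAMPLE

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(SAMPLE_WITH_ARP))
```

Run it against a saved `ipfw show` dump by passing the file contents to `audit()`; on the constructed sample it reports rules 500 and 600 as shadowed by 100 and 200 and no ARP rule, and with the rule-30 line prepended the ARP finding clears.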
Help with FreeBSD Bridged Firewall
Hello!

Help!! I'm running a PC with dual NICs and FreeBSD 4.8 for a bridged firewall. I've got a private IP 10.0.0.1 tied to the internal card on the box for remote management. The firewall blocks any 10.x traffic coming in on the external card, so to remotely admin it, I have to shell into a machine on the same isolated network segment that it's on, and then shell over from that machine.

Today around noon, the machine suddenly stopped responding to pings. I went down to the server room and couldn't find anything wrong. No notes on the console screen, no anomalous entries in the security or message logs. So, in the interest of getting it back up quickly, I rebooted it. That worked. About an hour later, the same thing happened... my network monitor tells me that it's not responding to pings. So before I go down to the server room, I run a few tests... the firewall is still blocking packets like a champ. I run nmap against a host the firewall protects, and everything comes back fine. But when I go downstairs to the console, I can't ping out to its 10.0.0.2 buddy, and no incoming pings work either. I'm at a loss on how to troubleshoot this, folks. I could really use a few ideas, so please send them along!

Thanks in Advance!
Bill
Re: NAT and PPTP
Christophe:

Nothing was decided in private e-mail. I'd really like to go for this, but will likely need some help analyzing the existing code, abstracting the right parts from pppoed and mpd, and gluing everything together. That's why I was hoping to ask Archie and Brian for help. The code for both is tricky and not well documented.

I do agree that a BSD-licensed pptpd that's made to work with FreeBSD's (and NetBSD's, and OpenBSD's) userland PPP is needed. PoPToP is a Linux-oriented, GPLed project and cannot be trusted to maintain compatibility with the BSDs. (The version in the FreeBSD Ports Collection has serious bugs, too, and is far behind the developers' latest version.) What's more, professional programmers, or ones who work on BSD-licensed projects, can't safely look at the code because it's GPLed and license contamination is a serious legal threat.

PPTP is really very close to PPPoE, except that it runs over TCP (for call setup and control) and GRE (for the PPP session) rather than raw MAC-layer Ethernet. The call control mechanism has no real security, and I've always thought it wouldn't be too hard to hijack. PPP over SSH would probably be more secure, but Windows doesn't support that and most of us need to support Windows clients.

In any event, the most difficult part of PPTP to implement seems to be that call control mechanism, which has far more features than necessary. This is what would be good to extract from mpd, since I'll bet Archie spent a LOT of time figuring out how to do it.

By the way, one thing that surprised me, when I researched it, was that even though it's supposedly a secure "tunneling" protocol, there's no requirement that a PPTP session actually use encryption. (In fact, several models of Linksys routers have a PPTP implementation that does no encryption. This is likely to mislead consumers, who will assume that if they're using PPTP they have encryption.) On the other hand, PPPoE can be just as secure as PPTP, since either can use MPPE to wedge encryption in where PPP normally has compression.

By the way, is there BSD-licensed code for the enhanced version of MPPE that does both encryption AND compression (I believe it's called MPPC)? I understand that Microsoft Windows has it built in, and that it's available for Linux as well.

--Brett

At 03:12 AM 7/29/2003, Christophe Prevotaux wrote:

>Hello,
>
>Any hopes for anything like a pptpd (like the pppoed)
>any time soon? Discussion stopped in the thread,
>so maybe you guys discussed this further privately
>and decided something?
>
>pptpd is a much needed feature nowadays.
>
>On Thu, 24 Jul 2003 23:00:45 -0600
>Brett Glass <[EMAIL PROTECTED]> wrote:
>
>> At 08:50 PM 7/24/2003, Archie Cobbs wrote:
>>
>> >I don't have time to do any real work.. however, the PPTP control
>> >layer can be used pretty much as is.. i.e., the files pptp_ctrl.[ch].
>> >It has a fairly clean API that any PPP daemon could use, and all they
>> >require is some kind of event support.
>>
>> We wouldn't be doing it quite that way; we'd be using it just to
>> steer the call through PPP (which wouldn't know that it was PPTP;
>> it would just think the call was PPP with MPPE on the CCP layer).
>> So, the PPP implementation wouldn't need to know about PPTP call
>> control.
>>
>> --Brett
>
>--
>===
>Christophe Prevotaux Email: [EMAIL PROTECTED]
>HEXANET SARL URL: http://www.hexanet.fr/
>Z.A.C Les Charmilles Tel: +33 (0)3 26 79 30 05
>3 Allée Thierry Sabine Direct: +33 (0)3 26 61 77 72
>BP202 Fax: +33 (0)3 26 79 30 06
>51686 Reims Cedex 2
>FRANCE HEXANET Network Operation Center
>===
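Brett's description of the two carriers (TCP for call control, GRE for the PPP session) and of the fact that nothing forces MPPE onto the session can be turned into a passive decoder that tells an operator what a captured PPTP tunnel actually carries. The code below is an added example, not code from this thread, from mpd or from pppoed. It decodes the 12-byte header every PPTP control message starts with and the enhanced-GRE header in front of each PPP frame, then reports the PPP protocol of the payload: 0x00FD (compressed datagram) is what MPPE and MPPC both emit, so a 0x0021 (IPv4) payload inside the GRE stream is the unencrypted case Brett warns about. Function names, the constructed packets and the builders are mine; the decoder assumes the PPP frame carries the HDLC address/control bytes 0xFF 0x03 and an uncompressed two-byte protocol field (both are LCP-negotiable, so a capture from a link that negotiated ACFC or PFC would need the two branches adjusted).

```python
"""Passive decoder for PPTP call-control messages and GRE-carried PPP (added example)."""
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie in every PPTP control message
GRE_PROTO_PPP = 0x880B       # enhanced-GRE payload type used for PPP
PPP_IPV4 = 0x0021            # cleartext IPv4 inside PPP
PPP_COMPRESSED = 0x00FD      # compressed datagram: MPPE and/or MPPC output
GRE_K = 0x2000               # key field (payload length + call ID) present
GRE_S = 0x1000               # sequence number present
GRE_A = 0x0080               # acknowledgement number present

CONTROL_NAMES = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
                 3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
                 5: "Echo-Request", 6: "Echo-Reply",
                 7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
                 9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
                 11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
                 13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info"}


def parse_control(payload):
    """Check the header common to all PPTP control messages and name the message."""
    if len(payload) < 12:
        raise ValueError("short control header")
    length, msg_type, magic, ctrl_type, _rsvd = struct.unpack("!HHIHH", payload[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie 0x%08x" % magic)
    if msg_type != 1:
        raise ValueError("not a control message (message type %d)" % msg_type)
    if length != len(payload):
        raise ValueError("length field %d does not match %d bytes" % (length, len(payload)))
    return {"control_type": ctrl_type, "name": CONTROL_NAMES.get(ctrl_type, "unknown")}


def parse_gre_ppp(packet):
    """Decode an enhanced-GRE header and classify the PPP frame it carries."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x7) != 1 or not flags & GRE_K:
        raise ValueError("not PPTP enhanced GRE (flags 0x%04x proto 0x%04x)" % (flags, proto))
    offset = 8 + (4 if flags & GRE_S else 0) + (4 if flags & GRE_A else 0)
    if len(packet) < offset + payload_len:
        raise ValueError("truncated GRE packet")
    seq = struct.unpack("!I", packet[8:12])[0] if flags & GRE_S else None
    ppp = packet[offset:offset + payload_len]
    if ppp[:2] == b"\xff\x03":   # HDLC address/control, assumed present (no ACFC)
        ppp = ppp[2:]
    if len(ppp) < 2:
        raise ValueError("PPP frame too short for a protocol field")
    ppp_proto = struct.unpack("!H", ppp[:2])[0]   # assumed uncompressed (no PFC)
    return {"call_id": call_id, "seq": seq, "ppp_protocol": ppp_proto,
            "protected": ppp_proto == PPP_COMPRESSED,
            "cleartext_ip": ppp_proto == PPP_IPV4}


def build_sccrq(hostname=b"gw.example", vendor=b"example"):
    """Constructed Start-Control-Connection-Request: 12-byte header + 144-byte body."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 3, 3, 1, 0)   # version 1.0, framing, bearer, channels, fw
    body += hostname.ljust(64, b"\0") + vendor.ljust(64, b"\0")
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, 1, 0) + body


def build_gre_ppp(call_id, seq, ppp_proto, body):
    """Constructed enhanced-GRE packet (K and S set, version 1) carrying one PPP frame."""
    ppp = b"\xff\x03" + struct.pack("!H", ppp_proto) + body
    return (struct.pack("!HHHH", GRE_K | GRE_S | 1, GRE_PROTO_PPP, len(ppp), call_id)
            + struct.pack("!I", seq) + ppp)


if __name__ == "__main__":
    print(parse_control(build_sccrq()))
    print(parse_gre_ppp(build_gre_ppp(7, 1, PPP_IPV4, b"\x45\x00\x00\x14" + b"\x00" * 16)))
    print(parse_gre_ppp(build_gre_ppp(7, 2, PPP_COMPRESSED, b"\x90\x01\xde\xad")))
```

Fed the GRE packets of a real capture (strip the IP header first), `parse_gre_ppp` gives a per-call view of whether the session ever carried cleartext IP; note that 0x00FD alone cannot tell MPPE encryption from MPPC-only compression, which is exactly why the PPP-level negotiation, not the PPTP framing, decides whether a tunnel is protected.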
Re: xl0 full duplex
> ** Reply to note from "Sreekanth" <[EMAIL PROTECTED]> Tue, 29 Jul 2003 09:53:05 -0700
>
> > > Ok, so I tried:
> > >
> > > ifconfig xl0 mediaopt autoselect
> > >
> > > but I get:
> > >
> > > ifconfig: SIOCSIFMEDIA: Device not configured
>
> >Try
> >ifconfig xl0 media auto
>
> Ditto. I get the same message.
>
> bye & Thanks
> av.

*sigh*

You can't set a mode that the NIC doesn't support. You have a 10Mbps-only NIC (3c900/3c900B). These NICs do _NOT_ support NWAY autoneg: 10baseT mode is implemented using a non-NWAY transceiver which doesn't do autonegotiation. If you do "ifconfig -m xl0" and 'auto' doesn't show up as one of the supported modes, autoselect won't work.

If you want to do full duplex with this NIC, you will need to manually set both ends of the link to do it. You can do this with "ifconfig xl0 media 10baseT/UTP mediaopt full-duplex" on the NIC, but you'll need to manually configure the switch via its management interface to set the port with the xl0 link to full duplex as well. If your switch is not managed and doesn't allow you to manually configure the port settings, then you're out of luck. You'll just have to live with half duplex mode.

-Bill

--
=
-Bill Paul (510) 749-2329 | Senior Engineer, Master of Unix-Fu
[EMAIL PROTECTED] | Wind River Systems
=
"If stupidity were a handicap, you'd have the best parking spot."
=
Re: SysKonnect 9821 Adapters
On Monday 28 July 2003 05:33 pm, Dan Mahoney, System Admin wrote:
> Hi, we recently bought a "fully supported" SysKonnect 9821 adapter,
> but it claims to be "V2.0". I can't find any docs anywhere on this
> extra "feature" but the card does not detect under either a
> standard kernel or one with the sk driver compiled in...

V2.0 is NOT supported by FreeBSD yet. FYI, this one has Marvell's Yukon controller.

http://www.marvell.com/products/pcconn/yukon/index.jsp

The previous 'version' used the SysKonnect Genesis and XaQti XMAC II combo. V2.0 is sort of compatible with the previous version in many ways, but an identification/initialization change is required.

> This is a 64 bit card in a dell poweredge 600SC.
>
> By the way, according to LINT, support for the 9821 is provided by
> the bge driver. According to "man sk" it's provided by the sk
> driver. Could this be part of the problem?

No, bge supports SK-9D21.

Jung-uk Kim

> (Both device lines are included in my kernel).
>
> Please reply directly as I am not subscribed.
>
> -Dan Mahoney
>
> --
>
> Dan Mahoney
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---
RE: xl0 full duplex
** Reply to note from "Sreekanth" <[EMAIL PROTECTED]> Tue, 29 Jul 2003 09:53:05 -0700

> > Ok, so I tried:
> >
> > ifconfig xl0 mediaopt autoselect
> >
> > but I get:
> >
> > ifconfig: SIOCSIFMEDIA: Device not configured

>Try
>ifconfig xl0 media auto

Ditto. I get the same message.

bye & Thanks
av.
Re: Differences between netgraph nodes in 4.x and 5.x
On Tue, Jul 29, 2003 at 09:59:14AM -0700, Julian Elischer wrote:
>
> The fix in this case would be for the ether node to not allow this to
> happen..
> this requires a few small changes..
> The error codes must exist in sys/errno.h
> I try to select one that is closest in spirit :-)

maybe:

#define EISCONN 56 /* Socket is already connected */

or

#define ECONNREFUSED 61 /* Connection refused */

but anyway it's not vital anymore; now that I know, I won't make the same mistake again... =)

but it seems that there's another problem now, while loading the nodes, that freezes my box...

--
Paolo
GUFI: http://www.gufi.org
Re: what development of network between BSD 4.3 and BSD 4.4 life
On Friday 18 July 2003 21:24, Van Vinh Vo wrote:
> I am working on research about the network of FreeBSD.
> I want to know the development of BSD 4.4 life
> compared to 4.3 BSD.

I've explained to you several times that these historical questions are not appropriate for the freebsd-net mailing list. Please take these to freebsd-chat or I'll have to ban you from this list.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters [EMAIL PROTECTED]
Re: NAT and PPTP
Christophe Prevotaux wrote:
> Any hopes for anything like a pptpd (like the pppoed)
> any time soon? Discussion stopped in the thread,
> so maybe you guys discussed this further privately
> and decided something?

Not really.. from my point of view, unfortunately I don't have time to work on mpd right now (just keeping up with email is hard these days :-) so someone else will have to do any coding work that needs to be done, etc. Might make for a nice programming project if anyone is interested.

-Archie

__
Archie Cobbs * Halloo Communications * http://www.halloo.com
Re: Differences between netgraph nodes in 4.x and 5.x
On Tue, 29 Jul 2003, Paolo Pisati wrote:

> On Tue, Jul 29, 2003 at 04:16:41PM +0200, Paolo Pisati wrote:
> >
> > well, I answer to myself:
> >
> > it seems it's not my mistake, cause you can trigger it with a
> > plain original tee node too. =P
>
> Ok, I promise this is the last msg:
>
> it was my mistake; when I deleted the tee node, the ether
> node short-circuited the lower & upper hooks, and then
> it was impossible to connect anything to the ether
> hook again.
>
> solution: rmhook one of the ether hooks, and connect
> mynode again... =P
>
> maybe it would be nice to change the error msg from
> "File exists" to "hook already connected" or something like this

The fix in this case would be for the ether node to not allow this to happen.. this requires a few small changes.. The error codes must exist in sys/errno.h; I try to select one that is closest in spirit :-)

> bye
>
> --
>
> Paolo
>
> GUFI: http://www.gufi.org
RE: xl0 full duplex
Try

ifconfig xl0 media auto

Sreekanth

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Andrea Venturoli
> Sent: Tuesday, July 29, 2003 4:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: xl0 full duplex
>
>
> ** Reply to note from Olivier Nicole <[EMAIL PROTECTED]> Mon,
> 21 Jul 2003 16:56:30 +0700 (ICT)
>
> >> since it is connected to a full-duplex switch.
>
> >Is the port set to full-duplex? Or to auto configuration?
>
> There are no such options: it's always using Auto-Negotiation.
>
> >If the last, the default is to fall in half duplex degraded mode.
> >Auto configuration will only work when both ends are set to auto.
>
> Ok, so I tried:
>
> ifconfig xl0 mediaopt autoselect
>
> but I get:
>
> ifconfig: SIOCSIFMEDIA: Device not configured
>
> Would this mean that either the card or the driver does not
> support auto configuration? (and thus I would be stuck at
> half-duplex?)
>
> bye & Thanks
> av.
Re: xl0 full duplex
** Reply to note from Olivier Nicole <[EMAIL PROTECTED]> Mon, 21 Jul 2003 16:56:30 +0700 (ICT)

>> since it is connected to a full-duplex switch.

>Is the port set to full-duplex? Or to auto configuration?

There are no such options: it's always using Auto-Negotiation.

>If the last, the default is to fall in half duplex degraded mode.
>Auto configuration will only work when both ends are set to auto.

Ok, so I tried:

ifconfig xl0 mediaopt autoselect

but I get:

ifconfig: SIOCSIFMEDIA: Device not configured

Would this mean that either the card or the driver does not support auto configuration? (and thus I would be stuck at half-duplex?)

bye & Thanks
av.
Re: xl0 full duplex
** Reply to note from "Kevin Stevens" <[EMAIL PROTECTED]> Mon, 21 Jul 2003 02:53:35 -0700 (PDT)

>Do you know that full-duplex is supported and enabled on the switch for
>10Mb operation? Some only support half-duplex for 10Mb, others have to be
>forced.

Quoting the manual:

This Switch supports both Half- and Full-Duplex modes for 10BASE-T and 100BASE-TX.

Bye & Thanks
av.
Re: Differences between netgraph nodes in 4.x and 5.x
On Tue, Jul 29, 2003 at 04:16:41PM +0200, Paolo Pisati wrote:
>
> well, I answer to myself:
>
> it seems it's not my mistake, cause you can trigger it with a
> plain original tee node too. =P

Ok, I promise this is the last msg:

it was my mistake; when I deleted the tee node, the ether node short-circuited the lower & upper hooks, and then it was impossible to connect anything to the ether hook again.

solution: rmhook one of the ether hooks, and connect mynode again... =P

maybe it would be nice to change the error msg from "File exists" to "hook already connected" or something like this.

bye
--
Paolo
GUFI: http://www.gufi.org
Re: Differences between netgraph nodes in 4.x and 5.x
On Tue, Jul 29, 2003 at 12:30:42PM +0200, Paolo Pisati wrote:
>
> btw, I think I did the conversion and it was quite straightforward,
> but I've still a little problem that I didn't have in 5.x:
>
> if I try to unload my module, change the internals, compile
> and use it again, it fails! =P
>
> I think it's a problem in the shutdown/disconnect
> part of my work, cause this is what I get:
>
> ngctl mkpeer rl0: tee lower right
> ngctl: send msg: File exists
>
> actually tee is my own node, I didn't yet change the name
> to classifier but it's my node.

well, I answer to myself:

it seems it's not my mistake, cause you can trigger it with a plain original tee node too. =P

does it mean that the problem lies in the inability to delete rl0?

the only solution that I found now, when I've to try some modifications to my node, is to reboot, while I'm sure it worked under 5.x... =P

bye
--
Paolo
GUFI: http://www.gufi.org
RE: Kernel tuning for large maxsockets
Here is my patch for this. I've added the new settings to uipc_socket2.c instead of subr_param.c because they need to be initialized with maxsockets to keep the current behavior by default. This patch adds four new tunable vars: kern.ipc.maxripcb - maximum number of raw pcbs kern.ipc.maxdivcb - maximum number of divert pcbs kern.ipc.maxudpcb - maximum number of udp pcbs kern.ipc.maxtcpcb - maximum number of tcp pcbs Index: kern/uipc_socket2.c === RCS file: /cvs/src/sys/kern/uipc_socket2.c,v retrieving revision 1.55.2.17 diff -U3 -r1.55.2.17 uipc_socket2.c --- kern/uipc_socket2.c 31 Aug 2002 19:04:55 - 1.55.2.17 +++ kern/uipc_socket2.c 23 Jul 2003 20:40:53 - @@ -54,6 +54,10 @@ #include intmaxsockets; +intmaxripcb; /* max raw pcbs to preallocate */ +intmaxdivcb; /* max divert pcbs to preallocate */ +intmaxtcpcb; /* max tcp pcbs to preallocate */ +intmaxudpcb; /* max udp pcbs to preallocate */ /* * Primitive routines for operating on sockets and socket buffers @@ -998,6 +1002,16 @@ SYSCTL_INT(_kern_ipc, KIPC_SOCKBUF_WASTE, sockbuf_waste_factor, CTLFLAG_RW, &sb_efficiency, 0, ""); +SYSCTL_INT(_kern_ipc, OID_AUTO, maxripcb, CTLFLAG_RD, +&maxripcb, 0, "Maximum number of raw sockets available"); +SYSCTL_INT(_kern_ipc, OID_AUTO, maxdivcb, CTLFLAG_RD, +&maxdivcb, 0, "Maximum number of divert sockets available"); +SYSCTL_INT(_kern_ipc, OID_AUTO, maxtcpcb, CTLFLAG_RD, +&maxtcpcb, 0, "Maximum number of TCP sockets available"); +SYSCTL_INT(_kern_ipc, OID_AUTO, maxudpcb, CTLFLAG_RD, +&maxudpcb, 0, "Maximum number of UDP sockets available"); + + /* * Initialise maxsockets */ 
@@ -1005,5 +1019,14 @@ { TUNABLE_INT_FETCH("kern.ipc.maxsockets", &maxsockets); maxsockets = imax(maxsockets, imax(maxfiles, nmbclusters)); + +maxripcb = maxsockets; +TUNABLE_INT_FETCH("kern.ipc.maxripcb", &maxripcb); +maxdivcb = maxsockets; +TUNABLE_INT_FETCH("kern.ipc.maxdivcb", &maxdivcb); +maxtcpcb = maxsockets; +TUNABLE_INT_FETCH("kern.ipc.maxtcpcb", &maxtcpcb); +maxudpcb = maxsockets; +TUNABLE_INT_FETCH("kern.ipc.maxudpcb", &maxudpcb); } SYSINIT(param, SI_SUB_TUNABLES, SI_ORDER_ANY, init_maxsockets, NULL); Index: netinet/ip_divert.c === RCS file: /cvs/src/sys/netinet/ip_divert.c,v retrieving revision 1.42.2.5 diff -U3 -r1.42.2.5 ip_divert.c --- netinet/ip_divert.c 9 Jul 2002 09:11:42 - 1.42.2.5 +++ netinet/ip_divert.c 23 Jul 2003 20:10:30 - @@ -125,7 +125,7 @@ divcbinfo.hashbase = hashinit(1, M_PCB, &divcbinfo.hashmask); divcbinfo.porthashbase = hashinit(1, M_PCB, &divcbinfo.porthashmask); divcbinfo.ipi_zone = zinit("divcb", sizeof(struct inpcb), - maxsockets, ZONE_INTERRUPT, 0); + maxdivcb, ZONE_INTERRUPT, 0); } /* Index: netinet/raw_ip.c === RCS file: /cvs/src/sys/netinet/raw_ip.c,v retrieving revision 1.64.2.10 diff -U3 -r1.64.2.10 raw_ip.c --- netinet/raw_ip.c26 Nov 2001 10:07:57 - 1.64.2.10 +++ netinet/raw_ip.c23 Jul 2003 20:10:43 - @@ -103,7 +103,7 @@ ripcbinfo.hashbase = hashinit(1, M_PCB, &ripcbinfo.hashmask); ripcbinfo.porthashbase = hashinit(1, M_PCB, &ripcbinfo.porthashmask); ripcbinfo.ipi_zone = zinit("ripcb", sizeof(struct inpcb), - maxsockets, ZONE_INTERRUPT, 0); + maxripcb, ZONE_INTERRUPT, 0); } static struct sockaddr_in ripsrc = { sizeof(ripsrc), AF_INET }; Index: netinet/tcp_subr.c === RCS file: /cvs/src/sys/netinet/tcp_subr.c,v retrieving revision 1.73.2.28.1000.1 diff -U3 -r1.73.2.28.1000.1 tcp_subr.c --- netinet/tcp_subr.c 2 Jan 2003 18:07:54 - 1.73.2.28.1000.1 +++ netinet/tcp_subr.c 23 Jul 2003 22:55:12 - 
@@ -231,7 +231,7 @@ tcbinfo.hashbase = hashinit(hashsize, M_PCB, &tcbinfo.hashmask); tcbinfo.porthashbase = hashinit(hashsize, M_PCB, &tcbinfo.porthashmask); - tcbinfo.ipi_zone = zinit("tcpcb", sizeof(struct inp_tp), maxsockets, + tcbinfo.ipi_zone = zinit("tcpcb", sizeof(struct inp_tp), maxtcpcb, ZONE_INTERRUPT, 0); #ifdef INET6 #define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr)) Index: netinet/udp_usrreq.c === RCS file: /cvs/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.64.2.16.1000.3 diff -U3 -r1.64.2.16.1000.3 udp_usrreq.c --- netinet/udp_usrreq.c29 May 2003 16:35:50 - 1.64.2.16.1000.3 +++ netinet/udp_usrreq.c2
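Review bot: the netinet hunks reference maxdivcb, maxripcb and maxtcpcb, but the only declarations the patch carries are the definitions added to kern/uipc_socket2.c (`+intmaxripcb; /* max raw pcbs to preallocate */` and the three lines below it); no header hunk adds `extern int maxripcb, maxdivcb, maxtcpcb, maxudpcb;` next to the existing extern declaration of maxsockets that ip_divert.c, raw_ip.c and tcp_subr.c already rely on, so either that hunk was dropped from the mail or those files will not compile. Please include it.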
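Review bot: in the init_maxsockets() hunk the four TUNABLE_INT_FETCH() results are used as zone sizes without any validation, whereas the line just above them clamps `maxsockets = imax(maxsockets, imax(maxfiles, nmbclusters));`. A loader value of 0 or a negative number, or one larger than maxsockets, is accepted as-is and handed to zinit(); clamp each value to the range [1, maxsockets] after its fetch, e.g. `maxtcpcb = imin(imax(maxtcpcb, 1), maxsockets);` and the same for the other three, so a typo in loader.conf cannot produce an empty or oversized pcb zone.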
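Review bot: the SYSCTL_INT descriptions in the uipc_socket2.c hunk say "Maximum number of raw sockets available" (and likewise for divert, TCP and UDP) while the variables size the inpcb zones and, being CTLFLAG_RD, can only be set as loader tunables at boot; word the strings to match the comments on the definitions ("max raw pcbs to preallocate") and state in the description that these are loader.conf tunables rather than runtime sysctls, so the list at the top of the mail ("four new tunable vars") is not read as something `sysctl -w` can change.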
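Review bot: the netinet/udp_usrreq.c hunk is cut off right after its `+++` header on this page, so the zinit() change for the udpcb zone cannot be reviewed here; the three visible zinit() hunks (ip_divert.c, raw_ip.c, tcp_subr.c) each replace maxsockets with the matching per-protocol variable, and with the defaults set to maxsockets in init_maxsockets() they keep the old zone sizes unless a tunable is set, which matches the "keep the current behavior by default" claim in the description.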
Off Topic - Broadcasts
Hi Folks,

I verified my network traffic using tcpdump. I have 3 sub-nets. In the past I used one switch per sub-net, and the broadcasts were generated only for the PCs inside their own sub-net. I needed to create VLANs in one switch and attach the 3 sub-nets. Now the broadcasts are generated from all PCs to all sub-nets. Is this normal?

Thanks.
Eicke.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
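An added example, not from the post above or from any reply to it: a small checker for exactly the symptom Eicke describes. It reads `tcpdump -n` text captured on one VLAN interface, picks out the broadcast traffic (ARP requests, limited broadcasts to 255.255.255.255 and directed broadcasts to any of the known subnets' broadcast addresses) and reports every broadcast whose source address does not belong to that interface's own subnet. On a correctly segmented switch that list is empty; anything in it means frames are crossing VLANs (typically a port left untagged on the wrong VLAN or a trunk carrying a native VLAN), which also means ARP spoofing and other layer-2 attacks are no longer confined to one subnet. The capture text, the subnet plan (192.168.10/20/30.0/24) and the interface names are constructed for the example; the `arp who-has` and `ARP, Request who-has` line forms cover older and newer tcpdump output.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n` output as it might look on the
# interface carrying VLAN 10 (192.168.10.0/24). Not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.10.5.137 > 192.168.10.255.137: NBT UDP PACKET(137): QUERY
12:00:01.000002 arp who-has 192.168.10.1 tell 192.168.10.7
12:00:01.000003 IP 192.168.20.9.138 > 192.168.20.255.138: NBT UDP PACKET(138)
12:00:01.000004 ARP, Request who-has 192.168.30.1 tell 192.168.30.4, length 46
12:00:01.000005 IP 192.168.10.5.68 > 255.255.255.255.67: BOOTP/DHCP, Request
12:00:01.000006 IP 192.168.10.5.1025 > 192.168.10.1.53: 1+ A? example.com. (29)
"""

# The three subnets attached to the switch (assumed address plan).
KNOWN_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]

# "IP src.port > dst.port:" as printed by tcpdump -n for IPv4.
IP_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")
# ARP requests; the sender ("tell") address is the broadcast's source.
ARP_RE = re.compile(r"(?:arp|ARP, Request) who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def iter_broadcasts(capture, all_cidrs):
    """Yield (source_ip, line) for every broadcast frame in the capture text.

    A frame counts as broadcast if it is an ARP request, or an IP packet sent
    to 255.255.255.255 or to the directed broadcast address of any subnet in
    all_cidrs. Unicast traffic is ignored.
    """
    directed = {ipaddress.ip_network(c).broadcast_address for c in all_cidrs}
    for line in capture.splitlines():
        m = IP_RE.search(line)
        if m:
            src, dst = (ipaddress.ip_address(a) for a in m.groups())
            if dst == LIMITED_BROADCAST or dst in directed:
                yield src, line.strip()
            continue
        m = ARP_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(2)), line.strip()


def foreign_broadcasts(capture, local_cidr, all_cidrs):
    """Broadcasts seen on an interface whose source is outside that interface's subnet.

    Returns a list of (source_ip_string, capture_line). Non-empty means the
    VLANs are not isolating the subnets from each other.
    """
    local = ipaddress.ip_network(local_cidr)
    return [(str(src), line) for src, line in iter_broadcasts(capture, all_cidrs)
            if src not in local]


def broadcasts_by_subnet(capture, all_cidrs):
    """Count broadcast frames per originating subnet ("other" = none of them)."""
    nets = [ipaddress.ip_network(c) for c in all_cidrs]
    counts = {str(n): 0 for n in nets}
    counts["other"] = 0
    for src, _ in iter_broadcasts(capture, all_cidrs):
        for n in nets:
            if src in n:
                counts[str(n)] += 1
                break
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    # Pretend the sample was captured on the VLAN-10 interface.
    print("broadcasts by source subnet:", broadcasts_by_subnet(SAMPLE_CAPTURE, KNOWN_SUBNETS))
    for src, line in foreign_broadcasts(SAMPLE_CAPTURE, "192.168.10.0/24", KNOWN_SUBNETS):
        print("LEAK from", src, "::", line)
```

Run it against a real file with `tcpdump -n -i <vlan interface> > cap.txt` for each of the three interfaces and feed each capture with its own subnet as `local_cidr`; the per-subnet counts show where the chatter originates, and the foreign list is the evidence that the switch configuration, not the hosts, needs fixing.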
Re: Setting up a NAT Router that will route between 3 networks
On Mon, 28 Jul 2003, Jason Hunt wrote:

> On Mon, Jul 28, 2003 at 06:14:29PM -0400, [EMAIL PROTECTED] wrote:
> > I was wondering how to modify the appropriate files to setup a FreeBSD
> > computer to act as a NAT Router, that would do the following:
> >
>
> Check the natd(8) man page, it should give you a good start. Chapter
> 19.12 in the handbook might be helpful as well.
>

You should also check man ipf and man ipnat. ipf and ipnat run completely in the kernel, whereas natd runs in userland. On a slower machine this could affect speed (lots more context switches with natd than with ipnat).

Ken
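An added example, not from this thread or from the FreeBSD handbook: the files Jason and Ken point at, filled in for a router with one outside interface and three inside networks. The interface names (fxp0 outside, fxp1 to fxp3 inside), the 192.168.1/2/3.0/24 address plan and the 4.x-era rc.conf variable names are assumptions; verify the rule syntax with `ipf -n -f /etc/ipf.rules` and `ipnat -n -f /etc/ipnat.rules` before loading. The point neither reply spells out: ipnat only rewrites addresses, and once forwarding is on the box relays anything between the three inside networks as well, so the ipf rules below default to block and pass only inside-to-outside traffic plus its stateful replies.

```conf
# /etc/rc.conf (4.x variable names assumed)
gateway_enable="YES"              # net.inet.ip.forwarding=1: route between the NICs
ipfilter_enable="YES"             # load ipf and apply the filter rules
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"                # apply the NAT rules
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules: translate all three inside networks to fxp0's address.
# "0/32" means "the current address of the interface", so DHCP-assigned
# outside addresses work without editing this file.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.1.0/24 -> 0/32
map fxp0 192.168.2.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.2.0/24 -> 0/32
map fxp0 192.168.3.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.3.0/24 -> 0/32

# /etc/ipf.rules: NAT is not a firewall, so filter explicitly.
# Default deny; "quick" rules below decide immediately.
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all

# Replies and forwarded traffic may leave towards the inside networks.
pass out quick on fxp1 all
pass out quick on fxp2 all
pass out quick on fxp3 all

# Inside networks may talk to the outside, but not to each other
# (drop anything aimed at any private 192.168 destination first).
block in quick on fxp1 from any to 192.168.0.0/16
block in quick on fxp2 from any to 192.168.0.0/16
block in quick on fxp3 from any to 192.168.0.0/16
pass in quick on fxp1 from 192.168.1.0/24 to any
pass in quick on fxp2 from 192.168.2.0/24 to any
pass in quick on fxp3 from 192.168.3.0/24 to any

# Outside: only stateful outbound sessions; never accept packets that
# claim an inside source on the outside interface (spoofing).
block in quick on fxp0 from 192.168.0.0/16 to any
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Two consequences of the default-deny layout are worth knowing before it goes live: inside hosts cannot reach services on the router's own inside addresses (DNS, DHCP) unless a `pass in quick on fxp1 ... to 192.168.1.1 port = 53` style rule is placed ahead of the block, and the inside `pass in` rules only accept each network's own source range, so a host with a mis-set address on the wrong port is dropped rather than relayed.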
Re: Differences between netgraph nodes in 4.x and 5.x
hi, there!

On Tue, Jul 29, 2003 at 12:30:42PM +0200, Paolo Pisati wrote:
> And while you are listening, I can show u something else... =)
>
> I have NETGRAPH in my kernel, and this is what I get when I
> try to load ng_ether the first time:
>
> [EMAIL PROTECTED] root]# kldload ng_ether
> module_register: module netgraph already exists!
> linker_file_sysinit "netgraph.ko" failed to register! 17
> kldload: can't load ng_ether: Exec format error
> ^
> it fails to load the node...

Yes, the kernel loader in RELENG_4 fails when some of the dependencies are linked into the kernel.

> [EMAIL PROTECTED] root]# kldload ng_ether
>
> while the second time it works... =O
>
> [EMAIL PROTECTED] root]# kldunload ng_ether
> kldunload: can't unload file: Device busy
>
> and if I try to unload it, it always says that it's busy:
> I think this is due to the inability to delete
> an interface, isn't it?

/fjoe
Re: Differences between netgraph nodes in 4.x and 5.x
On Mon, Jul 28, 2003 at 07:13:04PM -0700, Julian Elischer wrote:
>
> If you want to send me the node you have written I can
> make the diffs and send it back :-)

Thanks Julian, but I prefer to do it myself, cause I want to understand how the hell netgraph works... =)

Btw, I think I did the conversion and it was quite straightforward, but I still have a little problem that I didn't have in 5.x: if I try to unload my module, change the internals, compile and use it again, it fails! =P I think it's a problem in the shutdown/disconnect part of my work, cause this is what I get:

ngctl mkpeer rl0: tee lower right
ngctl: send msg: File exists

Actually tee is my own node, I didn't yet change the name to classifier, but it's my node.

And while you are listening, I can show u something else... =)

I have NETGRAPH in my kernel, and this is what I get when I try to load ng_ether the first time:

[EMAIL PROTECTED] root]# kldload ng_ether
module_register: module netgraph already exists!
linker_file_sysinit "netgraph.ko" failed to register! 17
kldload: can't load ng_ether: Exec format error
^
it fails to load the node...

[EMAIL PROTECTED] root]# kldload ng_ether

while the second time it works... =O

[EMAIL PROTECTED] root]# kldunload ng_ether
kldunload: can't unload file: Device busy

and if I try to unload it, it always says that it's busy: I think this is due to the inability to delete an interface, isn't it?

Nothing really nasty, but maybe you didn't know... =)

Thank you & bye.

--
Paolo
GUFI: http://www.gufi.org
Crash with bpfs
Hello.

I've got a production server which keeps crashing if I use bpfs too much. I usually only use bpf0 for the dhcp server, but if I start e.g. snort and ntop, the machine will soon reboot. The same happens if I run tcpdump.

uname -a gives:
FreeBSD x..zz 4.7-RELEASE-p9 FreeBSD 4.7-RELEASE-p9 #2: Sat Mar 22 19:25:28 CET 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/X i386

The hardware is an Athlon with 128MB RAM, 4 SCSI HDs building two mirrored vinum volumes and two Intel NICs (one of which is currently unused, but was in use when it all began and probably will be again soon). The problem has started to show after an upgrade to 4.6 or 4.7 I believe (but I cannot recall exactly). I might as well try an upgrade to 4.8, but I'd rather have more insight.

Following is the output of bt from gdb. Can anyone suggest where I should look next?

#0 dumpsys () at ../../kern/kern_shutdown.c:487
#1 0xc015b2ef in boot (howto=260) at ../../kern/kern_shutdown.c:316
#2 0xc015b714 in poweroff_wait (junk=0xc02594cc, howto=-1071280145) at ../../kern/kern_shutdown.c:595
#3 0xc021c30a in trap_fatal (frame=0xc8344abc, eva=3230566052) at ../../i386/i386/trap.c:974
#4 0xc021bfdd in trap_pfault (frame=0xc8344abc, usermode=0, eva=3230566052) at ../../i386/i386/trap.c:867
#5 0xc021bbc7 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 6704128, tf_esi = 1, tf_ebp = -936097008, tf_isp = -936097048, tf_ebx = -1065849344, tf_edx = -1066233856, tf_ecx = -1607974912, tf_eax = 1832612, tf_trapno = 12, tf_err = 2, tf_eip = -1072206401, tf_cs = 8, tf_eflags = 66066, tf_esp = -1066083072, tf_ss = -1066180606}) at ../../i386/i386/trap.c:466
#6 0xc0176dbf in m_getcl (how=1, type=1, flags=2) at ../../kern/uipc_mbuf.c:589
#7 0xc012f2e7 in fxp_add_rfabuf (sc=0xc0a54e00, oldm=0xc074dd00) at ../../dev/fxp/if_fxp.c:1867
#8 0xc012df28 in fxp_intr_body (sc=0xc0a54e00, statack=64 '@', count=-1) at ../../dev/fxp/if_fxp.c:1327
#9 0xc012de3d in fxp_intr (xsc=0xc0a54e00) at ../../dev/fxp/if_fxp.c:1228
#10 0xc0211ec2 in vec10 ()
#11 0xc0182eb3 in biowait (bp=0xc3394184) at ../../kern/vfs_bio.c:2638
#12 0xc018081d in bread (vp=0xc7fc00c0, blkno=360576, size=8192, cred=0x0, bpp=0xc8344c6c) at ../../kern/vfs_bio.c:525
#13 0xc01cc5c2 in ffs_update (vp=0xc8256700, waitfor=0) at ../../ufs/ffs/ffs_inode.c:99
#14 0xc01d5fed in ffs_fsync (ap=0xc8344cd0) at ../../ufs/ffs/ffs_vnops.c:273
#15 0xc01d48cb in ffs_sync (mp=0xc0b99400, waitfor=2, cred=0xc0731900, p=0xc02b94e0) at vnode_if.h:558
#16 0xc018b0df in sync (p=0xc02b94e0, uap=0x0) at ../../kern/vfs_syscalls.c:576
#17 0xc015b08a in boot (howto=256) at ../../kern/kern_shutdown.c:235
#18 0xc015b714 in poweroff_wait (junk=0xc02594cc, howto=-1071280145) at ../../kern/kern_shutdown.c:595
#19 0xc021c30a in trap_fatal (frame=0xc8344df0, eva=3230566052) at ../../i386/i386/trap.c:974
#20 0xc021bfdd in trap_pfault (frame=0xc8344df0, usermode=0, eva=3230566052) at ../../i386/i386/trap.c:867
#21 0xc021bbc7 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1065680640, tf_ebp = -936096172, tf_isp = -936096228, tf_ebx = -1065680640, tf_edx = -1066233856, tf_ecx = -1607974912, tf_eax = 1832612, tf_trapno = 12, tf_err = 2, tf_eip = -1072194409, tf_cs = 8, tf_eflags = 66066, tf_esp = -1058056832, tf_ss = -947913056}) at ../../i386/i386/trap.c:466
#22 0xc0179c97 in sosend (so=0xc7c168c0, addr=0x0, uio=0xc8344ed4, top=0x0, control=0x0, flags=0, p=0xc77ffea0) at ../../kern/uipc_socket.c:567
#23 0xc016d624 in soo_write (fp=0xc0ef5580, uio=0xc8344ed4, cred=0xc0c2e800, flags=0, p=0xc77ffea0) at ../../kern/sys_socket.c:81
#24 0xc016a2b5 in dofilewrite (p=0xc77ffea0, fp=0xc0ef5580, fd=3, buf=0x8092000, nbyte=8240, offset=-1, flags=0) at ../../sys/file.h:162
#25 0xc016a16e in write (p=0xc77ffea0, uap=0xc8344f80) at ../../kern/sys_generic.c:329
#26 0xc021c5b9 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 671784156, tf_esi = 8240, tf_ebp = -1077937636, tf_isp = -936095788, tf_ebx = 671771728, tf_edx = 671784156, tf_ecx = 3, tf_eax = 4, tf_trapno = 0, tf_err = 2, tf_eip = 673124360, tf_cs = 31, tf_eflags = 646, tf_esp = -1077937680, tf_ss = 47}) at ../../i386/i386/trap.c:1175
#27 0xc02109b5 in Xint0x80_syscall ()
#28 0x8050a5c in ?? ()
#29 0x804e065 in ?? ()
#30 0x804d413 in ?? ()
#31 0x804c0bd in ?? ()

bye & Thanks
av.
never freeing data received in netgraph control message
In netgraph(4) it is said that:

    In both directions, (request and response) it is up to the
    receiver of that message to free() the control message buffer.
    All control messages and replies are allocated with malloc()
    type M_NETGRAPH.

Does this mean that I can receive a message, point to its data with a pointer in the private node info, and use this data?

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
Re: NAT and PPTP
Hello,

Any hopes for anything like a pptpd (like the pppoed) any time soon? Discussion stopped in the thread, so maybe you guys discussed this further privately and decided something?

pptpd is a much needed feature nowadays.

On Thu, 24 Jul 2003 23:00:45 -0600 Brett Glass <[EMAIL PROTECTED]> wrote:

> At 08:50 PM 7/24/2003, Archie Cobbs wrote:
>
> >I don't have time to do any real work.. however, the PPTP control
> >layer can be used pretty much as is.. i.e., the files pptp_ctrl.[ch].
> >It has a fairly clean API that any PPP daemon could use, and all they
> >require is some kind of event support.
>
> We wouldn't be doing it quite that way; we'd be using it just to
> steer the call through PPP (which wouldn't know that it was PPTP;
> it would just think the call was PPP with MPPE on the CCP layer).
> So, the PPP implementation wouldn't need to know about PPTP call
> control.
>
> --Brett

--
===
Christophe Prevotaux            Email: [EMAIL PROTECTED]
HEXANET SARL                    URL: http://www.hexanet.fr/
Z.A.C Les Charmilles            Tel: +33 (0)3 26 79 30 05
3 Allée Thierry Sabine          Direct: +33 (0)3 26 61 77 72
BP202                           Fax: +33 (0)3 26 79 30 06
51686 Reims Cedex 2 FRANCE
HEXANET Network Operation Center
===