Re: 'unregistered_only' in natd does not work?
On Fri, 7 Jul 2006, Chuck Swiger wrote:

> BigBrother-{BigB3} wrote:
> [ ... ]
> > I have trouble making a passive ftp connection to work, because every
> > time natd changed source port even though it should not. Sometimes it
> > changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to
> > something completely irrelevant like 3
> >
> > The verbose log of natd shows this:
> >
> > Out {default} [TCP] 193.92.?:55211 -> 193.92.:3866 aliased to [TCP] 193.92.??:37962 -> 193.92.?:3866
>
> You might try using the punch_fw keyword or flag to natd to try and
> control the portrange used for ephemeral FTP & IRC data channels,
> BTW...but if your problem also affects passive-mode FTP, something else
> is going on.
>
> What happens if you change your IPFW divert statement to only match the
> RFC-1918 unroutable addresses which you're using, and not send internal
> routable traffic to NATD...?
>
> --
> -Chuck

Dear Chuck,

Thank you for your answer.

1) I have already tried the punch_fw keyword with different settings but nothing happened. I mean that no dynamic rule was added. I think that punch_fw works when you are on the box and try to connect to another ftp server (thus, when you are the client). I do not think that punch_fw works when this box is the server. Passive mode from the box itself is ok...works without any problem.

2) I am not sure how to change the divert command because take notice that divert should be applied to both incoming and outgoing packets. I think that messing with divert may cause some strange problems...

I followed your suggestion and it seems that the following works (not tested thoroughly though):

$fwcmd add 14999 skipto 15001 all from $oip to any via $oif
$fwcmd add 15000 divert natd all from any to any via $oif

(do you have any feeling for possible faults on the skipto line?)

I will test, but I think it should be noted that this is a bug in the natd code (I mean the 'unregistered_only').

Thanks for the support!

BB
---
Dixi et animan levavi

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
'unregistered_only' in natd does not work?
Summary: NATD translates source addresses even though it should not, because unregistered_only is set and the IPs do not belong to RFC 1918 (like 192.168).

Hi List,

I have a very strange problem in my FreeBSD

bigb3 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue Jun 6

I am using the ftpd with inetd. I have specified via sysctl IP_PORTRANGE_DEFAULT and IP_PORTRANGE_HIGH

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

and I have opened my ipfw firewall for these ranges.

In natd.conf I am using:

same_ports yes
unregistered_only yes
use_sockets yes
log_denied yes
interface vr0

and I am using ipfw with

$fwcmd add 15000 divert natd all from any to any via $oif

*** T H E   P R O B L E M ***

I have trouble making a passive ftp connection to work, because every time natd changes the source port even though it should not. Sometimes it changes within the IP_PORTRANGE_DEFAULT but sometimes it changes it to something completely irrelevant like 3

The verbose log of natd shows this:

Out {default} [TCP] 193.92.?:55211 -> 193.92.:3866 aliased to [TCP] 193.92.??:37962 -> 193.92.?:3866

Thus it shows that the outside IP and port (55211) in the source field was changed to another source port (37962), even though this is not required. My IPFW denies ports lower than 49152 and thus it drops this and logs that this packet was denied.

Can you help me please with how to either

1) instruct natd NOT to translate ports if it is not required (unregistered_only seems that it does not work) or,
2) instruct natd to translate ports which belong to either IP_PORTRANGE_DEFAULT or another defined portrange?

Thank you very very much in advance,

Best Regards,
BB

p.s. After searching the freebsd bugs database I found Problem Report bin/77089: /sbin/natd: natd ignores -u with passive FTP, http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/77089, which seems similar.

Any clues except re-arranging the firewall rules, as the author of the previous post suggests?

---
Dixi et animan levavi
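Added example, not part of either post: a small Python checker for natd's verbose "aliased to" lines in the format quoted above. It flags translations that contradict the natd.conf settings in the question (a non-RFC 1918 source rewritten despite unregistered_only, a source port changed despite same_ports, or a new source port outside the 49152-65535 range that ipfw admits). The sample log lines and their addresses are constructed, not the poster's.

```python
import re
from ipaddress import ip_address, ip_network

# natd -v prints one line per translated packet in the form quoted in the post:
#   Out {default} [TCP] a.b.c.d:sport -> e.f.g.h:dport aliased to [TCP] ...
NATD_LINE = re.compile(
    r"^(?P<dir>In|Out)\s+\{(?P<inst>[^}]*)\}\s+\[(?P<proto>\w+)\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+aliased to\s+\[\w+\]\s+"
    r"(?P<asrc>[\d.]+):(?P<asport>\d+)\s+->\s+(?P<adst>[\d.]+):(?P<adport>\d+)"
)

# unregistered_only is defined in terms of RFC 1918 space, so test exactly that
# (ipaddress.is_private would also flag documentation ranges such as 203.0.113.0/24).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ip_address(addr) in n for n in RFC1918)

def parse_natd_line(line):
    """Return the fields of one natd verbose line as a dict, or None if it is not one."""
    m = NATD_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "asport", "adport"):
        rec[key] = int(rec[key])
    return rec

def check_translation(rec, port_first=49152, port_last=65535):
    """Findings for one record, judged against the settings the post describes:
    unregistered_only (a non-RFC 1918 source must pass untouched), same_ports
    (the source port must survive) and the ipfw-permitted ephemeral range."""
    findings = []
    if rec["dir"] == "Out" and not is_rfc1918(rec["src"]):
        if (rec["asrc"], rec["asport"]) != (rec["src"], rec["sport"]):
            findings.append("registered source translated despite unregistered_only")
    if rec["asport"] != rec["sport"]:
        findings.append(f"source port rewritten {rec['sport']} -> {rec['asport']}")
        if not port_first <= rec["asport"] <= port_last:
            findings.append(f"new source port {rec['asport']} outside ipfw range")
    return findings

def audit(lines, **limits):
    """Return [(line_number, findings)] for every log line that raises a finding."""
    report = []
    for n, line in enumerate(lines, 1):
        rec = parse_natd_line(line)
        if rec:
            findings = check_translation(rec, **limits)
            if findings:
                report.append((n, findings))
    return report

# Constructed sample log (documentation-range addresses, not the poster's):
# line 2 reproduces the symptom from the post, 55211 rewritten to 37962.
SAMPLE_LOG = """\
Out {default} [TCP] 192.168.1.20:50012 -> 198.51.100.9:80 aliased to [TCP] 203.0.113.7:50012 -> 198.51.100.9:80
Out {default} [TCP] 203.0.113.7:55211 -> 198.51.100.9:3866 aliased to [TCP] 203.0.113.7:37962 -> 198.51.100.9:3866
Out {default} [TCP] 203.0.113.7:55300 -> 198.51.100.9:3866 aliased to [TCP] 203.0.113.7:55300 -> 198.51.100.9:3866
In  {default} [TCP] 198.51.100.9:3866 -> 203.0.113.7:37962 aliased to [TCP] 198.51.100.9:3866 -> 203.0.113.7:55211
""".splitlines()

if __name__ == "__main__":
    for n, findings in audit(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(findings))
```

Feed it `natd -v` output to see whether the port rewrites that ipfw later denies are ones natd should never have made.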
Too many "unknown dynamic rule type 244" in syslog..
hi,

For the past weeks I have been receiving in my syslog the following message:

"ikaros /kernel: unknown dynamic rule type 244"
"ikaros last message repeated XXX times"

ipfw -d show | grep 244

does not show anything. I have rebooted the machine, I have flushed & reloaded the ruleset...the message remains.

Can you help me with how to debug this situation? I do not know what is causing this. Googling does not reveal something useful (just the printf of the corresponding file).

Thanks in advance,

BB
---
Dreams have no limits!
Re: I used "boot0cfg" and destroyed the MBR. All labels disappear! (How I Fixed it)
Hi,

I managed to fix the error of all slices being destroyed. My system is up and running. I did not reinstall any programs, just edited the partition table and the labels. It took me 3 days to figure out the exact values, so I post here my findings, in case somebody faces the same problem.

The problem was solved using two programs from the fixit disk: fdisk and disklabel. Note that I am using a whole disc dedicated to freebsd. No other partitions exist.

This is a short guide of how to fix it:

a) Boot the computer using the floppy disks and enter the Fixit menu with the fixit disc inserted.

b) Go to the menu Configure->Fdisk and delete all partitions (NOTE: I am using all the disc dedicated to freebsd. No other OS exists. In your situation this may vary).

c) On this screen I then pressed [A] - use Entire disc and saw the new automatically calculated sector values (and the offset).

d) I pressed CTRL+C to abort this screen. Only the numbers interested me.

e) I went to the menu and pressed the fixit prompt. I went to the fixit prompt. I ran 'disklabel ad0' and 'disklabel -r ad0' and I noted down some numbers of the fake partitions. Especially I noted the size (in sectors) of it. If this process fails, then you have to repeat the disklabel step after every fdisk command that follows. Also note the numbers of fsize, bsize, and bps/cpg.

f) I edited the partition table using fdisk:

fdisk -u ad0

(ad0 is my first disc). I deleted all (fake) partitions and created one according to the numbers that I had extracted from the previous screen. The type was 165 FreeBSD. Thus I have created a big slice ad0s1.

I edited the slice ad0s1 because I saw that there is a hidden partition on every freebsd system with these values:

fdisk ad0s1
Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
The data for partition 2 is:
The data for partition 3 is:
The data for partition 4 is:
sysid 165,(FreeBSD/NetBSD/386BSD)
    start 0, size 5 (24 Meg), flag 80 (active)
        beg: cyl 0/ head 0/ sector 1;
        end: cyl 1023/ head 255/ sector 63

I do not know why, but every freebsd system (in my possession) has a partition 4 on slice 1 with these values.

I then edit the labels on that slice using

disklabel -e ad0s1

If that operation fails then you have to install a fresh disklabel using

disklabel -w ad0s1 auto

or

disklabel -w ad0 auto

I edit the labels of that slice. The sector offset was known from a previous step where I had extracted it using disklabel. The offset is calculated by adding the sectors until now. The fsize and other numbers are known from the previous step also. Then you edit the label and write the first line of a:

offset=0 4.2BSD fsize bsize bps/cpg

On the b label put in the offset the sector size of the previous (a slice) and repeat the process. Note that the label 'c' corresponds to the whole disc so this value should have size from offset 0 until the size given by disklabel: [sectors/unit: X]. The last label starts from the sum of all the previous labels until the number of sectors/unit. Thus if the calculated offset is 100 and sectors/unit is 300, then the last label will have size 200 and offset 100.

After editing the label, try to mount. Note that /mnt2/ holds the devices for mounting labels. Try:

mount /mnt2/dev/ad0s1a /mnt

If this succeeds then label a has correct values. If not, try to edit the disklabel with other numbers.

Remember that as long as you do not issue [newfs] the inode table is somewhere hidden on the disc and you just have to figure out the label information (where it starts and where it ends for every slice).

Finally, install bootblocks using

fdisk -B ad0
fdisk -B ad0s1
disklabel -B ad0 auto
disklabel -B ad0s1 auto

and to be 100% sure enter sysinstall, go to the fdisk menu and press Q (quit). It will then ask you to install a boot manager...Say yes to it and your PC is 100% ready! Reboot and enjoy :)

It took me 3 days to figure out this process but I managed to succeed in it. Of course the best advice (in order to avoid this) is to print the partition information for your hard disc so you know beforehand all the values... Just issue (in case you have an ad0 disc):

fdisk ad0 [depending on your disc]
fdisk ad0s1 [-<<-]
disklabel ad0
disklabel ad0s1

I hope that you will not need my short guide on fixing such kind of problems, but you never know :)

BB
---
Dreams have no limits!
I used "boot0cfg" and destroyed the MBR. All labels disappear!
Dear,

Please help me with this strange situation, which is due to using boot0cfg with wrong switches. I googled it but I did not find any similar case.

On a working 4.11 freebsd system I wanted to create a floppy bootable disk. This system had one slice and four labels. I ran this command:

boot0cfg -B -o update -s 1 -t 20 fd0

After I ran this command I rebooted and I faced a situation where

a) the floppy booting only showed

F1 ???
F2 ???
F3 ???
F4 ???

(whatever I pressed it caused a beep and nothing happened)

b) I removed the floppy disk and booted from the hard disc, but the same list appeared..and nothing happened.

c) I booted with the 2 kernel/mfsroot discs with fixit also and I saw:

fdisk from the 'sysinstall' shows that no slices exist, and all the space is unused.

fdisk ad0 shows that there are 4 partitions with information like

==
sysid 32 (unknown)
1919950958, 544437093 (265838 Meg) (flag 0x80 active)
beginning: cylinder 356 head 97 sector 46
end: cylinder 357 head 116 sector 40

sysid 107 (unknown)
sysid 83 (unknown) ...
sysid 73 (unknown) ...

Meanwhile I got the messages

"slice ad0s1 starts beyond end of the disk: rejecting it"
"slice ad0s2 ..rejecting it"
"slice ad0s3 rejecting it"
"slice ad0s4 ... rejecting it"

It seems that all the labels of the single slice have become separate slices. As a result I cannot mount anything and it seems that all my data is inaccessible.

Because this is my home freeBSD firewall and I would like to bring it back online without reinstalling and setting it up from the beginning (no backups, sniff :( ), how can I fix this? Can I recreate partitions (how?) without erasing the file/inode table? How can I change the type of every partition to be freebsd? And how can I change the slices to be one big slice? I think disklabel can help but I am not sure how. How can I save/backup the data on the disk?

Thank you very much in advance!!!

Please, if you have any hint of where to search or what to do, help me and I will post the results (and hopefully the solution) of this case as a reference.

regards,
BB
---
Dreams have no limits!
Re: Renaming files with spaces in the name to files without spaces..
On Fri, 10 Jan 2003, Rob wrote:

> > > Sorry for this OT but I am trying for some hours to achieve a massive
> > > rename of files using a simple script and I have not success yet. I want
> > > to rename files like
> > >
> > > "RESULTS OF JAN 01 2002.txt "
> > >
> > > to
> > >
> > > "RESULTS_OF_JAN_01_2002.txt"
> > >
> > > i.e. all the spaces, being substituted by '_', and the last space being
> > > completely removed [yes it has a space after the suffix]
> > > I tried to experiment with sed/awk and creating a sample sh script with
> > > for i in 'ls'
> > >
> > > but the i takes values of 'RESULTS' 'OF' 'JAN'. This means that it doesn't
> > > take the full filename as value, but parts of the filenames.
> > >
> > > Can u please suggest an easy way to implement the massive rename?
> >
> > If you want to do it for all files in a directory:
> >
> > # for file in *; do mv "$file" `echo $file | sed -e 's/ /_/g'`; done
> >
> > should do the trick. I think Perl is overkill for something this simple.
> > Someone else suggested tr, which probably works, but I've had more
> > success with sed.
>
> But if you do this, won't the spaces be mistaken for filename separators?
>
> Try this instead - make sure you're using sh, not csh:
>
> ls *\ * | while read OLD ; do
>     NEW=`echo $OLD | tr ' ' _`
>     echo mv -i $OLD $NEW
> done
>
> This works because ls prints them on separate lines. Once you're sure that it
> will do the right thing, take out the echo and run it for real.
>
> If the files are all over the place, you can use find the same way:
>
> find * -name '* *' -type f | while read OLD ; do
>     NEW=`echo $OLD | tr ' ' _`
>     echo mv -i $OLD $NEW
> done
>
> You'll have to fix the directories separately (otherwise find gets lost).

Thank you all for your quick reply. I followed Rob's way and it was fairly easy to do. I had to change a bit something but it worked.

The rename script that I used is:

--cut here--
#!/bin/sh
ls *\ * | while read OLD ; do
    NEW=`echo $OLD | tr ' ' _`
    mv -i "$OLD" $NEW
done
--cut here--

As u notice I had to add the semicolon " " in the $OLD variable because otherwise the mv was complaining. So this was a nice and fast way to do it. Thank you all people for your quick reply!!

BigBrother
---
We are being monitored..but there is a solution...
Use PGP for signing and encrypting emails
Download my public key at http://www.us.pgp.net
Renaming files with spaces in the name to files without spaces..
Sorry for this OT but I am trying for some hours to achieve a massive rename of files using a simple script and I have not had success yet. I want to rename files like

"RESULTS OF JAN 01 2002.txt "

to

"RESULTS_OF_JAN_01_2002.txt"

i.e. all the spaces being substituted by '_', and the last space being completely removed [yes it has a space after the suffix]. I tried to experiment with sed/awk and creating a sample sh script with

for i in 'ls'

but the i takes values of 'RESULTS' 'OF' 'JAN'. This means that it doesn't take the full filename as value, but parts of the filenames.

Can u please suggest an easy way to implement the massive rename?

Thank you very very much in advance
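Added example, not the script from the thread: a Python version of the rename the question asks for, which drops the trailing space after the suffix instead of turning it into '_', supports a dry run, and refuses to overwrite an existing name (the thread's "mv -i" without the prompt). The demo() scratch directory and its file names are constructed for illustration.

```python
import os
import tempfile

def sanitize(name):
    """'RESULTS OF JAN 01 2002.txt ' -> 'RESULTS_OF_JAN_01_2002.txt'
    Trailing spaces are stripped first so they are dropped, not turned into '_'."""
    return name.rstrip(" ").replace(" ", "_")

def plan_renames(names):
    """Return [(old, new)] for the names that change. A target that already
    exists, or that two sources would both map to, is skipped rather than
    overwritten (the thread's 'mv -i' behaviour without the prompt)."""
    taken = set(names)
    plan = []
    for old in names:
        new = sanitize(old)
        if new == old or new in taken:
            continue
        taken.add(new)
        plan.append((old, new))
    return plan

def rename_in(directory, dry_run=True):
    """Apply the plan to one directory; with dry_run only print the mv lines."""
    plan = plan_renames(sorted(os.listdir(directory)))
    for old, new in plan:
        if dry_run:
            print(f"mv -i {old!r} {new!r}")
        else:
            os.rename(os.path.join(directory, old), os.path.join(directory, new))
    return plan

def demo():
    """Constructed scratch directory holding the thread's example name plus a
    collision case; returns (plan, directory listing after renaming)."""
    d = tempfile.mkdtemp()
    for name in ("RESULTS OF JAN 01 2002.txt ", "a b.txt", "a_b.txt"):
        open(os.path.join(d, name), "w").close()
    plan = rename_in(d, dry_run=False)
    return plan, sorted(os.listdir(d))
```

Run rename_in() on a real directory with the default dry_run=True first and read the printed mv lines before switching it off.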
NFS client hang after umount -f
I was transferring a huge file (700 MB) to an nfs mounted disc and I umount -f'd the nfs mounted directory. After this I lost control of that pc (I was remotely administering it). The machine responds to pings and forwards packets as well, but if I try to telnet or ssh to it, I connect to that box but no login prompt appears. I don't have physical access to that box and so I wait for 1 week for someone to go there and reboot it, but I am very curious why this situation happened. Is it normal to happen when u use umount -f on nfs mounted drives??? I am running 4.7-p2 and I don't have any noticeable problems. The gateway machine is a diskless machine with local mounted discs for storing files only.

Thanks in advance!!!
Re: Slow network - ed driver, Realtek 8029
> I'm having a problem with slow transfers to my FreeBSD 4.7-RELEASE box
> using a D-Link 528CT (Realtek 8029 chipset). When I try to upload files
> to this machine from a windowsXP box, I only get about 30KB/s on the
> 10BaseT cat 5 network. This identical machine previously was able to
> receive transfers of 1000KB/s when it was running under windows 98. I'm
> only getting 3% of the windows receive performance.
>
> My best guess is that this is a driver issue. I had possibly similar
> problem with the same card under win98. The issue was if you set the
> driver to full duplex when the card hardware was not setup for full
> duplex (it is capable of full duplex, but you need to tell the hardware
> in some way), the transfer rate would be ridiculously slow. I'm guessing
> this is a similar problem, however, ifconfig shows:

I also have the same problem with this network card. For some strange reason when something is uploaded to the freebsd machine, the speed is very ridiculous [4~5 KBytes/sec] but when I download from it I have > 500KBytes/sec.

How can somebody change the SIMPLEX in the ifconfig? If I change to half duplex, will the speed be better for uploads to the box? And by the way I think SIMPLEX is another word for UNICAST.

I am planning to buy another network card to achieve better performance...

Regards,
BigB
Administering a large number of freebsd machines
(I sent this email to freebsd-security but it never appeared on the list, nor did it return back - very strange for freebsd-security; does freebsd-security have any problem?)

I have a small question. When I was administering one freebsd box things were quite easy. I could easily read the emails that were sent to root, the logcheck reports and the tripwire reports. After administering one box, I was made responsible for other freebsd boxes...The fact is that now the email reports have been multiplied. Also making all the necessary upgrades, monitoring and other everyday things has become very time consuming.

My question is...Is there any useful guide or book on how you can administer efficiently a large number of freebsd boxes in terms of security, upgrades and software deployment? My job is not being a full day system administrator and thus I have to spend as little time as possible administering the boxes.

Thank you very much in advance for any useful tip!
Re: ipfw firewall help
> ipfw add 108 allow tcp from any to xx.250.227.0/22 20,21,25,80,110 via bge0
>
> #Outbound from inside
> ipfw add 109 check-state
> ipfw add 110 allow tcp from xx.250.224.0/22 via bge0 keep-state
> ipfw add 111 allow udp from xx.250.224.0/22 via bge0 keep-state
> ipfw add 112 allow tcp from any to any established setup
> #Machine specific ports
> #Server NEWS 1
> ipfw add 120 allow tcp from any to xx.250.227.2 53 via bge0
> ipfw add 121 allow tcp from any to xx.250.227.3 53 via bge0
> ipfw add 122 allow tcp from any to xx.250.227.4 53 via bge0
> ipfw add 123 allow udp from any to xx.250.227.2 via bge0
> ipfw add 124 allow udp from any to xx.250.227.3 via bge0
> ipfw add 125 allow udp from any to xx.240.227.4 via bge0
> #Deny all after above allows - here we go
> ipfw add 400 deny tcp from any to xx.250.227.0/22 via bge0
> ipfw add 410 deny udp from any to xx.250.227.0/22 via bge0
>
>
> Goal is if we're on any of the 227 subnetted machines and wish to do
> anything on the internet that we be allowed to do so, such as ftp,
> telnet, browse the web, etc.

1) General tip when using firewalls, especially if you are having problems.. ALWAYS log the denied packets, so in ruleset 400 you should put a log statement.

2) When using a firewall always remember that packets are usually two-way packets..which means somebody connects to your port and your port sends a reply. So rule 108 should also include a 'keep-state' option or it should be immediately followed by a

ipfw add 108 allow tcp from xx.250.227.0/22 20,21,25,80,110 to any via bge

3) Your problem is located on a missing rule. You have rules for the 224 subnet but not for the 227 for outgoing... So you should also include a line

ipfw add 113 allow all from xx.250.227.0/22 via bge keep-state

4) Also whatever is not specifically written with 2 rules (one incoming and the other outgoing) should have a keep-state option. For example rule 120 has only the incoming connection to 53. You don't allow the outgoing. So preferably you should i) make two rules for it ii) use a keep-state directive.

Regards,
BigB
STATEFUL IPFW AND NATD (Was: NAT & IPFW)
Nelis wrote

> ...
> inside machines cannot telnet...
>
> #allow all outbound and only inbound TCP connections I've created
> add 0301 divert natd all from any to any via rl0
> add 00302 check-state
> add 00303 allow tcp from any to any established
> add 00304 allow tcp from any to any out setup keep-state
> add 00305 allow tcp from any to 192.x.x.0/24 22,25,53,80,443 setup
> add 00306 allow tcp from 192.x.x.125 to 192.x.x.0/24 161,162 setup
> add 00307 allow tcp from any to 192.168.x.0/27 in recv rl1
> #allow all outbound and only inbound UDP connections I've created
> add 00400 allow udp from 192.x.x.0/24 to any 53,123 keep-state out via rl0
> add 00401 allow udp from any to 192.x.x.0/24 53,123 keep-state in via rl0
> add 00402 allow udp from 192.x.x.0/24 to 192.x.x.125 161,162 keep-state out via rl0
> add 00403 allow udp from 192.x.x.125 to 192.x.x.0/24 161,162 keep-state in via rl0
> add 00404 allow udp from any to 192.168.x.0/27 in recv rl1
> add 00405 allow udp from any to any out
> #allow some icmp types (codes not supported)
> ##allow path-mtu in both directions
> add 00600 allow icmp from any to any icmptypes 3
> ##allow source quench in and out
> add 00601 allow icmp from any to any icmptypes 4
> ##allow me to ping out and receive response back
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> ##allow people to ping me
> add 00604 allow icmp from any to any icmptypes 8 in
> add 00605 allow icmp from any to any icmptypes 0 out
> ##allow me to run traceroute
> add 00606 allow icmp from any to any icmptypes 11 in
> #allow ident requests
> add 00700 allow tcp from any to any 113 keep-state setup
> #deny syn and fin bits used for OS finger printing using nmap
> add 00701 deny log tcp from any to any in tcpflags syn,fin
> #log anything that falls through
> add 09000 deny log ip from any to any

Using stateful IPFW and NATD is a very very tricky thing.

I have invested a lot of effort to try to create a ruleset that combines all these, so perhaps u could use this advice...

In order to use stateful and NATD you should learn what NAT does. Let's say u have an internal net of 192.168.3.1/24 and an external IP of 300.400.500.345 (hypothetically). When an internal machine of 192.168.3.10 tries to establish a telnet connection with the outside, this is what happens when the packet reaches the gw:

1) 192.168.3.10 requests to connect to 216.136.204.117 port 23. Rule 301 makes the request: 300.400.500.345 requests to connect to 216.136.204.117 port 23
2) Packet reinjected to the firewall rules with changed SRC field
3) Rule 304 will allow it so the SYN packet will leave...
4) What about the ACK packet? An ACK is sent back so now a packet has to be checked: 216.136.204.117 port 23 ACK to 300.400.500.345
5) Rule 301 matches...it is the ACK to our internal telnet request...so it's translated to: 216.136.204.117 23 ACK destination 192.168.3.10
6) NO rule allows this...oops, ACK lost, and every response after it.

In order to compensate for this...I give u a part of my own firewall, any comments welcome... You have to put a lot of extra things in ur ruleset...take an example of this:

#!/bin/sh
oip="X"    #external ip of gateway
oif="XXX"  #external if
iif="YYY"  #internal if
iip="ZZZ"  #internal ip of gateway
<...snip...other local variables>

#
###
#
## F I R E W A L L   R U L E S   S T A R T   H E R E
#
###

# Force a flush of the current firewall rules before we reload
$fwcmd -f flush

# Allow the loopback to work
$fwcmd add 100 allow all from any to any via lo0

# Prevent spoofing of your loopback
$fwcmd add 200 deny log all from any to 127.0.0.0/8

# Deny suspicious packets
$fwcmd add 300 deny log tcp from any to any in tcpflags syn,fin

# Deny fragmented packets...they may cause our server to crash...(network buffers exhaustion)
$fwcmd add 301 deny all from any to any frag

#
###
# Stop private networks (RFC1918) from entering the outside interface.
#
$fwcmd add 351 deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add 352 deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add 353 deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add 354 deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add 355 deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add 356 deny log ip from any to 10.0.0.0/8 in via $oif
#
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
#
##
# The following line stops all broadcasts also
#$fwcmd add 350 deny all from 0.0.0.0
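Added example, not FreeBSD's ipfw and not code from either post: a toy first-match packet filter in Python that models just the pieces the two ipfw replies on this page rely on (allow/deny, check-state and keep-state, in/out, setup, and a natd-style divert that rewrites the source of outbound packets and the destination of inbound replies). nat_telnet_walkthrough() replays the six-step telnet exchange above and shows the reply dying after natd untranslates it; dns_reply() replays rule 120 from the earlier "ipfw firewall help" reply with and without keep-state. All addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    direction: str                    # "in" or "out" on the outside interface
    syn: bool = False; ack: bool = False

@dataclass
class Rule:
    num: int; action: str             # allow | deny | check-state | divert
    proto: str = "ip"; src: str = "any"; dst: str = "any"
    dports: tuple = (); direction: str = ""
    setup: bool = False; keep_state: bool = False

def in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule, pkt):
    """Static match of one ipfw-style rule body against a packet."""
    return (rule.proto in ("ip", pkt.proto)
            and in_net(rule.src, pkt.src) and in_net(rule.dst, pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not rule.direction or rule.direction == pkt.direction)
            and (not rule.setup or (pkt.syn and not pkt.ack)))

def flow_key(pkt):
    # Direction-agnostic 5-tuple: a reply matches the state its request created.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

class Natd:
    """same_ports-style translation table: one inside net, one public address."""
    def __init__(self, inside_net, public_ip):
        self.inside, self.public, self.table = inside_net, public_ip, {}

    def translate(self, pkt):
        if pkt.direction == "out" and in_net(self.inside, pkt.src):
            self.table[(self.public, pkt.sport)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, self.public, pkt.sport, pkt.dst, pkt.dport,
                          "out", pkt.syn, pkt.ack)
        if pkt.direction == "in" and (pkt.dst, pkt.dport) in self.table:
            src, sport = self.table[(pkt.dst, pkt.dport)]
            return Packet(pkt.proto, pkt.src, pkt.sport, src, sport, "in", pkt.syn, pkt.ack)
        return pkt

class Firewall:
    def __init__(self, rules, natd=None):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.natd, self.dynamic, self.trace = natd, set(), []

    def process(self, pkt):
        """First-match evaluation; returns (verdict, rule number), trace lists the path."""
        self.trace = []
        for rule in self.rules:
            if rule.action == "check-state":
                if flow_key(pkt) in self.dynamic:
                    self.trace.append(f"{rule.num} dynamic match")
                    return ("allow", rule.num)
                continue
            if not matches(rule, pkt):
                continue
            if rule.action == "divert":          # natd rewrites and reinjects the packet
                pkt = self.natd.translate(pkt)
                self.trace.append(f"{rule.num} divert -> {pkt.src}:{pkt.sport} > {pkt.dst}:{pkt.dport}")
                continue
            if rule.keep_state:
                self.dynamic.add(flow_key(pkt))
            self.trace.append(f"{rule.num} {rule.action}")
            return (rule.action, rule.num)
        return ("deny", 65535)                   # ipfw's implicit default rule

def nat_telnet_walkthrough():
    """Steps 1-6 from the post: the SYN leaves through 304, but the reply is
    untranslated back to 192.168.3.10 before check-state sees it, so the
    dynamic rule (keyed on the public address) never matches."""
    fw = Firewall([Rule(301, "divert"), Rule(302, "check-state"),
                   Rule(304, "allow", "tcp", direction="out", setup=True, keep_state=True),
                   Rule(9000, "deny")], Natd("192.168.3.0/24", "203.0.113.45"))
    syn = Packet("tcp", "192.168.3.10", 1025, "216.136.204.117", 23, "out", syn=True)
    synack = Packet("tcp", "216.136.204.117", 23, "203.0.113.45", 1025, "in", syn=True, ack=True)
    return fw.process(syn), fw.process(synack)

def dns_reply(keep_state):
    """Rules 109/120 from the firewall-help reply: the inbound TCP/53 query is
    allowed, but the name server's answer has no rule of its own unless 120
    keeps state."""
    fw = Firewall([Rule(109, "check-state"),
                   Rule(120, "allow", "tcp", "any", "203.0.113.2", (53,), keep_state=keep_state),
                   Rule(400, "deny", "tcp", "any", "203.0.113.0/22")])
    query = Packet("tcp", "198.51.100.7", 40000, "203.0.113.2", 53, "in", syn=True)
    answer = Packet("tcp", "203.0.113.2", 53, "198.51.100.7", 40000, "out", ack=True)
    return fw.process(query)[0], fw.process(answer)[0]
```

nat_telnet_walkthrough() returns (("allow", 304), ("deny", 9000)); dns_reply(False) returns ("allow", "deny") and dns_reply(True) returns ("allow", "allow"), and Firewall.trace shows which rule handled each packet.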
Stateful IPFW + YP/NIS => Server hang.
SHORT: Stateful IPFW rules combined in a router that is a ypclient may make the box lose connectivity and an irrelevant error "too many dynamic rules" appears in the log even though only <20 dynamic rules may exist.

LONG: I am reporting a strange observation that happened on my network. My P166 router/firewall box runs 4.7-p2. For many years this box was running a STATELESS ipfw firewall and was using another NIS server to have account information (shared passwd file). Some days ago I changed the STATELESS ipfw firewall to stateful IPFW with NATD support also. For the first couple of hours all things were normal. After some time (t>2h) my logs started flooding with messages

NIS SERVER [XXX] for domain "" not responding...

and after this a message

"/kernel: Too many dynamic rules, sorry"

The box at the first occurrence of this message lost all connectivity with the net (internal+external), although INTERNAL rules were stateless rules (e.g. they have no KEEP-STATE). I was barely able to log in to the box from the console and when I did ipfw -d show, only 10 dynamic rules existed... but the messages kept complaining 'too many dynamic rules'. My sysctl variable that defines the #dynamic rules was not changed and it was 1000. ipfw -f flush had no effect on the system. I was forced to reboot the machine as the only solution. This was repeated many times. Finally I removed the ypbind (yp client) from my freebsd box, thus only root could log in (why should normal users log in to the firewall after all). After this all the things were normal again. And my measuring of the number of dynamic rules at different times is < 20. So my network is not overloaded.

Conclusion: For some reason when dynamic rules are used the firewall box queries the yp server for information, but at a very high rate. My NIS server is a slackware linux 166 box running a 2.2 series kernel for 2 years and nobody is touching it, because all things work there nicely. Although this box can handle queries at a small rate, when it is overwhelmed by queries it may delay answering them.

Solution: Don't run a STATEFUL IPFW firewall on a box that acts as a client to a NIS/YP network (especially if the NIS server cannot keep up with too many queries simultaneously).

p.s. And for people that will ask: I still run linux on that box behind the firewall because it has a lot of ext2fs hard discs (180GB) with a lot of data and I cannot convert them to FFS to change the OS to linux.
Performance degradation of moving FFS hdd from a slow to a fast pc.
I have a question about the FFS filesystem. According to a paper about the design of the UFS filesystem [1], if you create the FFS filesystem on a slow cpu and then move it to a fast cpu with a fast controller, then the FFS won't perform efficiently. This is justified because the UFS is created having in mind the speed of the system, in order to create the cylinder group summary information with rotationally optimal blocks [see page 7 of the paper]. If somebody takes the hdd of the slow pc and puts it on a much faster pc, then it is reported that the throughput will drop significantly because of lost disk revolutions.

I would like to know if this is true. Can I move the hdd of my old slow pc [intel 486] to a pentium III 600Mhz machine without performance penalty, or is it better to re-create the filesystem?

Thank you very much...

References:
[1] http://citeseer.nj.nec.com/mckusick84fast.html
Re: UDMA ICRC errors
> What is the best way to resolve these?
>
> ad0s1e: UDMA ICRC error reading fsbn 897759 of 144-159 (ad0s1 bn 897759; cn 55 tn 225 sn 9) retrying
> ad0s1a: UDMA ICRC error reading fsbn 45439 of 22688-22719 (ad0s1 bn 45439; cn 2 tn 211 sn 16) retrying
> ad0s1a: UDMA ICRC error reading fsbn 39391 of 19664-19695 (ad0s1 bn 39391; cn 2 tn 115 sn 16) retrying
> ad0s1a: UDMA ICRC error reading fsbn 39391 of 19664-19695 (ad0s1 bn 39391; cn 2 tn 115 sn 16) retrying
>
> I've tried bringing the system down to single user mode, umounting the
> filesystems and running fsck but it never finds anything wrong. Next I'm
> going to switch out the ide cable, and i'm hoping that is the problem as I'd
> prefer not to have my drive go out.
>
> What else can I do besides running fsck? Are there any other utilities to
> check the disk, maybe something from the ports tree?

I would suggest running badsect(8) so u can mark the sector as bad, unreadable, and thus u can continue accessing ur drive. Of course in badsect you have to put sectors and not fsbn, and I don't know from your error message how u can find the sector number...(can anyone help on this?) Perhaps the sectors for example are 144-159? But I don't know...

Perhaps u should try to find out about the 'fsdb' tool...but it will be a tricky thing..

Any help is appreciated...