[leaf-user] Re: [leaf-devel] Fw: Re:bering 1.2 and ebtables

2004-05-03 Thread Erich Titl
Hi  Nicolas



At 08:40 03.05.2004 -0400, nicolas bussieres wrote:
>I compiled Bering 1.2 from leaf.sourceforge.net (latest), added the packages
>bridge.lrp and ebtables.lrp, but when I run ebtables I get the famous
>"kernel doesn't support the ebtables filter table", but here the changelogs say
>it's patched ... help ???
>
>I've modified the install to make it work on a flashcard ... could that have
>anything to do with it ?

Unlikely. Did you load the respective kernel modules? 

HTH
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16




---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id66&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Routing Question

2004-05-03 Thread Rob Asher
At 10:23 AM 05/01/04, Ray Olszewski wrote:


>At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:
>>Forgive my ignorance, but I have what seems to be a very simple question.  I
>>have a wireless card that I'm still attempting to set up, and while I think I
>>have the link issues corrected, I do have some questions about the routing
>>itself.
>>
>>My configuration is as follows:
>>
>>eth0 : internet/dhcp
>>eth1 : wired local network 192.168.1.254
>>eth2 : wireless network (current IP 10.10.55.254 - can be configured
>>differently)
>>
>>What I want to do is to set up an open wireless gateway that will allow
>>anyone in the area to use the wireless connection, but only after
>>registering.  Basically I want to forward any requests to a site on my
>>bering box that says something like, hey, it's free, just tell me who you are
>>and I'll add you; after that they would be able to get through.
>>
>>Has anyone configured this type of setup?  Is there anything I should be
>>paying attention to?  One thing that is important is that I don't want the
>>eth2 traffic to be able to get to my local wired LAN, on eth1.
>
>The "old hand" Linux application for approximately this purpose is called
>NoCat; find it at NoCat.net . A Google search ("wifi public access linux")
>just now found a custom distro called PublicIP (http://www.publicip.net/)
>that builds on NoCat.
>
>My hunch (based partly on some work I did about 2 years ago on a similar
>idea, but one involving charging usage fees) is that the required
>infrastructure is a bit large for LEAF, particularly the parts needed for
>reliable user authentication. But I haven't actually tried anything like
>this in quite some time, so I may be unaware of newer solutions to some of
>the problems.
If you have a Prism2+ based card, the HostAP - http://hostap.epitest.fi/ 
driver has worked great for me on Bering-uClibc 2.1 as an access 
point.  There are a lot of other things that can be done with this card and 
driver that might be what you're looking for.  While not based off 
LEAF/Bering, you might look into some alternative options like Pebble - 
http://www.nycwireless.net/pebble/   or hack this modified version of 
Pebble that runs off hard disk to suit your needs - 
http://www.burngreave.net/~aland/it/bcan/ .  The stock Pebble includes 
NoCat and from the sound of what you're wanting, I'd agree that it might be 
exactly what you're looking for.  And yet more info for options with the 
HostAP driver if that is the card that you have - 
http://trekweb.com/~jasonb/articles/hostap_20030727.shtml .

HTH,
Rob 

--
Outgoing mail is certified Virus Free.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.240 / Virus Database: 262.9.13 - Release Date: 05/02/04




[leaf-user] Re:bering 1.2 and ebtables

2004-05-03 Thread Erich Titl
Hi Nicolas

this is really a leaf-user issue, so others can profit



At 09:22 03.05.2004 -0400, you wrote:
>I've loaded bridge.o, that's all (and ebtables.lrp, of course)

What about the ebtables kernel modules?

ebtables.o, ebt???.o

HTH
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






[leaf-user] Re: Re:bering 1.2 and ebtables

2004-05-03 Thread nicolas bussieres

OK, I added ebtables.o, no problem on that part, but I still get "kernel
doesn't support the ebtables filter table"

Linux firewall 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586 unknown

   | Nicolas Bussieres
  _| Altaspectra
 °v°   | 2014 Jean-Talon Nord
/(_)\  | Tel. 1 (418)527-8217
 ^ ^   | [EMAIL PROTECTED]







[leaf-user] Re: Re:bering 1.2 and ebtables

2004-05-03 Thread nicolas bussieres
OK, I loaded all the ebt modules, and now I get another message

For IP filtering the protocol must be specified as IPv4


   | Nicolas Bussieres
  _| Altaspectra
 °v°   | 2014 Jean-Talon Nord
/(_)\  | Tel. 1 (418)527-8217
 ^ ^   | [EMAIL PROTECTED]







Re: [leaf-user] Re: Re:bering 1.2 and ebtables

2004-05-03 Thread Erich Titl
Nicolas

At 10:16 03.05.2004 -0400, nicolas bussieres wrote:

>OK, I added ebtables.o, no problem on that part, but I still get "kernel
>doesn't support the ebtables filter table"

Look into modules.dep; there are many ebt* modules which you may have to load, like 

ebt_802_3.o  ebt_arpreply.o  ebt_limit.o  ebt_mark_m.o  ebt_snat.o  ebtable_broute.o  ebtables.o
ebt_among.o  ebt_dnat.o  ebt_log.o  ebt_pkttype.o  ebt_stp.o  ebtable_filter.o
ebt_arp.o  ebt_ip.o  ebt_mark.o  ebt_redirect.o  ebt_vlan.o  ebtable_nat.o

It all depends on your requirements.

cheers
Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16






Re: [leaf-user] Re: Re:bering 1.2 and ebtables

2004-05-03 Thread nicolas bussieres
OK :P
Sorry about that last one :)

ebtables -A FORWARD --ip-proto 1 -j DROP # 1 is ICMP
So ebtables can't block ICMP on LRP ... or I don't have the module loaded :P


   | Nicolas Bussieres
  _| Altaspectra
 °v°   | 2014 Jean-Talon Nord
/(_)\  | Tel. 1 (418)527-8217
 ^ ^   | [EMAIL PROTECTED]







[leaf-user] Re: Re:bering 1.2 and ebtables

2004-05-03 Thread Erich Titl
Nicolas

At 10:39 03.05.2004 -0400, nicolas bussieres wrote:
>OK, I loaded all the ebt modules, and now I get another message
>
>For IP filtering the protocol must be specified as IPv4


OK, it gets specific, now I guess you will have to revert to 

http://ebtables.sourceforge.net/documentation.html

cheers

Erich

THINK 
Püntenstrasse 39 
8143 Stallikon 
mailto:[EMAIL PROTECTED] 
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
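Two things the ebtables part of this thread turns on: Erich's point that the ebt* modules the rule needs have to be loaded in dependency order (readable from modules.dep), and the last error message, which ebtables emits because --ip-proto belongs to the ip match, which only inspects IPv4 frames, so the rule has to select them with -p IPv4 first. The following is an added example, not code from the thread, from LEAF or from the ebtables project: it resolves the load order for an --ip-proto filter from a constructed 2.4-style modules.dep and builds the corrected rule; the module paths and dependency lines are constructed for the example.

```python
"""Resolve which ebt* modules an ebtables rule needs from a 2.4-style
modules.dep and build the rule with the IPv4 protocol match the error
message asks for. The modules.dep text is constructed for this example;
the real file lives under /lib/modules/<version>/modules.dep."""
import re

# Constructed sample in the 2.4 format: "<module>: <dep> <dep> ..." with
# backslash-continued lines. Paths follow the kernel tree layout.
SAMPLE_MODULES_DEP = r"""
/lib/modules/2.4.20/kernel/net/bridge/bridge.o:
/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebtables.o: \
	/lib/modules/2.4.20/kernel/net/bridge/bridge.o
/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebtable_filter.o: \
	/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebtables.o
/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebt_ip.o: \
	/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebtables.o
/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebt_log.o: \
	/lib/modules/2.4.20/kernel/net/bridge/netfilter/ebtables.o
"""

# Numeric --ip-proto values mapped to the protocol names ebtables also
# accepts (from /etc/protocols); unknown numbers are passed through.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _module_name(path):
    """'/lib/modules/.../ebt_ip.o' -> 'ebt_ip'."""
    base = path.strip().rsplit("/", 1)[-1]
    return base[:-2] if base.endswith(".o") else base


def parse_modules_dep(text):
    """Return {module: [direct dependencies]} from modules.dep text."""
    folded = re.sub(r"\\\n\s*", " ", text)  # join continuation lines
    deps = {}
    for line in folded.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        target, rest = line.split(":", 1)
        deps[_module_name(target)] = [_module_name(p) for p in rest.split()]
    return deps


def modules_for_rule(table, matches):
    """Kernel modules a rule touches: the table module plus one ebt_<name>
    module per match/target extension it uses (ebt_ip for --ip-proto)."""
    return [f"ebtable_{table}"] + [f"ebt_{m}" for m in matches]


def load_order(deps, wanted):
    """Dependencies before dependants, each module once. This is the order
    for insmod or /etc/modules; modprobe would resolve it by itself.
    Unknown modules and dependency cycles raise instead of guessing."""
    order = []

    def visit(mod, chain):
        if mod in order:
            return
        if mod not in deps:
            raise KeyError(f"{mod} is not in modules.dep")
        if mod in chain:
            raise ValueError("dependency cycle: " + " -> ".join(chain + [mod]))
        for dep in deps[mod]:
            visit(dep, chain + [mod])
        order.append(mod)

    for mod in wanted:
        visit(mod, [])
    return order


def build_rule(chain, ip_proto, target="DROP", table="filter"):
    """The FORWARD rule from the thread with the fix its error asks for:
    --ip-proto belongs to the 'ip' match, which only inspects IPv4 frames,
    so the rule must select those frames with '-p IPv4' first."""
    proto = IP_PROTO_NAMES.get(ip_proto, str(ip_proto))
    return (f"ebtables -t {table} -A {chain} -p IPv4 "
            f"--ip-proto {proto} -j {target}")


def plan(modules_dep_text, chain, ip_proto):
    """Module load order plus the corrected rule for an --ip-proto filter."""
    deps = parse_modules_dep(modules_dep_text)
    order = load_order(deps, modules_for_rule("filter", ["ip"]))
    return [f"insmod {m}" for m in order] + [build_rule(chain, ip_proto)]


if __name__ == "__main__":
    for step in plan(SAMPLE_MODULES_DEP, "FORWARD", 1):
        print(step)
```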






[leaf-user] Bering uClibc

2004-05-03 Thread Godfried Duodu
I have been using Bering 1.2 and tried to upgrade to uClibc on a
floppy.
Everything was ok except that whenever I tried to backup a package
after making config changes, the floppy became unbootable. I tried this
on 3 floppies and each time the floppy would reboot. Bering 1.2 did not
do that.
Any explanation on what is going on?  Thanks.




Re: [leaf-user] Bering uClibc

2004-05-03 Thread K.-P. Kirchdörfer
Am Montag, 3. Mai 2004 20:25 schrieb Godfried Duodu:
> I have been using Bering 1.2 and tried to upgrade to uClibc on a
> floppy.
> Everything was ok except that whenever I tried to backup a package
> after making config changes, the floppy became unbootable. I tried this
> on 3 floppies and each time the floppy would reboot. Bering 1.2 did not
> do that.

Bering-uClibc does not do that :)

Maybe you should be more precise about what you are doing.

You may start with Bering-uClibc 2.1.1 dd'ed to a plain floppy.
See if it boots
Make a small change and save it
Try to reboot - let us know if you run into problems and esp. the error 
message.

thx kp 




[leaf-user] ulogd.lrp package and mysql plugin for Bering

2004-05-03 Thread AdStar
Hi all,

I posted the below to the ulogd mailing lists some time ago, but the list
seems to be dead (not a lot of activity on it for some time now).
I was hoping someone here might be able to help me out. I'm running Bering
as my firewall.
All I want to be able to do is log my firewall traffic to a mysql db via
ulogd
Cheers
Ad

Background:
I wish to statically link ulogd and mainly the MYSQL plugin. I wish to
update the ulogd package on my leaf (linux router) box.
So I grabbed the MYSQL source (4.0.18) and compiled it with the following
CFLAGS="-O3 -mcpu=pentiumpro" CXX=gcc CXXFLAGS="-O3 -mcpu=pentiumpro \
-felide-constructors -fno-exceptions -fno-rtti" ./configure \
--without-server \
--prefix=/usr/local/mysql \
--enable-assembler \
--with-client-ldflags=-all-static

I then updated /etc/ld.so.conf with
/usr/local/mysql/lib/mysql
ldconfig -v

/usr/local/mysql/lib/mysql:
libmysqlclient.so.12 -> libmysqlclient.so.12.0.0


unpacked ulogd-1.02
I have edited Rules.make.in to change the config location etc
ULOGD_CONFIGFILE=/etc/ulogd.conf
and the mysql location
MYSQL_CFLAGS=-I/usr/local/mysql/include
./configure --with-mysql
make
make install

I test this first and all works perfectly (well I assume it does ulogd loads
without any errors, because this is a VirtualPC I didn't bother to check if
it is ACTUALLY logging to mysql just yet.)
[EMAIL PROTECTED] sbin]# ulogd
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `raw'
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `oob'
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `ip'
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `tcp'
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `icmp'
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `udp'
Thu Apr 29 22:56:00 2004 <3> ulogd.c:300 registering interpreter `ahesp'
Thu Apr 29 22:56:00 2004 <1> ulogd_MYSQL.c:218 allocating 4304 bytes for
statement
Thu Apr 29 22:56:00 2004 <1> ulogd_MYSQL.c:242 stmt='insert into ulog
(ahesp_spi,icmp_fragmtu,icmp_gateway,icmp_echoseq,icmp_echoid,icmp_code,icmp
_type,udp_len,udp_dport,udp_sport,tcp_fin,tcp_syn,tcp_rst,tcp_psh,tcp_ack,tc
p_urgp,tcp_urg,tcp_window,tcp_ackseq,tcp_seq,tcp_dport,tcp_sport,ip_fragoff,
ip_id,ip_csum,ip_ihl,ip_totlen,ip_ttl,ip_tos,ip_protocol,ip_daddr,ip_saddr,o
ob_out,oob_in,oob_mark,oob_prefix,oob_time_usec,oob_time_sec,raw_mac) values
('
Thu Apr 29 22:56:00 2004 <5> ulogd.c:355 registering output `mysql'
Thu Apr 29 22:56:00 2004 <5> ulogd.c:355 registering output `syslogemu'

Now because my leaf router is your "run of the mill" LRP box
(leaf.sourceforge.net) I figured I need to link ulogd + plugins statically.
Because I'm not too savvy with linux I just edited the Rules.make.in and
changed
LD=ld
to
LD=ld -static

Then a ./configure --with-mysql
make clean
make
make install

But when I fire up ulogd I get the following
[EMAIL PROTECTED] sbin]# ulogd
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `raw'
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `oob'
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `ip'
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `tcp'
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `icmp'
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `udp'
Thu Apr 29 23:12:43 2004 <3> ulogd.c:300 registering interpreter `ahesp'
Thu Apr 29 23:12:43 2004 <7> ulogd.c:460 load_plugins:
'/usr/local/lib/ulogd/ulogd_MYSQL.so': /usr/local/lib/ulogd/ulogd_MYSQL.so:
undefined symbol: mysql_real_escape_string
Thu Apr 29 23:12:43 2004 <5> ulogd.c:355 registering output `syslogemu'
Thu Apr 29 23:12:43 2004 <7> ulogd.c:460 load_plugins:
'/usr/local/lib/ulogd/ulogd_MYSQL.so': /usr/local/lib/ulogd/ulogd_MYSQL.so:
undefined symbol: mysql_real_escape_string

I'm not sure what/where to go from here.
The box is a RH9 box
[EMAIL PROTECTED] sbin]# uname -a
Linux blah 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] sbin]# gcc --version
gcc (GCC) 3.2.2 20030222 (Red Hat Linux 3.2.2-5)
[EMAIL PROTECTED] bin]# ./mysqladmin --version
./mysqladmin  Ver 8.40 Distrib 4.0.18, for pc-linux on i686

I'm not sure what other information I need to include.




RE: [leaf-user] Re: LEAF article

2004-05-03 Thread Peter Mueller
> Applied to "all Linux servers", 20 Mbps is not even a 
> plausible "rule of 
> thumb". I routinely see 60 Mbps on big (multi-gigabyte) LAN-to-LAN 
> transfers (ftp, scp, and samba) between pairs of Linux 
> servers (equipment 
> varies, but typically either a 1 GHz P3 or a 1.7 GHz Celeron, usually 
> cheap, "flavor-of-the-week" tulip NICs).

The 'rule of thumb' algorithm I was using is 5 megahertz = 1 megabit/sec.
Of course, once you top ~60-80mbps you start talking about interrupts and
64-bit slots and such.  Let's not really get into firewall rules.  Or what
happens to iptables when there are too many rules :)

>  a T-1 has a top speed of 1.544 Mbps, making it hard 
> for me to 
> understand how a connection over it could test the throughput 
> limit of a 10 Mbps NIC, let alone a 100 Mbps NIC.

I was testing if a 100mhz machine could handle a T1 with 3DES encryption.
It could, even with "compress=yes" set :).  Unencrypted it got around 20mbps
over the LAN.  Sorry for not being more specific.

Cheers,

P




RE: [leaf-user] Re: LEAF article

2004-05-03 Thread Peter Mueller
Hello Michelle,

> Am 2004-05-03 14:51:10, schrieb Peter Mueller:
> 
> >With good NICs (eepro100 etc.) and not too many iptables 
> rules you will max
> >around 20mbit/sec.  A good rule of thumb is 5 cycles per 
> megabit.  This
> >limit actually applies to all Linux servers, not just leaf.
> >
> >P
> 
> Are you sure ?
> 
> I run a HP Vectra XA 5/200mmx with 32 MB and have 4 x 3Com 
> 3C905B and 2 x 3c509B. 
> 
> I have one USB-Modem connected to the USB-Port and two other 
> Ethernet-Modem-Router to the two 3c509B. 
> 
> The 10MBit Nics are for my publicnet, privatenet, securenet and 
> wavenet (Proxim Tsunami MP.11a).
> 
> I can transfer without any problem around 5 MByte/Second between 
> the publicnet (ftp/web-server) and the privatenet (workstation)
> 
> My old Router (LRP 2.9.4) had done around 30 MBits on a 486dx4/100
> with 5 nics 3c509B
> 
> So I think you can have really more on a P1/100

It's a rule of thumb, not a book of law :-).  I did some testing for a T1
IPSEC gateway and had my results confirmed by the FreeSWAN performance guide
(http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/performance.html).
It is only my result from one machine, but it was confirmed by a fairly
popular project so I still feel confident that it is reasonable.

The bottom line is it depends on your PCI bus, network drivers, and
especially your network cards.  Also, firewall rules can play a part here.
I must admit I'm surprised to hear a 486 - admittedly one of the faster ones
- was able to get above 20mbit/s with ISA (3c509b) cards! Maybe there is
some truth to 3com cards using less CPU.  I have always preferred eepro100's
but maybe that was premature..

Cheers,

P




[leaf-user] Re: LEAF article

2004-05-03 Thread Michelle Konzack
Am 2004-05-03 14:51:10, schrieb Peter Mueller:

>With good NICs (eepro100 etc.) and not too many iptables rules you will max
>around 20mbit/sec.  A good rule of thumb is 5 cycles per megabit.  This
>limit actually applies to all Linux servers, not just leaf.
>
>P

Are you sure ?

I run a HP Vectra XA 5/200mmx with 32 MB and have 4 x 3Com 
3C905B and 2 x 3c509B. 

I have one USB-Modem connected to the USB-Port and two other 
Ethernet-Modem-Router to the two 3c509B. 

The 10MBit Nics are for my publicnet, privatenet, securenet and 
wavenet (Proxim Tsunami MP.11a).

I can transfer without any problem around 5 MByte/Second between 
the publicnet (ftp/web-server) and the privatenet (workstation)

My old Router (LRP 2.9.4) had done around 30 MBits on a 486dx4/100
with 5 nics 3c509B

So I think you can have really more on a P1/100

Greetings
Michelle




RE: [leaf-user] LEAF article

2004-05-03 Thread Peter Mueller
> 1. What sort of throughput, for instance, could LEAF-Bering 
> theoretically
> provide on a Pentium 100 system with edo ram and with 10/100 
> nics, cables,
> and switch, assuming that all other systems connected have 
> unlimited speed?

With good NICs (eepro100 etc.) and not too many iptables rules you will max
around 20mbit/sec.  A good rule of thumb is 5 cycles per megabit.  This
limit actually applies to all Linux servers, not just leaf.

P




RE: [leaf-user] Re: LEAF article

2004-05-03 Thread Ray Olszewski
At 04:40 PM 5/3/2004 -0700, Peter Mueller wrote:
> Hello Michelle,
>
> > Am 2004-05-03 14:51:10, schrieb Peter Mueller:
> >
> > >With good NICs (eepro100 etc.) and not too many iptables
> > rules you will max
> > >around 20mbit/sec.  A good rule of thumb is 5 cycles per
> > megabit.  This
> > >limit actually applies to all Linux servers, not just leaf.
> > >
> > >P
> >
> > Are you sure ?
> >
> > I run a HP Vectra XA 5/200mmx with 32 MB and have 4 x 3Com
> > 3C905B and 2 x 3c509B.
> >
> > I have one USB-Modem connected to the USB-Port and two other
> > Ethernet-Modem-Router to the two 3c509B.
> >
> > The 10MBit Nics are for my publicnet, privatenet, securenet and
> > wavenet (Proxim Tsunami MP.11a).
> >
> > I can transfer without any problem around 5 MByte/Second between
> > the publicnet (ftp/web-server) and the privatenet (workstation)
> >
> > My old Router (LRP 2.9.4) had done around 30 MBits on a 486dx4/100
> > with 5 nics 3c509B
> >
> > So I think you can have really more on a P1/100
>
> It's a rule of thumb, not a book of law :-).  I did some testing for a T1
> IPSEC gateway and had my results confirmed by the FreeSWAN performance guide
> (http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/performance.html).
> It is only my result from one machine, but it was confirmed by a fairly
> popular project so I still feel confident that it is reasonable.
>
> The bottom line is it depends on your PCI bus, network drivers, and
> especially your network cards.  Also, firewall rules can play a part here.
> I must admit I'm surprised to hear a 486 - admittedly one of the faster ones
> - was able to get above 20mbit/s with ISA (3c509b) cards! Maybe there is
> some truth to 3com cards using less CPU.  I have always preferred eepro100's
> but maybe that was premature..
My own router (DMZ to LAN) experience is closer to Michelle's than to 
Peter's. That's with an old, 166 MHz Pentium, a 2.4.x kernel, a bespoke 
ruleset (not Shorewall or any of the less popular stock alternatives), and 
no encryption.

But the more important thing to note is that the two of you are probably 
looking at quite different configurations. Michelle's setups almost surely 
use simpler rulesets than Peter's, and the added load of IPSec in Peter's 
case will also slow throughput ... by a lot if the advice from the IPSec 
site he cites is to be believed.

Applied to "all Linux servers", 20 Mbps is not even a plausible "rule of 
thumb". I routinely see 60 Mbps on big (multi-gigabyte) LAN-to-LAN 
transfers (ftp, scp, and samba) between pairs of Linux servers (equipment 
varies, but typically either a 1 GHz P3 or a 1.7 GHz Celeron, usually 
cheap, "flavor-of-the-week" tulip NICs).

A couple of other details ...

both my memory and 3Com's Website say that the 3c509b NIC is a 10 
Mbps NIC. So I suspect a typo in Michelle's report that she got 30 Mbps 
throughput using them ... unless she meant the combined throughput of the 4 
in her LRP router. Similarly, the "5 Mbyte" (40 Mbps) transfer she reports 
between two nets using 3c509bs is a bit hard to understand.

a T-1 has a top speed of 1.544 Mbps, making it hard for me to 
understand how a connection over it could test the throughput limit of a 10 
Mbps NIC, let alone a 100 Mbps NIC.







Re: [leaf-user] Name resolution (dnscache?) difficulty, on the firewall only - RESOLVED

2004-05-03 Thread freeman
Victor: I'm replying back to the list because I have a couple of 
ancillary questions, and to share my successful experience ... Perhaps 
you intended your reply to go to the list, but the bummer reality is 
that the default reply is to the sender, not to the list :(

Per below, Victor suggested:
   - I rename my eth1 & eth2 to be eth0 & eth1, respectively (since I 
have no eth0 otherwise);
   - I change my resolv.conf from:
   search lan
   nameserver  127.0.0.1
   to instead be:
   nameserver 127.0.0.1
   nameserver 192.168.1.254

I figured that the eth0/1/2 naming _shouldn't_ matter (and would 
require my changing the shorewall setup), so I just made the resolv.conf 
change and voila! we have a fix.

So once again thank you to the list, and in particular to Victor!

My piddly questions are these:
   - shouldn't having 127.0.0.1 in resolv.conf permit the fw itself to 
resolve from itself no differently than adding in 192.168.0.254 (addy of 
the fw's private-network interface?) The way I see it: 127.0.0.1 = the 
fw, and 192.168.0.254 = the fw, mais non?
   - do I care that I don't have a 'search lan' line in my resolv.conf? 
What does this do? I read up via 'man resolv.conf' but it didn't make 
much sense to me: perhaps because I don't quite understand what a 
"domain search path" is.

Again, thanks to the list and to the LEAF developers. LEAF absolutely 
ROCKS! I'm going to be setting up a LEAF box at our office because our 
Linksys model:BEFSX41 is wonky. Newest firmware but IPSec is 
problematic, exposed ports are sometimes un-connectable, etc.

scott; canada

Victor McAllister wrote:

> freeman wrote:
>
>> I'm running Bering 1.2
>>
>> My ISP up and died on me so I'm getting by, having reconfigged my 
>> LEAF box to use the ppp (serial modem) package, instead of the 
>> pppoe/ppp package. As a consequence I have removed eth0 and now have 
>> ppp0 as the internet interface. eth1 = private LAN, eth2 = DMZ. I get 
>> assigned a dynamic IP address on ppp0, via the modem's dialing-in.
>>
>> With this changed setup the problem is that I can resolve DNS names 
>> when asked to do so by PCs that are on the private LAN and for the 
>> machine on the DMZ, too (e.g. ping www.yahoo.com resolves and pings 
>> fine). However I get the following msg if I try to do the same ping 
>> from the firewall itself:
>>    ping: www.yahoo.com: Host name lookup failure
>>
>> I've read the dnscache docs and searched this leaf-user list for any 
>> hints but found none that have panned out.
>>
>> I had previously mentioned that I was playing with having a second 
>> copy of dnscache running (called dnscach2). I have removed that 
>> reference from lrpkg.cfg so that should not be an issue. As well, 
>> shorewall makes no complaints (i.e. log entries) about port 53 
>> traffic, nor ICMP packets.
>>
>> Does anyone have any ideas? I fear that I've exhausted the 
>> documentation that's available (dnscache homepage, LEAF docs, google 
>> ...).
>>
>> Thanks for any help that might come my way.
>>
>> scott; canada
>>
>> Here's some config info that might shed some light:
>> grep -v "^#" /etc/network/interfaces
>>
>> auto lo
>> iface lo inet loopback
>> auto ppp0
>> iface ppp0 inet ppp
>>    provider provider
>> auto eth1
>> iface eth1 inet static
>>    address 192.168.0.254
>>    masklen 24
>>    broadcast 192.168.0.255
>
> when I do a dial-in LEAF box - I change this to eth0
>
>> auto eth2
>> iface eth2 inet static
>>    address 10.0.0.254
>>    masklen 24
>>    broadcast 10.0.0.255
>
> and this to eth1
>
> I then make sure the dnscache is listening on eth0 and eth1
> did you put in a YES for dnscache forwarding - when you use a modem 
> you should use forwarding and the ISP's DNS servers.
>
>> grep -v "^#" /etc/resolv.conf
>>
>> search lan
>> nameserver  127.0.0.1
>
> should say - otherwise the router has nowhere to look up names itself 
> - although the clients do.
> nameserver 127.0.0.1
> nameserver 192.168.1.254
>
>> grep -v "^#" /etc/networks
>>
>> localnet 127.0.0.0
>>
>> grep 53 /etc/shorewall/rules | grep -v "^#"
>>
>> ACCEPT  dmz fw  udp 53
>> ACCEPT  fw  net tcp 53
>> ACCEPT  fw  net udp 53
>> ACCEPT  loc fw  udp 53
>>
>> grep -v "^#" /etc/dnscache/env/IP
>>
>> 192.168.0.254
>> grep -v "^#" /etc/dnscache/env/IPQUERY
>>
>> 192.168.0
>> 127.0.0.1
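Scott's two closing questions have a concrete answer in the config he posted: dnscache binds only to the address in env/IP (192.168.0.254, the eth1 address), so a nameserver entry of 127.0.0.1 sends queries to a port on which nothing listens, and the search line only governs how short names are expanded before lookup. The following added example (not code from the thread, from LEAF or from djbdns) checks a resolv.conf against env/IP and shows the search-list expansion; the config texts and the set of firewall addresses are constructed from the values quoted above.

```python
"""Check which resolv.conf nameservers dnscache can actually answer, and
show how the 'search' list expands a short name. The config texts are
constructed from the values quoted in the thread."""

# Constructed from the thread: resolv.conf before and after the fix, and
# dnscache's env/IP, the one address the daemon binds to.
RESOLV_CONF_BEFORE = "search lan\nnameserver  127.0.0.1\n"
RESOLV_CONF_AFTER = "nameserver 127.0.0.1\nnameserver 192.168.0.254\n"
DNSCACHE_ENV_IP = "192.168.0.254\n"
# Addresses that belong to the firewall itself (lo, eth1, eth2 above).
FIREWALL_ADDRESSES = {"127.0.0.1", "192.168.0.254", "10.0.0.254"}


def parse_resolv_conf(text):
    """Return (nameservers, search_list). 'domain' and 'search' exclude
    each other in resolv.conf; the last one seen wins."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "search":
            search = list(args)
        elif key == "domain" and args:
            search = [args[0]]
    return nameservers, search


def classify_nameservers(resolv_text, env_ip_text, host_addresses):
    """Map each nameserver to how a query from this host fares:
    'listening'  dnscache is bound there (env/IP) and will answer;
    'not bound'  an address of this host with no listener, so the query
                 times out (127.0.0.1 in the thread, because env/IP holds
                 the eth1 address only);
    'remote'     another host; the fw->net udp/tcp 53 rules must allow it."""
    nameservers, _ = parse_resolv_conf(resolv_text)
    bound = set(env_ip_text.split())
    result = {}
    for ns in nameservers:
        if ns in bound:
            result[ns] = "listening"
        elif ns in host_addresses:
            result[ns] = "not bound"
        else:
            result[ns] = "remote"
    return result


def resolution_works(resolv_text, env_ip_text, host_addresses):
    """True if at least one nameserver can answer. The resolver tries the
    entries in order and moves on after a timeout, so a dead entry listed
    first means slow lookups rather than failed ones."""
    states = classify_nameservers(resolv_text, env_ip_text, host_addresses)
    return any(s in ("listening", "remote") for s in states.values())


def candidate_names(name, search, ndots=1):
    """The names the resolver tries for `name`, in order, following the
    glibc rules: a trailing dot means absolute (no expansion); a name with
    at least `ndots` dots is tried as given first, then with each search
    suffix; a shorter name gets the suffixes first and the bare name last."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


if __name__ == "__main__":
    for conf in (RESOLV_CONF_BEFORE, RESOLV_CONF_AFTER):
        print(classify_nameservers(conf, DNSCACHE_ENV_IP, FIREWALL_ADDRESSES),
              resolution_works(conf, DNSCACHE_ENV_IP, FIREWALL_ADDRESSES))
    print(candidate_names("www", parse_resolv_conf(RESOLV_CONF_BEFORE)[1]))
```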


