IPSEC Site-to-Site not routing packages
Dear fellow OpenBSD friends.

I'm setting up 2 FW's that should form a VPN tunnel securing the net behind each FW - simple:

    NET x -> FW x -> WAN -> FW y -> NET y

I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled.

On FW x

# cat /etc/ipsec.conf
ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk "lotsofFishs4meAndyou"

# netstat -rn
Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
10.20/16        0     10.21.35/24     0     0      212.37.141.59/esp/use/in
10.21.35/24     0     10.20/16        0     0      212.37.141.59/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

On FW y

# cat /etc/ipsec.conf
ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk "lotsofFishs4meAndyou"

# netstat -rn
Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
10.21.35/24     0     10.20/16        0     0      212.37.141.60/esp/use/in
10.20/16        0     10.21.35/24     0     0      212.37.141.60/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type use
flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

Of course on both machines net.inet.ip.forwarding=1

Pinging from a host on NET x:

Request timeout for icmp_seq 1402
36 bytes from 10.21.35.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 736e 0 40 01 cfa4 10.21.35.100 10.20.0.10

The gateway clearly answers that it can't route the packet!?

Pinging directly from FWx to FWy WORKS !!! ???

# ping -I 10.21.35.1 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms

Dump while ping:

# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)
13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)

Routing is the problem ? What is the cause ? It looks like each FW doesn't permit routing packets from LAN hosts.

Thanks for your help

Regards
Morten Bech Christensen
Re: smartphones and managing openbsd servers
Kevin Chadwick [ma1l1i...@yahoo.co.uk] wrote:
>
> I'm very careful with what I let the almost constantly full of exploits
> phone have access to (a network being as strong as its weakest link).
>

There were rumors in the last 20 years of firmware being loaded on phones to provide an anonymous, remote tap point for and by various sophisticated individuals. Now Google brings it to everyone, no sophistication required :)
Re: smartphones and managing openbsd servers
On Wed, 22 Feb 2012 10:23:33 +0100 Raimo Niskanen wrote:

> Sorry, sftp,

When I looked, I couldn't find an open source sftp for Android but andftp works well.

I'm very careful with what I let the almost constantly full of exploits phone have access to (a network being as strong as its weakest link).

For routine daily changes to a web page's price whilst out, I use a dedicated empty chroot that the server then picks up files from, checking them before use.

--
Kc
Re: Ospfd : choose between 2 default routes
On Wed, Feb 22, 2012 at 05:05:28PM +0100, Mathieu BLANC wrote:
> Hello !
>
> I have an OSPF setup with 4 routers :
>
> INTERNET
> ||
> C1 C2
> ||
> O1 O2
> ||
> NE1 NE2
>
> C1 and C2 are Cisco Routers, O1 and O2 OpenBSD.
> OSPF is used between C1/C2/O1/O2
> NE1 is the network managed by O1, NE2 the network managed by O2.
>
> C1 and C2 distribute a default route to O1/O2 (same metric)
>
> Is there a way, in ospfd, to say to O1 : "C1 is your preferred default
> route" and to O2 : "C2 is your preferred default route" ?
>
> The link between O1---C2 (and O2---C1) is a very slow line and should be
> used just as backup.
>
> If I use different metrics on C1/C2, I think O1 and O2 will use the same
> router (and by the way one of them will use the slow link). Maybe I have
> missed something ?
>

If C1, C2, O1 and O2 share the same L2 network then you're out of luck. For OSPF an L2 network has no metric -- only the uplinks into the L2 network have a metric but that does not matter in your case.

There are some more or less evil ways to work around this. IMO the cleanest would be to make sure that the slow link between the systems shows up as a different network (e.g. by using VLANs). Then it is possible to introduce higher metrics for this link.

--
:wq Claudio
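What Claudio's suggestion looks like in ospfd.conf(5) on O1, as an added example and not a configuration from the thread: the fast link to C1 stays on em0 at the default cost, while the slow link to C2 is carved out onto a VLAN interface (vlan20 here, assumed to be configured already) so that OSPF sees it as a separate network and the interface can carry a much higher cost. Interface names, the router-id and the metric values are assumptions; the thread gives none.

```conf
# /etc/ospfd.conf on O1 (added example; names and values are assumptions)
#
# Before: C1, C2 and the slow line all behind one interface on one L2
# segment. There is no interface to attach a cost to, so both default
# routes arrive with equal cost and the slow line is as good as the fast one.
#
# After: the slow line is on its own VLAN, so it gets its own interface
# block and its own cost.

router-id 192.0.2.1

area 0.0.0.0 {
        # fast link to C1: default cost, this is the preferred way out
        interface em0 {
                metric 10
        }

        # slow backup link to C2 on its own VLAN; the high cost keeps the
        # default route learned via C2 out of the best path unless em0 fails
        interface vlan20 {
                metric 1000
        }

        # NE1 behind O1: announce the network, form no adjacencies there
        interface em1 {
                passive
        }
}
```

O2 gets the mirror image (its fast interface towards C2 at metric 10, its VLAN towards C1 at metric 1000); the cost to reach each default route is the sum of the interface costs along the way, so each OpenBSD box prefers its own Cisco and falls back to the other only when the fast link is gone.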
Ospfd : choose between 2 default routes
Hello !

I have an OSPF setup with 4 routers :

INTERNET
||
C1 C2
||
O1 O2
||
NE1 NE2

C1 and C2 are Cisco Routers, O1 and O2 OpenBSD.
OSPF is used between C1/C2/O1/O2
NE1 is the network managed by O1, NE2 the network managed by O2.

C1 and C2 distribute a default route to O1/O2 (same metric)

Is there a way, in ospfd, to say to O1 : "C1 is your preferred default route" and to O2 : "C2 is your preferred default route" ?

The link between O1---C2 (and O2---C1) is a very slow line and should be used just as backup.

If I use different metrics on C1/C2, I think O1 and O2 will use the same router (and by the way one of them will use the slow link). Maybe I have missed something ?

Thank you in advance !

--
Mathieu
Re: How to deal with DDoS ?
On 2/22/12 12:39 AM, Roger S. wrote:
> On Tue, Feb 21, 2012 at 9:51 PM, Joachim Schipper wrote:
>> Just the most obvious idea, since you mention that this sort-of-works if
>> you put "block drop in quick from !": does it handle
>> this load if you turn off pf, or only include one or two trivial rules?

Hi,

I don't know nothing about nothing but someone once said as I was struggling with a Snort and country block setup, "why don't you put them on different machines?" As I am sure you have thought about this, can you reduce the volume of attacks with a different machine so your pf machine can handle the rest?

Mehma
USB connection strangeness
On this (almost) current/i386, strange things sometimes happen when plugging things into USB ports.

The machine has 10 USB ports: 8 in the back, 2 in the front. At the back, 5 ports are occupied with: keyboard, mouse, disk, disk, printer.

Now, *sometimes* when I plug a sixth thing into a back port (say, another disk), the keyboard and mouse become unresponsive. The disks that were there before continue to work OK. The machine can be ssh'd remotely and everything seems to run OK. When I unplug-and-plug again the keyboard, it becomes responsive again. It happened a few times in X. It never happened on a tty.

When I plug anything into any of the front USB ports, the machine reboots immediately.

Is there something to be suspicious of on the OpenBSD side, or is this solely a hardware problem? Could it make a difference what is plugged where (into which usbX on which uhubY)?

Jan

OpenBSD 5.1-beta (GENERIC.MP) #167: Sat Jan 21 00:49:25 MST 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,LAHF
real mem = 2145837056 (2046MB)
avail mem = 2100617216 (2003MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/16/07, BIOS32 rev. 0 @ 0xfb3f0, SMBIOS rev. 2.4 @ 0xf0100 (40 entries)
bios0: vendor Award Software International, Inc. version "F10" date 11/16/2007
bios0: Gigabyte Technology Co., Ltd. P35-DS3
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP HPET MCFG APIC SSDT SSDT
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) HUB0(S5) UAR1(S1) USB0(S1) USB1(S1) USB2(S1) USB3(S1) US31(S1) USB4(S1) USB5(S1) USBE(S1) USE2(S1) AZAL(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 333MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz ("GenuineIntel" 686-class) 2.67 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,LAHF
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PEX0)
acpiprt2 at acpi0: bus -1 (PEX1)
acpiprt3 at acpi0: bus -1 (PEX2)
acpiprt4 at acpi0: bus 3 (PEX3)
acpiprt5 at acpi0: bus 4 (PEX4)
acpiprt6 at acpi0: bus -1 (PEX5)
acpiprt7 at acpi0: bus 5 (HUB0)
acpicpu0 at acpi0: FVS, 2667, 2000 MHz
acpicpu1 at acpi0: FVS, 2667, 2000 MHz
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xce00 0xd/0x1e00! 0xd2000/0x3000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82G33 Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82G33 PCIE" rev 0x02: apic 2 int 16
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA GeForce 8600 GT" rev 0xa1
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 2 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 2 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: apic 2 int 18
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 2 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801I HD Audio" rev 0x02: msi
azalia0: codecs: Realtek ALC885
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: apic 2 int 16
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 3 "Intel 82801I PCIE" rev 0x02: apic 2 int 19
pci3 at ppb2 bus 3
jmb0 at pci3 dev 0 function 0 "JMicron JMB363 IDE/SATA" rev 0x02
ahci0 at jmb0: apic 2 int 19, AHCI 1.0
scsibus0 at ahci0: 32 targets
jmb1 at pci3 dev 0 function 1 "JMicron JMB363 IDE/SATA" rev 0x02
pciide0 at jmb1: DMA, channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using apic 2 int 16 for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
ppb3 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: apic 2 int 16
pci4 at ppb3 bus 4
re0 at pci4 dev 0 function 0 "Realtek 8168" rev 0x01: RTL8168 2 (0x3800), apic 2 int 16, address 00:1d:7d:a9:a0:48
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
uhci3 at pci0 dev 29 function 0 "Intel
Re: smartphones and managing openbsd servers
> I just downloaded PaderSync SSH Trial and I think I will buy the
> full version.

I got it before it was a paid app whilst still in testing. It seems very good and handles large keys well enough. The only objection I've got is the menus and dialogs can be a bit wordy but it does seem to work fine.

> It has a semi transparent keyboard with easy
> access to Ctrl, Alt, etc keys (in contrast to ConnectBot)
> and works in landscape mode giving larger characters.

BlackBerrys have a physical keyboard so we've got to use the transparent onscreen kb just for bits like control and alt keys (emacs is fun on a BB)

> keyboard, ...). It also claims to do scp...

yeah sftp telnet and maybe smb. an nfs client would be grand.
Asus Eee PC R101 Netbook
Does someone have experience with OpenBSD and the above laptop? Does OpenBSD run there and support all devices (Wlan, Ethernet, etc)?

Thanks in advance for any hint!

Rodrigo
Re: How to deal with DDoS ?
My followup mail was just about bufcachepercent.

Auto-sizing socket buffers is pointless on a firewall. Even if it were useful, if you are running into resource starvation you want to *DECREASE* resource use not increase it.

"aggressive" sets tcp.first to 30s. 2M SYNs per second * 30s = 60M states; Roger said that 5M states is too much for the box.

On 2012/02/22 13:11, Hassan Monfared wrote:
> 1- auto-sizing in obsd5.0 is for tcp not udp.
> 2- I think setting option to aggressive will help.
>
>
> On 2/22/12, Stuart Henderson wrote:
> > On 2012-02-22, Stuart Henderson wrote:
> >> On 2012-02-21, Hassan Monfared wrote:
> >>> Hi,
> >>> have you tried to set some tuning options in pf.conf & sysctl.conf ?
> >>> eg:
> >>> for sysctl.conf:
> >>> net.inet.ip.ifq.maxlen=512     # Maximum allowed input queue length
> >>> (256*number of physical interfaces)
> >>> kern.bufcachepercent=90        # Allow the kernel to use up to 90% of the
> >>> RAM for cache (default 10%)
> >>> net.inet.udp.recvspace=131072  # Increase based on your memory
> >>> net.inet.udp.sendspace=131072  # Increase based on your memory
> >>> ddb.panic=0                    # do not enter ddb console on kernel
> >>> panic,
> >>> reboot if possible , this reduces headache
> >>
> >> These have nothing to do with state overflow
> >
> >> (except raising bufcachepercent will leave less space for states..)
> >
> > it was pointed out offlist that this may be incorrect, the theory is
> > that it should shrink when you need the space; that said it won't help
> > anyway and if for some reason it doesn't shrink you'll have problems.
Re: How to deal with DDoS ?
On 2012-02-22, Stuart Henderson wrote:
> On 2012-02-21, Hassan Monfared wrote:
>> Hi,
>> have you tried to set some tuning options in pf.conf & sysctl.conf ?
>> eg:
>> for sysctl.conf:
>> net.inet.ip.ifq.maxlen=512     # Maximum allowed input queue length
>> (256*number of physical interfaces)
>> kern.bufcachepercent=90        # Allow the kernel to use up to 90% of the
>> RAM for cache (default 10%)
>> net.inet.udp.recvspace=131072  # Increase based on your memory
>> net.inet.udp.sendspace=131072  # Increase based on your memory
>> ddb.panic=0                    # do not enter ddb console on kernel panic,
>> reboot if possible , this reduces headache
>
> These have nothing to do with state overflow
> (except raising bufcachepercent will leave less space for states..)

it was pointed out offlist that this may be incorrect, the theory is that it should shrink when you need the space; that said it won't help anyway and if for some reason it doesn't shrink you'll have problems.
Re: smartphones and managing openbsd servers
On Wed, Feb 22, 2012 at 10:09:51AM +0100, Raimo Niskanen wrote:
: > > I just downloaded PaderSync SSH Trial and I think I will buy the
: > keyboard, ...). It also claims to do scp...

Sorry, sftp, not scp.

> > / Raimo
:
--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: smartphones and managing openbsd servers
I have used ConnectBot occasionally on an Xperia Neo. The screen is very small and ConnectBot works best in portrait mode making the characters even smaller. But it works.

I just downloaded PaderSync SSH Trial and I think I will buy the full version. It has a semi transparent keyboard with easy access to Ctrl, Alt, etc keys (in contrast to ConnectBot) and works in landscape mode giving larger characters. So it feels a few notches more usable than ConnectBot (after 5 minutes of using, on a small screen, without hardware keyboard, ...). It also claims to do scp...

/ Raimo

On Mon, Feb 20, 2012 at 06:21:01PM -0600, Nick Templeton wrote:
> I use ConnectBot to SSH into servers on my Google/Samsung Nexus S 4G
> running CyanogenMod with the Hacker's Keyboard. It works great in a
> pinch, but I wouldn't want to spend all day using it to admin a
> server.
>
> -Nick
>
> On Sat, Feb 18, 2012 at 5:06 PM, Marcos Ariel Laufer
> wrote:
> > Hello list,
> > This might not be OpenBSD specific, but maybe users can share their
> > experiences with smartphones and managing OpenBSD servers.
> > So far, my smartphone has been a very useful tool to manage my OpenBSD
> > servers. Currently I am using a Palm Treo 680 with some lousy ssh
> > application to access my servers, it is useful, but this is getting pretty
> > ancient, doesn't have wifi for example, and I would like that feature on a
> > smartphone. I also love the touch screen.
> > What newer smartphones do you recommend for using also as a tool for
> > managing OpenBSD servers (maybe windogs too) ? What experiences have you had
> > with smartphones and OpenBSD managing?
> >
> > Best regards,
> > Marcos

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: an idea to implement in bgpd/bgpctl
* Gregory Edigarov [2012-02-22 09:08]:
> How about having something like "explain " command for bgpctl?
> If given it should pass the prefix through the bgp path selection
> algorithm showing WHY this or another path was selected.
> I mean one can always follow the 13 steps in the mind, but I would
> prefer having that done by machine.
>
> What do you think?

I'd look at the diff

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: How to deal with DDoS ?
can people please stop suggesting to push random buttons they don't understand? this is a prime example.

* Hassan Monfared [2012-02-22 00:22]:
> Hi,
> have you tried to set some tuning options in pf.conf & sysctl.conf ?
> eg:
> for sysctl.conf:
> net.inet.ip.ifq.maxlen=512     # Maximum allowed input queue length
> (256*number of physical interfaces)

that rule of thumb is at least inaccurate. i'm pretty certain i explained the details before and am getting tired of repeating myself over and over.

> kern.bufcachepercent=90        # Allow the kernel to use up to 90% of the
> RAM for cache (default 10%)

that is entirely useless on a firewall.

> net.inet.udp.recvspace=131072  # Increase based on your memory
> net.inet.udp.sendspace=131072  # Increase based on your memory

that is a) obsoleted by the autosizing b) entirely useless for not locally terminated connections anyway

I gave the OP some input in private mail which I don't think belongs in public. There is no one-size-fits-all recipe for dealing with DDoS. And I certainly don't want to teach people how to make better DDoS attacks.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: How to deal with DDoS ?
On Tue, Feb 21, 2012 at 9:51 PM, Joachim Schipper wrote:
> Just the most obvious idea, since you mention that this sort-of-works if
> you put "block drop in quick from !": does it handle
> this load if you turn off pf, or only include one or two trivial rules?

Did not try to turn off pf (I need it anyway), and my pf.conf is very simple and already optimized following the good book of pf and some undeadly posts.

> It certainly suggests that you may be well-served by optimizing your
> pf.conf... (also, you've probably found the "synproxy" directive? If
> not, try that too.)

I already use synproxy, the problem is that I get so much SYN that pf/state table collapses.

> Also, state tracking is apparently faster than stateless pf for normal
> firewalls. I'd double-check if this is still true in your case, though;
> if nothing else, stateless pf makes a CARP'ed setup easier.

I am not sure to understand here. I want to use synproxy to protect my backend servers, so I need state tracking.

> I'm pretty sure you can muck with the rules without dropping existing
> connections. (pf essentially does "does this packet match a known state?
> If not, look at pf.conf".) This is almost certainly easier than your
> proposed daemon.

Sure thing, the daemon is only a workaround to provide degraded but working service when under attack.

> A final, rather hackish, idea that probably does need a bit of
> programming: greylisting for SYNs. Legitimate users will send you a
> second SYN, so you could do something like (this has not even been
> syntax-checked!)
> block drop log in quick from ! no state flags S/SA

I like the idea. This may need some programming indeed, but it seems even better than my idea. Thanks, I'll take a look at this.

> and then add every logged IP to syn_seen. Obviously, this will slow down
> access to the service for legitimate users, which may or may not be
> acceptable.

We are speaking of a slower but working service, or no service at all. I prefer the first alternative :)
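The "bit of programming" Joachim's SYN greylisting needs, as an added example that is not code from the thread: a POSIX sh filter that pulls the source addresses out of pflog output for the logged first-SYN rule and emits the pfctl(8) commands that add them to the syn_seen table, so the host's second SYN passes. The table name syn_seen is the one the thread uses; the pf.conf sketch in the comments, the em0 interface, the tcpdump line format and the sample log lines are my assumptions and constructed data.

```sh
#!/bin/sh
# Added example: feed the addresses logged by a "first SYN" block rule into
# the <syn_seen> table so that a host's retransmitted SYN is let through.
# The pf.conf side this assumes (my reading of the idea in the thread, with
# the table name the thread uses; not tested on the poster's box):
#
#   table <syn_seen> persist
#   block drop log in quick on em0 proto tcp from !<syn_seen> \
#       flags S/SA no state
#   pass in on em0 proto tcp from <syn_seen> to port 80 synproxy state
#
# Logged packets are read in the form "tcpdump -n -e -ttt -l -i pflog0"
# prints them.

# Constructed sample of pflog output (not captured from a real firewall):
# two SYNs from one host, one from another, and a passed packet that the
# filter must ignore.
SAMPLE_LOG='Feb 22 13:52:24.297384 rule 3/(match) block in on em0: 203.0.113.7.51234 > 198.51.100.10.80: S 1:1(0) win 65535
Feb 22 13:52:24.301120 rule 3/(match) block in on em0: 203.0.113.7.51234 > 198.51.100.10.80: S 1:1(0) win 65535
Feb 22 13:52:24.310552 rule 3/(match) block in on em0: 198.51.100.200.4242 > 198.51.100.10.443: S 9:9(0) win 8192
Feb 22 13:52:24.320000 rule 5/(match) pass in on em0: 192.0.2.9.60000 > 198.51.100.10.80: S 5:5(0) win 65535'

# syn_sources: read pflog lines on stdin and print the source IPv4 address
# of every blocked inbound packet once, in first-seen order. awk's
# "!seen[$0]++" de-duplicates without waiting for EOF, so the function also
# works on a live tcpdump pipe.
syn_sources() {
    sed -n 's/^.* block in on [^:]*: \([0-9.]*\)\.[0-9]* > .*$/\1/p' |
        awk '!seen[$0]++'
}

# syn_seen_commands: turn those addresses into pfctl(8) invocations. They
# are printed rather than executed so the output can be reviewed first;
# pipe into sh on the firewall to apply them.
syn_seen_commands() {
    syn_sources | while IFS= read -r ip; do
        printf 'pfctl -t syn_seen -T add %s\n' "$ip"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | syn_seen_commands
```

On a live box the same filter sits behind the pflog reader: tcpdump -n -e -ttt -l -i pflog0 | syn_seen_commands | sh; whatever expires or flushes the table (pfctl -t syn_seen -T flush from cron, for instance) is up to the operator and is not shown here.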
Re: How to deal with DDoS ?
On 2012-02-21, Hassan Monfared wrote:
> Hi,
> have you tried to set some tuning options in pf.conf & sysctl.conf ?
> eg:
> for sysctl.conf:
> net.inet.ip.ifq.maxlen=512     # Maximum allowed input queue length
> (256*number of physical interfaces)
> kern.bufcachepercent=90        # Allow the kernel to use up to 90% of the
> RAM for cache (default 10%)
> net.inet.udp.recvspace=131072  # Increase based on your memory
> net.inet.udp.sendspace=131072  # Increase based on your memory
> ddb.panic=0                    # do not enter ddb console on kernel panic,
> reboot if possible , this reduces headache

These have nothing to do with state overflow (except raising bufcachepercent will leave less space for states..)

> for pf.conf :
> set optimization aggressive

May possibly help (or you can set state limits per-rule; *very* tight ones might be appropriate for the attack traffic).
Re: How to deal with DDoS ?
On Wednesday, 22 February 2012, 08:36:49, Jan Stary wrote:
> > $ sysctl net.inet.udp.{recvspace,sendspace}
> > net.inet.udp.recvspace=131072
> > net.inet.udp.sendspace=131072
>
> I don't think it's gonna help with handling a DDOS, anyway.

Especially not in this particular case. He drops UDP anyway and reportedly fights a SYN flood attack.
Re: 5.0 Stable (amd64) build appears broken.
On 2012-02-21, Duncan Patton a Campbell wrote:
> read and weep. i did. when you do a cd install, it puts
> src (sys), and xenocara in /usr. that "primes" the src/sys
> tree. if you then _move_ those trees out of the way entirely,
> and do a cvs checkout of the whole tree, well that's what *I* saw
> anyways.

"primes"? it just creates empty directories.

I think this is a permissions problem. I saw a similar problem building a release (i.e. root needs to write to compile/) on NFS without -maproot.
an idea to implement in bgpd/bgpctl
Hello misc@,

How about having something like "explain " command for bgpctl? If given it should pass the prefix through the bgp path selection algorithm showing WHY this or another path was selected.
I mean one can always follow the 13 steps in the mind, but I would prefer having that done by machine.

What do you think?

--
With best regards,
Gregory Edigarov