Re: pf/ALTQ graphing of queues

2004-10-11 Thread Greg Wooledge
Kenneth Oncinian ([EMAIL PROTECTED]) wrote:

> queue   sap bandwidth 138.24Kb priority 6 cbq( borrow )
>   [ measured: 1.9 packets/s, 14.38Kb/s ]
>  ^^^
> queue  default bandwidth 76.80Kb priority 4 cbq( red borrow default )
>   [ measured: 3.5 packets/s, 2.47Kb/s ]
>  ^^
> What application can create graphs for these measured queues?

I doubt there's anything canned.  But you could write a little script
to parse this output and feed the numbers into rrdtool (see
/usr/ports/net/rrdtool).

-- 
Greg Wooledge  |   Truth belongs to everybody.
[EMAIL PROTECTED]  |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |




Re: How do I change my firewall ports to stealth mode?

2004-10-01 Thread Greg Wooledge
Rod.. Whitworth ([EMAIL PROTECTED]) wrote:
> On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
> > Personally, I prefer not to reveal the usernames behind the client
> > connections I'm making, so I use nullidentd.
> What's better about that than making the flags -Hole on the inetd
> settings for identd?

Well, for one, when I started out on OpenBSD 3.0, there wasn't a -H
flag
http://www.openbsd.org/cgi-bin/man.cgi?query=identd&apropos=0&sektion=0&manpath=OpenBSD+3.0&arch=i386&format=html

I'm not in the habit of re-checking the man pages for every command
with every new release (nor am I subscribed to the CVS commit list),
so I didn't know this feature had been added.

Meanwhile, nullidentd does precisely what I want it to do, so there's
very little reason for me to switch.  New users who are just starting
out, though, may prefer to use the in-tree identd.



Re: More Ident nonsense

2004-09-30 Thread Greg Wooledge
[EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:

> 2) If this port is- and forget critical, how about occasionally
>  necessary for irc is it the case that the legion number of
>  mIRC clients out there, windows code btw, ports auth client
>  functioning?

Most windows IRC clients implement RFC 1413 themselves.  Since end-user
processes basically run with full privileges on Windows, they can do
that (listen on port 113).  Unix IRC clients can't, so a separate ident
daemon is usually employed.

I don't understand what the debate is.  Run ident, or don't.  If you
run an ident daemon, you get to pick which one.  If not, you get to
pick whether you drop packets or send back rejections.

If you just want more examples of MTAs doing ident lookups, I can
point you at tcpserver (which is typically used to run qmail-smtpd).
That does ident lookups *by default* on all connections it accepts.
When new qmail administrators have trouble of the form "my client takes
FOREVER to {send mail,connect to the POP service}", the first thing we
tell them to do is turn off PTR and ident lookups in their tcpserver
commands.



Re: How do I change my firewall ports to stealth mode?

2004-09-28 Thread Greg Wooledge
Volker Kindermann ([EMAIL PROTECTED]) wrote:

> I'm running emailservers for years now and never ran an identd. And my
> clients don't have an identd running either. I don't think that you need this
> for smtp nowadays.

It's never been mandatory for SMTP.  Some IRC servers do require it,
though.

Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd.  It's very simplistic; it
just returns a constant string for all ident requests.  (It doesn't
appear to be in ports; I simply grabbed the source code from
packages.debian.org/nullidentd and built it myself.)

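The two ident messages above (this one and "More Ident nonsense") describe the RFC 1413 exchange and the nullidentd behaviour of answering every query with a constant string. The following is an added example in that spirit, not nullidentd's code and not from the poster: a minimal responder plus the client-side parser an MTA or IRC server would use on the reply. The constant user name "nobody", the 512-byte cap on the request line and the unprivileged test port 1113 are assumptions of this example.

```python
"""Minimal RFC 1413 (ident) responder that, like nullidentd, answers every
query with one constant user name instead of the real owner of the socket.

Assumptions (not from the mailing-list post): the constant string "nobody",
a 512-byte cap on the request line, and the high listening port used for
an unprivileged test run.  Run as root on port 113 to actually serve ident.
"""
import socketserver

CONSTANT_USER = "nobody"    # assumed fixed answer; nullidentd lets you choose it
MAX_REQUEST_BYTES = 512     # assumed cap on how much of a query line we read
PORT_RANGE = range(1, 65536)


def parse_request(line):
    """Parse an ident query '<server-port> , <client-port>'.

    Returns (server_port, client_port) as ints, or None when the line does not
    contain exactly two comma-separated integers (range is checked separately)."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        return tuple(int(p.strip()) for p in parts)
    except ValueError:
        return None


def ident_reply(line, user=CONSTANT_USER):
    """Build the reply line for one query.

    RFC 1413 replies are '<ports> : USERID : <opsys> : <user>' on success and
    '<ports> : ERROR : <type>' on failure.  The user is always the constant,
    so nothing about local accounts is leaked; only malformed or out-of-range
    port pairs get an error.  Echoing '0 , 0' when the pair cannot be parsed
    is a choice of this example, not an RFC requirement."""
    ports = parse_request(line)
    if ports is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = ports
    if sport not in PORT_RANGE or cport not in PORT_RANGE:
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n"
    return f"{sport} , {cport} : USERID : UNIX : {user}\r\n"


def parse_reply(reply):
    """Client side: parse a server reply into (server_port, client_port, kind, value),
    where kind is 'USERID' (value = user id) or 'ERROR' (value = error type).
    Returns None for anything that does not fit the RFC 1413 grammar."""
    fields = [f.strip() for f in reply.strip().split(":", 3)]
    if len(fields) < 3:
        return None
    ports = parse_request(fields[0])
    if ports is None:
        return None
    if fields[1] == "USERID" and len(fields) == 4:
        return (*ports, "USERID", fields[3])
    if fields[1] == "ERROR" and len(fields) == 3:
        return (*ports, "ERROR", fields[2])
    return None


class IdentHandler(socketserver.StreamRequestHandler):
    """One query per connection, then close: the shape most clients expect."""
    timeout = 30  # seconds; a stalled client must not hold a worker forever

    def handle(self):
        raw = self.rfile.readline(MAX_REQUEST_BYTES)
        if not raw:
            return
        self.wfile.write(ident_reply(raw.decode("ascii", "replace")).encode("ascii"))


def serve(host="0.0.0.0", port=1113):
    """Listen and answer until interrupted. Port 113 needs root; 1113 is for testing."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), IdentHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Whether you run something like this or block port 113 outright, the practical point from the thread still applies: a remote MTA or IRC server that does ident lookups waits for a TCP RST or an answer, so a silently dropped SYN costs the connecting client the full lookup timeout.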


Re: pfctl: Cannot allocate memory

2004-03-09 Thread Greg Wooledge
 connects to me from the Internet, and never gets pruned, then
this resembles a denial of service attack. :-/  But I have a hard time
believing I'd be the only person seeing such a problem.



Re: pfctl: Cannot allocate memory

2004-02-04 Thread Greg Wooledge
David Chubb ([EMAIL PROTECTED]) wrote:

> I ran into this with pf under OpenBSD 3.2.
>
> The workaround at the time was to include the -F rules in the command to
> have it flush the current ruleset before loading the new one. Not sure if
> this is a long term fix or not but it worked for me.

That's not a viable long-term fix, because it's precisely what I'm
trying to *avoid* by using the table.  Before I used the table, I'd
just do pfctl -f /etc/pf.conf to re-read the list of banned IP
addresses from pf.conf, but whenever I do this, all of the existing
connections lose their queues and get reassigned to the default queue.
That's bad.

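The reason for using a table in the reply above is that `pfctl -f /etc/pf.conf` reloads the ruleset and existing states lose their queue assignment, while table contents can be changed in the kernel without touching the rules. Below is an added example of that approach, written for this page rather than taken from the poster: it diffs a ban-list file against the live table and applies only the changes with `pfctl -t <table> -T add` and `-T delete`. The table name `banned` (declared in pf.conf as `table <banned> persist`) and the file `/etc/pf.banned` are assumptions of the example.

```python
"""Keep a pf table of banned addresses in step with a text file using
`pfctl -t <table> -T add/delete`, so the ruleset is never reloaded and
existing states keep their queue assignments.

Assumptions (not from the post): the table is called "banned" and is declared
in pf.conf as `table <banned> persist`, and the ban list lives in
/etc/pf.banned, one address or CIDR block per line, '#' comments allowed.
"""
import ipaddress
import subprocess
import sys

TABLE = "banned"             # assumed table name
BAN_FILE = "/etc/pf.banned"  # assumed location of the list


def parse_addresses(lines):
    """Normalise a ban file or `pfctl -T show` output into a set of strings
    in the form pfctl prints them: bare host addresses, CIDR for networks.
    Invalid lines raise ValueError rather than silently dropping a ban."""
    result = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == net.max_prefixlen:
            result.add(str(net.network_address))
        else:
            result.add(str(net))
    return result


def plan_changes(wanted, current):
    """Return (to_add, to_delete) so that applying both turns `current` into `wanted`."""
    return sorted(wanted - current), sorted(current - wanted)


def pfctl_commands(table, to_add, to_delete):
    """argv lists for the kernel-table operations; `-T add` and `-T delete`
    accept several addresses at once, so at most two pfctl runs are needed."""
    commands = []
    if to_add:
        commands.append(["pfctl", "-t", table, "-T", "add", *to_add])
    if to_delete:
        commands.append(["pfctl", "-t", table, "-T", "delete", *to_delete])
    return commands


def current_table(table, run=subprocess.run):
    """Read the live table contents (needs access to /dev/pf, i.e. root)."""
    proc = run(["pfctl", "-t", table, "-T", "show"],
               capture_output=True, text=True, check=True)
    return parse_addresses(proc.stdout.splitlines())


def sync_table(table=TABLE, ban_file=BAN_FILE, run=subprocess.run):
    """Apply the diff and return it, so the caller can log what changed."""
    with open(ban_file) as fh:
        wanted = parse_addresses(fh)
    to_add, to_delete = plan_changes(wanted, current_table(table, run))
    for argv in pfctl_commands(table, to_add, to_delete):
        run(argv, check=True)
    return to_add, to_delete


if __name__ == "__main__":
    added, removed = sync_table()
    print(f"added {len(added)}, removed {len(removed)}", file=sys.stderr)
```

If you do not need a log of the individual changes, `pfctl -t banned -T replace -f /etc/pf.banned` does the same thing in one command; either way the rules, and therefore the queue assignments of existing states, are left alone.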


Re: newbie help

2004-01-03 Thread Greg Wooledge
stan ([EMAIL PROTECTED]) wrote:

> And this is when I started to get puzzled. The next reference is to a
> /etc/nat.conf file. I thought this file was obsoleted with the move from
> ipf to pf. Am I wrong?

No, you're not wrong.  NAT rules go in /etc/pf.conf now.



Re: pf and smtp

2003-12-29 Thread Greg Wooledge
Jay Moore ([EMAIL PROTECTED]) wrote:

> On Mon, Dec 29, 2003 at 03:06:23PM -0700, the entity calling itself Edward A. 
> Gardner stated:
>
> > I don't really understand so-called dynamic DNS, other that what seems self 
> > evident from the name.  But wouldn't that provide a way to get around such 
> > blocking and send mail from dynamic addresses?
>
> I don't understand the term either.

Dynamic DNS service is a one-way (domain name -> IP address) service
to help people with dynamic IP addresses run services.  It uses a
third party DNS server with a very short Time To Live.

Example: Alice wants to run a low-volume web site on her cable modem
which uses DHCP to get a dynamic address.  She signs up with an
imaginary dynamic DNS service called dyno-dns.com (which may or may
not charge her a fee).  She chooses the hostname alicesrestaurant.

Now, she owns the FQDN alicesrestaurant.dyno-dns.com.  It's an A
record in a DNS zone controlled by the registrant of dyno-dns.com, with
a very short TTL (usually on the order of 60 seconds).  When she brings
up her Internet connection (typically at boot time), she gets her
dynamic IP address from her ISP.  Then she runs some program on her
local computer (a perl script, etc.) which transmits her hostname
(alicesrestaurant), her current IP address, and her authentication
credentials to dyno-dns.com.  dyno-dns.com updates their DNS zone file,
and then voila!  Her friends can now reach her web site on her dynamic
IP address just by going to http://alicesrestaurant.dyno-dns.com/.

This is a one-way service, because typically she will have no control over
the PTR record for her address (the IP -> name translation).  So, looking
up alicesrestaurant.dyno-dns.com will reveal an IP address, but looking
up that same IP address will give unpredictable results (either no PTR
record at all, or something like host-1-2-3-4.la.ca.big-cable-isp.com).

This really has nothing to do with spam, AFAIK.

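The "one-way" property described above is exactly what a forward-confirmed reverse DNS (FCrDNS) check exposes: the forward name is under Alice's control, the PTR is the ISP's. The following added example, not from the post, implements the two checks a receiving MTA or IRC server commonly applies and runs them against a constructed zone modelled on the message's scenario. The host names, the documentation-range addresses and the "mail.example.net" counter-example are all made up for the demonstration; the system-resolver functions are only used when the script is run directly.

```python
"""Forward-confirmed reverse DNS (FCrDNS) checks of the kind an MTA or IRC
server applies, illustrating why a dynamic-DNS host name is "one-way": its
forward record is under the user's control but the PTR is the ISP's.

Added example, not from the post.  The zone data below is constructed: the
names and the documentation-range addresses are made up, and the real
resolvers are only used when the module is run directly.
"""
import socket


def system_ptr(ip):
    """PTR lookup via the system resolver; [] when there is no reverse record."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []


def system_a(name):
    """Address lookup via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def forward_confirmed(ip, lookup_ptr=system_ptr, lookup_a=system_a):
    """Generic FCrDNS: does at least one PTR name of `ip` resolve back to `ip`?

    Returns ("confirmed", name), ("no-ptr", None) or ("mismatch", first_ptr)."""
    ptr_names = lookup_ptr(ip)
    if not ptr_names:
        return "no-ptr", None
    for name in ptr_names:
        if ip in lookup_a(name):
            return "confirmed", name
    return "mismatch", ptr_names[0]


def name_consistent(name, lookup_ptr=system_ptr, lookup_a=system_a):
    """Stricter check a receiver may apply to a claimed host name (HELO, the
    name an IRC client presents): every address the name resolves to must
    carry a PTR that names it back.  A dynamic-DNS name fails this even
    though the ISP's own generic name passes forward_confirmed()."""
    addresses = lookup_a(name)
    if not addresses:
        return False
    want = name.lower().rstrip(".")
    return all(want in {n.lower().rstrip(".") for n in lookup_ptr(ip)}
               for ip in addresses)


# Constructed zone data for an offline demonstration (all names and addresses made up).
DEMO_A = {
    "alicesrestaurant.dyno-dns.com": ["198.51.100.7"],              # Alice's dynamic name
    "host-198-51-100-7.la.ca.big-cable-isp.com": ["198.51.100.7"],  # ISP's generic name
    "mail.example.net": ["192.0.2.25"],                              # properly set-up mail host
}
DEMO_PTR = {
    "198.51.100.7": ["host-198-51-100-7.la.ca.big-cable-isp.com"],  # Alice cannot change this
    "192.0.2.25": ["mail.example.net"],
    "198.51.100.8": ["mail.example.net"],   # PTR claims a name that does not point back
}


def demo_lookup(table):
    """Wrap a dict as a resolver function with the same shape as system_a/system_ptr."""
    return lambda key: list(table.get(key.lower().rstrip("."), []))


if __name__ == "__main__":
    ptr, a = demo_lookup(DEMO_PTR), demo_lookup(DEMO_A)
    for ip in ("198.51.100.7", "192.0.2.25", "198.51.100.8", "203.0.113.9"):
        print(ip, forward_confirmed(ip, ptr, a))
    for host in ("alicesrestaurant.dyno-dns.com", "mail.example.net"):
        print(host, name_consistent(host, ptr, a))
```

Note that Alice's address passes the generic check (the ISP's generic PTR does point back), so a policy that rejects on FCrDNS failure alone does not catch dynamic-DNS senders; it is the name they claim that cannot be confirmed.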


Re: pfstat per port?

2003-10-18 Thread Greg Wooledge
Kenny Gryp ([EMAIL PROTECTED]) wrote:

> You can use tcpstat to create vmstat like statistics. Then you can
> create graphics from the tcpstat files with gnuplot. tcpstat allows
> tcpdump-like filters so you can specify ports, IPs 

Once you have the raw data, you can also use rrdtool to maintain a
round robin database of the information, and to produce graphs of
it over specified time intervals.  rrdtool is in /usr/ports/net/rrdtool .

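Both this reply and the "pf/ALTQ graphing of queues" reply at the top of the page suggest a small script that parses pf's per-queue statistics and feeds them into rrdtool. The following is an added example of that script, written for this page and not taken from either poster: it parses the `pfctl -v -v -s queue` listing, creates one round robin database per queue and pushes the measured rates into it. Assumptions of the example: pfctl's K/M/G suffixes are powers of 1000, the RRD files are named `pfqueue_<queue>.rrd` in the working directory, the polling step is 60 seconds, and the SAMPLE text is constructed from the figures quoted in the first thread plus a made-up root queue on an interface `ne3`.

```python
"""Parse `pfctl -v -v -s queue` output and feed the measured per-queue rates
into rrdtool, the "little script" both posts suggest.

Added example, not from the posts.  Assumptions: pfctl's K/M/G suffixes are
powers of 1000 (as pfctl prints them), one RRD file per queue named
pfqueue_<queue>.rrd in the working directory, and a 60-second polling step.
The SAMPLE text is constructed from the figures quoted in the thread plus a
made-up root queue on interface ne3.
"""
import os
import re
import subprocess
import time

STEP = 60  # assumed polling interval in seconds (run from cron every minute)
UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

QUEUE_RE = re.compile(r"^\s*queue\s+(\S+)\s+bandwidth\s+([\d.]+)([KMG]?)b\b")
MEASURED_RE = re.compile(
    r"^\s*\[\s*measured:\s*([\d.]+)\s*packets/s,\s*([\d.]+)\s*([KMG]?)b/s\s*\]")

SAMPLE = """\
queue root_ne3 bandwidth 256Kb priority 0 cbq( wrr root ) {sap, default}
  [ measured:     0.0 packets/s, 0 b/s ]
queue   sap bandwidth 138.24Kb priority 6 cbq( borrow )
  [ measured:     1.9 packets/s, 14.38Kb/s ]
queue  default bandwidth 76.80Kb priority 4 cbq( red borrow default )
  [ measured:     3.5 packets/s, 2.47Kb/s ]
"""


def to_bps(number, suffix):
    """'14.38', 'K' -> 14380 bits per second (integer)."""
    return round(float(number) * UNIT[suffix])


def parse_queue_stats(text):
    """Map queue name -> {'limit_bps', 'pps', 'bps'} from pfctl's verbose listing.

    A 'queue ...' line names the queue and its configured bandwidth; the
    following '[ measured: ... ]' line carries the observed rates.  Queues
    with no measured line (pfctl run without -v -v) are reported with None."""
    stats, current = {}, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"limit_bps": to_bps(m.group(2), m.group(3)),
                              "pps": None, "bps": None}
            continue
        m = MEASURED_RE.match(line)
        if m and current is not None:
            stats[current]["pps"] = float(m.group(1))
            stats[current]["bps"] = to_bps(m.group(2), m.group(3))
    return stats


def rrd_path(queue):
    """One RRD per queue; anything outside [A-Za-z0-9_-] in the name is replaced."""
    return "pfqueue_%s.rrd" % re.sub(r"[^\w-]", "_", queue)


def rrd_create_args(path, step=STEP):
    """rrdtool create: two GAUGE data sources (the measured values are already
    rates), a day of per-step samples and a month of hourly averages and maxima."""
    heartbeat = 2 * step
    return ["rrdtool", "create", path, "--step", str(step),
            f"DS:pps:GAUGE:{heartbeat}:0:U", f"DS:bps:GAUGE:{heartbeat}:0:U",
            f"RRA:AVERAGE:0.5:1:{86400 // step}",
            f"RRA:AVERAGE:0.5:{3600 // step}:720", f"RRA:MAX:0.5:{3600 // step}:720"]


def rrd_update_args(path, sample, ts=None):
    """rrdtool update with an explicit timestamp (default: now)."""
    stamp = int(time.time()) if ts is None else ts
    return ["rrdtool", "update", path, f"{stamp}:{sample['pps']}:{sample['bps']}"]


def poll_once(run=subprocess.run):
    """Read the live queues and push every one with measurements into its RRD."""
    out = run(["pfctl", "-v", "-v", "-s", "queue"],
              capture_output=True, text=True, check=True).stdout
    for name, sample in parse_queue_stats(out).items():
        if sample["bps"] is None:
            continue
        path = rrd_path(name)
        if not os.path.exists(path):
            run(rrd_create_args(path), check=True)
        run(rrd_update_args(path, sample), check=True)


if __name__ == "__main__":
    poll_once()
```

Run it from cron once a minute (it needs to read /dev/pf, so as root or via doas/sudo) and graph with `rrdtool graph`; the `limit_bps` value parsed from the queue line is handy as a horizontal rule on the graph to show how close each queue runs to its configured bandwidth.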


Re: Anyone know what happend to this site

2003-07-13 Thread Greg Wooledge
Elijah Savage ([EMAIL PROTECTED]) wrote:

> http://www.devguide.net
>
> Seemed to have been off the net for a few days now, and I ordered the
> book from there and have not heard anything about my order.

I got e-mail on the 9th of July saying that mine has been shipped.
Of course, it hasn't arrived yet.
