Re: pf/ALTQ graphing of queues
Kenneth Oncinian ([EMAIL PROTECTED]) wrote:

> queue sap bandwidth 138.24Kb priority 6 cbq( borrow )
>   [ measured: 1.9 packets/s, 14.38Kb/s ]
>                               ^^^
> queue default bandwidth 76.80Kb priority 4 cbq( red borrow default )
>   [ measured: 3.5 packets/s, 2.47Kb/s ]
>                               ^^
>
> What application can create graphs for this measure queues?

I doubt there's anything canned. But you could write a little script to
parse this output and feed the numbers into rrdtool (see
/usr/ports/net/rrdtool).

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
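The "little script" suggested in the reply above, written out as an added example (it is not code from the thread or from the rrdtool project). It parses the `pfctl -vsq` queue listing the question quotes and turns each queue's measured rate into the argv of an `rrdtool update` call. The sample output embedded below is constructed: the two queue lines reuse the figures from the question, and the root queue and the pkts/qlength lines are made up to resemble real output so the parser has something to skip. File names (`queue_<name>.rrd`), the 60 s step and the one-week archive are assumptions; `rrdtool create` and `rrdtool update` are real commands with the argument shapes shown.

```python
import re
from decimal import Decimal

# Constructed sample of `pfctl -vsq` output (not captured from a real host).
# The "queue sap"/"queue default" figures copy the message; the rest is filler.
SAMPLE_PFCTL_OUTPUT = """\
queue root_fxp0 bandwidth 256Kb priority 0 cbq( wrr root ) {sap, default}
  [ pkts:      12345  bytes:    6789012  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     5.4 packets/s, 16.85Kb/s ]
queue sap bandwidth 138.24Kb priority 6 cbq( borrow )
  [ pkts:       8000  bytes:    5000000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      3  suspends:      0 ]
  [ measured:     1.9 packets/s, 14.38Kb/s ]
queue default bandwidth 76.80Kb priority 4 cbq( red borrow default )
  [ pkts:       4345  bytes:    1789012  dropped pkts:      2 bytes:    120 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     3.5 packets/s, 2.47Kb/s ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+bandwidth\s+(\S+)")
MEASURED_RE = re.compile(
    r"^\s*\[\s*measured:\s*([\d.]+)\s*packets/s,\s*([\d.]+)([KMG]?)b/s\s*\]")
# pf prints decimal rate units: 1Kb = 1000 bit/s.
UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_queue_stats(text):
    """Return {queue_name: (packets_per_second, bits_per_second)}.

    A "[ measured: ... ]" line is attributed to the most recent "queue" line;
    the other bracketed statistics lines are skipped.
    """
    stats = {}
    current = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MEASURED_RE.match(line)
        if m and current is not None:
            pps = float(m.group(1))
            # Decimal keeps 14.38 * 1000 at exactly 14380 instead of 14379.999...
            bps = float(Decimal(m.group(2)) * UNIT[m.group(3)])
            stats[current] = (pps, bps)
            current = None
    return stats


def rrd_create_args(queue, step=60):
    """argv for `rrdtool create`: two GAUGE data sources, one week of 1-minute samples."""
    return ["create", f"queue_{queue}.rrd", "--step", str(step),
            f"DS:pps:GAUGE:{2 * step}:0:U", f"DS:bps:GAUGE:{2 * step}:0:U",
            "RRA:AVERAGE:0.5:1:10080"]


def rrd_update_args(queue, pps, bps, timestamp="N"):
    """argv for `rrdtool update`; the timestamp "N" means 'now' to rrdtool."""
    return ["update", f"queue_{queue}.rrd", f"{timestamp}:{pps}:{bps}"]


def update_commands(text, timestamp="N"):
    """One `rrdtool update` argv per queue found in the pfctl output `text`."""
    return [rrd_update_args(q, pps, bps, timestamp)
            for q, (pps, bps) in parse_queue_stats(text).items()]


if __name__ == "__main__":
    # On the firewall, run this from cron once a minute and replace the sample with
    # subprocess.run(["pfctl", "-vsq"], capture_output=True, text=True).stdout,
    # then hand each argv to subprocess.run(["rrdtool", *argv], check=True).
    for argv in update_commands(SAMPLE_PFCTL_OUTPUT):
        print("rrdtool", " ".join(argv))
```

The parser keys on the `queue` line that precedes each `[ measured: ... ]` line, so nested ALTQ hierarchies with a root queue are handled without special casing; graphs then come from `rrdtool graph` against the per-queue files.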
Re: How do I change my firewall ports to stealth mode?
Rod.. Whitworth ([EMAIL PROTECTED]) wrote:

> On Tue, 28 Sep 2004 22:03:55 -0400, Greg Wooledge wrote:
>
> > Personally, I prefer not to reveal the usernames behind the client
> > connections I'm making, so I use nullidentd.
>
> What's better about that than making the flags -Hole on the inetd
> settings for identd?

Well, for one, when I started out on OpenBSD 3.0, there wasn't a -H flag

http://www.openbsd.org/cgi-bin/man.cgi?query=identd&apropos=0&sektion=0&manpath=OpenBSD+3.0&arch=i386&format=html

I'm not in the habit of re-checking the man pages for every command with
every new release (nor am I subscribed to the CVS commit list), so I
didn't know this feature had been added. Meanwhile, nullidentd does
precisely what I want it to do, so there's very little reason for me to
switch. New users who are just starting out, though, may prefer to use
the in-tree identd.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: More Ident nonsense
[EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:

> 2) If this port is- and forget critical, how about occasionally
> necessary for irc is it the case that the legion number of mIRC
> clients out there, windows code btw, ports auth client functioning?

Most windows IRC clients implement RFC 1413 themselves. Since end-user
processes basically run with full privileges on Windows, they can do that
(listen on port 113). Unix IRC clients can't, so a separate ident daemon
is usually employed.

I don't understand what the debate is. Run ident, or don't. If you run
an ident daemon, you get to pick which one. If not, you get to pick
whether you drop packets or send back rejections.

If you just want more examples of MTAs doing ident lookups, I can point
you at tcpserver (which is typically used to run qmail-smtpd). That does
ident lookups *by default* on all connections it accepts. When new qmail
administrators have trouble of the form "my client takes FOREVER to
{send mail,connect to the POP service}", the first thing we tell them to
do is turn off PTR and ident lookups in their tcpserver commands.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: How do I change my firewall ports to stealth mode?
Volker Kindermann ([EMAIL PROTECTED]) wrote:

> I'm running emailservers for years now and never ran an identd. And my
> clients don't have an identd running either. I don't think that you
> need this for smtp nowadays.

It's never been mandatory for SMTP. Some IRC servers do require it,
though.

Personally, I prefer not to reveal the usernames behind the client
connections I'm making, so I use nullidentd. It's very simplistic; it
just returns a constant string for all ident requests. (It doesn't
appear to be in ports; I simply grabbed the source code from
packages.debian.org/nullidentd and built it myself.)

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
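The RFC 1413 exchange that the "More Ident nonsense" reply and this message describe, as an added example that is neither nullidentd's code nor OpenBSD's identd. A client sends one line, `<port-on-server>, <port-on-client>`, and gets one reply line back. The `constant` mode answers every query with the same USERID, which is what the message says nullidentd does; the user name `nobody` is an assumption, since the thread does not say which string nullidentd returns. The `hidden` mode shows the other choice mentioned earlier in the thread, a rejection, using RFC 1413's own `HIDDEN-USER` error. Neither mode looks at the socket table, so no real account name can leave the host.

```python
import re
import socketserver

# RFC 1413 request: "<port-on-server>, <port-on-client>" followed by CRLF.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def build_reply(request_line, mode="constant", constant_user="nobody"):
    """Map one ident request line to one RFC 1413 reply line (without CRLF).

    mode="constant": the same USERID for every query (the nullidentd behaviour
                     described in the thread; the user name is an assumption).
    mode="hidden":   RFC 1413's HIDDEN-USER error for every query instead.
    """
    m = REQUEST_RE.match(request_line)
    if not m:
        # Nothing parseable to echo back; "0, 0" is a common choice, not RFC text.
        return "0, 0 : ERROR : INVALID-PORT"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    pair = f"{server_port}, {client_port}"
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{pair} : ERROR : INVALID-PORT"
    if mode == "constant":
        return f"{pair} : USERID : UNIX : {constant_user}"
    if mode == "hidden":
        return f"{pair} : ERROR : HIDDEN-USER"
    return f"{pair} : ERROR : UNKNOWN-ERROR"


class IdentHandler(socketserver.StreamRequestHandler):
    """One request line per connection, one reply, then the connection closes."""
    mode = "constant"
    timeout = 30          # drop clients that connect and never send the request

    def handle(self):
        try:
            raw = self.rfile.readline(1024)
        except OSError:   # socket.timeout is an OSError subclass
            return
        if not raw:
            return
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        self.wfile.write((build_reply(line, self.mode) + "\r\n").encode("ascii"))


def serve(host="0.0.0.0", port=113, mode="constant"):
    """Stand-alone listener; under inetd the same handler logic would run on stdin/stdout."""
    IdentHandler.mode = mode
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer((host, port), IdentHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # Port 113 needs root; 1113 is used here so the example runs unprivileged.
    serve(port=1113, mode="constant")
```

Whichever mode is chosen, the reply is fixed before the connection arrives, which is the property the message is after: the ident port stays answerable for IRC servers that insist on it without mapping connections back to local accounts.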
Re: pfctl: Cannot allocate memory
connects to me from the Internet, and never gets pruned, then this
resembles a denial of service attack. :-/

But I have a hard time believing I'd be the only person seeing such a
problem.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: pfctl: Cannot allocate memory
David Chubb ([EMAIL PROTECTED]) wrote:

> I ran into this with pf under OpenBSD 3.2. The workaround at the time
> was to include the -F rules in the command to have it flush the current
> ruleset before loading the new one. Not sure if this is a long term fix
> or not but it worked for me.

That's not a viable long-term fix, because it's precisely what I'm trying
to *avoid* by using the table. Before I used the table, I'd just do
"pfctl -f /etc/pf.conf" to re-read the list of banned IP addresses from
pf.conf, but whenever I do this, all of the existing connections lose
their queues and get reassigned to the default queue. That's bad.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: newbie help
stan ([EMAIL PROTECTED]) wrote:

> And this is when I started to get puzzled. The next reference is to a
> /etc/nat.conf file. I thought this file was obsoleted with the move
> from ipf to pf. Am I wrong?

No, you're not wrong. NAT rules go in /etc/pf.conf now.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: pf and smtp
Jay Moore ([EMAIL PROTECTED]) wrote:

> On Mon, Dec 29, 2003 at 03:06:23PM -0700, the entity calling itself
> Edward A. Gardner stated:
>
> > I don't really understand so-called dynamic DNS, other than what
> > seems self evident from the name. But wouldn't that provide a way to
> > get around such blocking and send mail from dynamic addresses?
>
> I don't understand the term either.

Dynamic DNS service is a one-way (domain name -> IP address) service to
help people with dynamic IP addresses run services. It uses a third
party DNS server with a very short Time To Live.

Example: Alice wants to run a low-volume web site on her cable modem
which uses DHCP to get a dynamic address. She signs up with an imaginary
dynamic DNS service called dyno-dns.com (which may or may not charge her
a fee). She chooses the hostname "alicesrestaurant". Now, she "owns" the
FQDN alicesrestaurant.dyno-dns.com. It's an A record in a DNS zone
controlled by the registrant of dyno-dns.com, with a very short TTL
(usually on the order of 60 seconds).

When she brings up her Internet connection (typically at boot time), she
gets her dynamic IP address from her ISP. Then she runs some program on
her local computer (a perl script, etc.) which transmits her hostname
(alicesrestaurant), her current IP address, and her authentication
credentials to dyno-dns.com. dyno-dns.com updates their DNS zone file,
and then voila! Her friends can now reach her web site on her dynamic IP
address just by going to http://alicesrestaurant.dyno-dns.com/.

This is a one-way service, because typically she will have no control
over the PTR record for her address (the IP -> name translation). So,
looking up alicesrestaurant.dyno-dns.com will reveal an IP address, but
looking up that same IP address will give unpredictable results (either
no PTR record at all, or something like
host-1-2-3-4.la.ca.big-cable-isp.com).

This really has nothing to do with spam, AFAIK.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
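The scenario in the reply above, replayed as an added example (not code from the thread or from any dynamic DNS provider). It models the three parties the message names: dyno-dns.com's forward zone, which Alice's authenticated check-in may rewrite; the ISP's reverse zone, which she cannot touch; and a friend's caching resolver, which honours TTLs and therefore only notices the new address once the 60-second TTL has run out. The host name, the service name and the ISP-style PTR name come from the message; the addresses (from the 203.0.113.0/24 documentation range), the shared secret and the ISP's 86400 s TTL are constructed.

```python
import time

DYN_TTL = 60      # seconds; the short TTL the message describes for dynamic DNS names
ISP_TTL = 86400   # constructed: a typical long TTL for the ISP's reverse zone


class AuthoritativeZones:
    """Constructed stand-in for dyno-dns.com's forward zone and the ISP's reverse zone."""

    def __init__(self):
        self.a_records = {}      # name -> (ip, ttl)   controlled by dyno-dns.com
        self.ptr_records = {}    # ip   -> (name, ttl) controlled by the ISP, never by Alice
        self.credentials = {}    # name -> shared secret for updates

    def register(self, name, secret):
        self.credentials[name] = secret

    def dyndns_update(self, name, ip, secret):
        """Alice's check-in: authenticate, then rewrite only the A record.

        Returns True when the update was accepted. PTR data is never touched.
        """
        if self.credentials.get(name) != secret:
            return False
        self.a_records[name] = (ip, DYN_TTL)
        return True


class CachingResolver:
    """Toy recursive resolver that honours TTLs, standing in for a friend's ISP resolver."""

    def __init__(self, zones, clock=time.monotonic):
        self.zones = zones
        self.clock = clock       # injectable so the walkthrough can fake time
        self.cache = {}          # (rtype, key) -> (value, expires_at)

    def _lookup(self, key, fetch):
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]        # still within TTL: serve the cached answer
        record = fetch()
        if record is None:
            return None
        value, ttl = record
        self.cache[key] = (value, now + ttl)
        return value

    def resolve_a(self, name):
        return self._lookup(("A", name), lambda: self.zones.a_records.get(name))

    def resolve_ptr(self, ip):
        return self._lookup(("PTR", ip), lambda: self.zones.ptr_records.get(ip))


def walkthrough():
    """Replays the message's scenario on a fake clock and returns what a friend observes."""
    now = [0.0]
    zones = AuthoritativeZones()
    name = "alicesrestaurant.dyno-dns.com"
    zones.register(name, "constructed-secret")
    # The ISP's generic PTR names for two of its addresses (constructed).
    zones.ptr_records["203.0.113.45"] = ("host-203-0-113-45.la.ca.big-cable-isp.com", ISP_TTL)
    zones.ptr_records["203.0.113.99"] = ("host-203-0-113-99.la.ca.big-cable-isp.com", ISP_TTL)
    friend = CachingResolver(zones, clock=lambda: now[0])

    seen = {}
    zones.dyndns_update(name, "203.0.113.45", "constructed-secret")  # Alice boots, checks in
    seen["t0"] = friend.resolve_a(name)            # friend visits; answer cached for 60 s
    now[0] = 10.0
    seen["bad_secret_accepted"] = zones.dyndns_update(name, "203.0.113.99", "guess")
    zones.dyndns_update(name, "203.0.113.99", "constructed-secret")  # new DHCP lease
    now[0] = 30.0
    seen["t30"] = friend.resolve_a(name)           # cached answer still valid: old address
    now[0] = 70.0
    seen["t70"] = friend.resolve_a(name)           # cache expired: new address
    seen["ptr"] = friend.resolve_ptr("203.0.113.99")  # reverse lookup never mentions Alice
    return seen


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The `t30`/`t70` pair is why the service insists on a short TTL: a long one would leave friends pointed at whoever the ISP next leased the old address to, and the final PTR lookup shows the one-way nature the message describes, since nothing in the reverse zone ever says "alicesrestaurant".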
Re: pfstat per port?
Kenny Gryp ([EMAIL PROTECTED]) wrote:

> You can use tcpstat to create vmstat like statistics. Then you can
> create graphics from the tcpstat files with gnuplot. tcpstat allows
> tcpdump-like filters so you can specify ports, ip's

Once you have the raw data, you can also use rrdtool to maintain a round
robin database of the information, and to produce graphs of it over
specified time intervals. rrdtool is in /usr/ports/net/rrdtool .

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |
Re: Anyone know what happend to this site
Elijah Savage ([EMAIL PROTECTED]) wrote:

> http://www.devguide.net
>
> Seemed to have been off the net for a few days now, and I ordered the
> book from there and have not heard anything about my order.

I got e-mail on the 9th of July saying that mine has been shipped. Of
course, it hasn't arrived yet.

-- 
Greg Wooledge | Truth belongs to everybody.
[EMAIL PROTECTED] | - The Red Hot Chili Peppers
http://wooledge.org/~greg/ |