y for bandwidth limiting with dummynet, and
> ipfilter for packet filtering?
> I seem to recall that I've read a description of this, but came out empty
> when searching for anything regarding the topic.
As answered multiple times on multiple lists: yes.
--
Bill Fumerola
CP RST packets: x/y pps" or something)
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
On Wed, Dec 13, 2000 at 09:35:40PM -0500, Bosko Milekic wrote:
> > Bosko, please change the descriptions to something very generic before
> > committing them ("ratelimiting TCP RST packets: x/y pps" or something)
>
> Mike said he would do it and re-post the
at the 'user' that is defined per program,
that's who is going to be charged for packets on that socket.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
e `n_short'
> /usr/include/netinet/ip_icmp.h:93: syntax error before `n_time'
> /usr/include/netinet/ip_icmp.h:98: field `idi_ip' has incomplete type
>
> Is there any problems with ip_icmp.h??
>
> i'm running FBSD 4.0
man inet
--
Bill Fumerola - secur
y have to include as well. UNP
and the other stevens books use libunp.h or something similar that
include all the required files for you.
please stop skimming and read, the book is very explicit on how to compile.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROT
4 Deny UDP 0.0.0.0:68
> 10.3.3.240:67 in via rl2
>
> I believe ports 67 and 68 are used for DHCP - we are not using DHCP
> anywhere, so I don't understand why this pops up, but I include it as it may
> be relevant ?!? Also, why is the source IP on the first line 0
n't very secure though. You can more specific ipfw rules
> that make this a little more secure.
Luckily, figuring out which servers you need to allow is pretty easy,
you already have a list of them.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROT
ith named.conf as well if you just want simple
ipfw rules)
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
ead the man page on natd (there
is an installation guide in the page) and read the parts of the
configuration for "-redirect_port".
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
ir, useless
> and waste time. please stop doing such a stupid thing!
Reading your posts is also a "waste of time" and a "stupid thing".
Please stop trolling.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
look at, build a tree/trie to drive your
> searches, use lookup and hash tables, etc. etc. -- there is a lot of
> recent literature on the topic of fast packet classification.
yeah, someone should write an ipfw compiler. :->
--
Bill Fumerola - security yahoo / Yahoo! inc.
f this, use softupdates so the meta-data
operations on the network buffers can be scheduled async.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
ps. hi alfred.
ied.
examples:
# ifconfig fxp0 10.1.1.1 netmask 255.255.255.0
# ifconfig fxp0 10.1.1.2 netmask 255.255.255.255 alias # on the same subnet
# ifconfig fxp0 10.1.2.1 netmask 255.255.255.0 alias # not on the same subnet
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EM
On Wed, Jul 18, 2001 at 12:35:25PM +0200, Christophe Prévotaux wrote:
> I know that Juniper has implemented them and whole bunch of other
> neat thing
yes (including mpls).
> over FreeBSD
mostly wrong.
> and that the latest JUNOS is a somewhat modified
> FreeBSD 4.x
w
ds on
> a JunOS 4.4 and install it over a 4.x FreeBSD
> and see by yourself ?
because if I was going to do that, I'd just install olive.
and just because you install it over 4.x freebsd and it works, doesn't
mean it's 4.x freebsd based, it means you have a working a.out interprete
't been able to come up with
actual code. just more names and rumors.
plus there are license issues that thorpej pointed out to me.
it's a really cool idea, though...
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
On Mon, Aug 06, 2001 at 10:11:56AM +0930, Andrew Reid wrote:
> > Maybe running it over something like IPSec, VPNs, etc. ?
>
> I use PPP over SSH when doing this sort of thing. Quick and easy.
... and absolutely horrible in times of packet loss or heavy latency.
--
Bill Fumerol
vy handed an approach,
you may also use the data-ready accept filter (assuming you actually have
a webserver and this isn't actually another troll).
--
Bill Fumerola / [EMAIL PROTECTED]
size of the IPCB(struct inpcb) and TPCB(struct tcpcb) structure?
> > (ignoring platform specific alignment issues)
> >
> > Stevens v2 has 84(inpcb) and 140(tcpcb) bytes.
it's more on topic for a C beginners mailing list. what's so hard about
including the header file and using sizeof(
:(
fwd just changes the nexthop (changes the routing decision). it doesn't rewrite
ports or addresses. you need natd & -redirect_port for that.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
s are
added: http://people.freebsd.org/~billf/bsdcon2000/presentation/graphics/
has a few of the graphics I used in my presentation to show what happens
to ipfw as you add more rules in the critical path. different types of
rules are affected differently (and can be optimized differently, but
that's
On Wed, Sep 19, 2001 at 07:39:13PM +0200, Leif Neland wrote:
> Or you could patch ipfw to be able to use a hash-db :-)
skipto caches the pointer of the rule it's skipping to the first time
it uses that rule. not going to get a better hash hit than that...
--
- bill fumerola / [EMAIL PROTEC
polluting it with newbie questions.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
- my anger management counselor can beat up your self-affirmation therapist
an 25 2001 /kernel
/kernel has the 'schg' flag set. you can learn more about flags in 'man
chflags'. if 'make install' doesn't clear this flag before installing
(and it does), that's a bug.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMA
'this' packet will be the only
> to be followed, there are no new verification on this packet with the
> next rule.
you need to change the sysctl 'net.inet.ip.fw.one_pass'. see ipfw(8).
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
-
etting 96% of X Mbps, they're referring to
ethernet frames, not cute little netscape download boxes.
2) the real world uses switches and runs full duplex, so collisions
aren't really a concern.
if you're going to dispute statistics, at least understand the metrics.
--
t.
just a reference point. I would argue that vlans are definitely "a
sub-layer which has no concept of bandwidth" too.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
- my anger management counselor can beat up your self-affirmation therapist
pleted work to
enter the tree. the quality of the code does. presumably, the people
that the foundation (or NAI or whoever) contracts to do FreeBSD work
are of high caliber and that isn't a problem.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
- my a
ll summarize in my own special way:
JUNOS IS PROPRIETARY SOFTWARE THAT SHIPS WITH JUNIPER ROUTERS AND JUST
BECAUSE YOU CAN PHYSICALLY EXTRACT IT FROM THE ROUTER AND PLACE IT ON A
PC DOES NOT GIVE YOU THE RIGHT TO DO THAT.
just another happy juniper customer,
--
- bill fumerola / [EMAIL PROTECT
d lookup just in the ipfw code, but if
ip_input() did the lookup and passed it to both ipfw and the protocol
handler that would be nice.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
stly); ipfw would have to
be more careful than the generated code needs to be.
if brian feldman (the author of the ipfw uid/gid code) doesn't fix this
out of embarrassment first, i'll backport my cache into the main ipfw
code.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [E
just cache the current socket credentials cr_uid, if that's wrong.
please let me know privately just what exactly i should be comparing
against (or functions i should be using, if an API exists now) in -current
with the changes to credentials.
when i mfc the cache, i'll just keep the current
On Tue, Mar 12, 2002 at 03:10:50PM -0500, Douglas Berry wrote:
> > The ipfw 'iplen' keyword should let you do this.
>
> i can't find this documented, Dan says he's using CURRENT.
>
> Will this make it to 4.6-RELEASE?
yes.
--
- bill fumerola / [EMAIL P
dr. specifically, which mac address do you use
when putting a frame onto the wire that was locally generated? forwarded?
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
t gateway.
man ipfw, particularly the section describing 'fwd'.
for future reference, questions belong on <[EMAIL PROTECTED]>, not
cross-posted to -hackers & -net.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
eria for a
dummynet pipe rule in the past.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]
bsd
0
Press any key to continue...
perhaps you were looking for a cisco, windows, or ipsec forum. in the
mean time, i've moved this thread to the general discussion list.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED]
1. patent
r.corp
PING choker.corp.yahoo.com (216.145.52.228): 56 data bytes
..
--- choker.corp.yahoo.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED]
is is the
most likely reason. msn/microsoft blocks icmp wholesale from their site
and yahoo^Wfreebsd.org has no such filter. this would break pmtud.
none of this belonged on -net, though...
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED]
rthcoming in the next week to build packages that have no direct
dependencies beyond glib for tethereal and gtk for ethereal.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED]
whose data may be combined/joined/scaled
with information from the snmp agent's IF-MIB/ifXTable tables.
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
k it's great that a freebsd netflow implementation exists, it's
just a shame that you have to configure netkitchensink to use it..
--
- bill fumerola / [EMAIL PROTECTED] / [EMAIL PROTECTED]
ed
and lookup from the table, add a least conns selection method, add a
round robin method, add the ability to point to a table of machines
(possibly allow marking a machine as 'no new connections') for picking
nexthops. that would bring us up to the basic hardware vendor
implementations