From: Julian Elischer
To: "Crist J. Clark"
Cc: Luigi Rizzo, Andreas Klemm, freebsd-net@FreeBSD.ORG
Subject: Re: better DSL bandwidth usage by priorizing ACKs in outgoing packets over others
Date: Sun, 7 Apr 2002 01:35:19 -0800 (PST)

On Sat, 6 Apr 2002, Crist J. Clark wrote:
>
> ...I'm getting some severe deja vu with this topic. But I can't recall
> what the exact subject was previously.

I once described a flow manager that did similar.. queuing the return acks
per session to ensure that some sessions didn't over-run others..
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

From: Ruslan Ermilov
To: alexus
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Fw: /kernel: arplookup xx.xxx.x.xx failed: could not allocate llinfo
Date: Sun, 7 Apr 2002 15:49:29 +0300

On Fri, Feb 22, 2002 at 12:35:45PM -0500, alexus wrote:
> can someone explain to me what this means? i get this in my syslog
>
> /kernel: arplookup xx.xxx.x.xx failed: could not allocate llinfo
> /kernel: arpresolve: can't allocate llinfo for xx.xxx.x.xxrt
>

This usually indicates a misconfigured routing table; see the arp(4)
manpage for details.
Cheers,
--
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software AG, ru@FreeBSD.org
FreeBSD committer, +380.652.512.251
Simferopol, Ukraine

From: "Tomas Hodan"
Subject: Moxa C101
Date: Sun, 7 Apr 2002 22:19:29 +0200

Hi all,

is the moxa c101/isa (HD64570) supersync board supported?
Thanks,
tomas

Date: Sun, 7 Apr 2002 16:58:27 -0700
From: Maxime Henrion
To: freebsd-net@FreeBSD.org
Cc: Brooks Davis
Subject: Re: review request: minor cloning API change

Brooks Davis wrote:
> The following patch reverts a previous API change which changed the
> return value of a clonable interface's destroy function from void to
> int to allow the interface to refuse to delete a unit. Since we now
> manage unit creation in the generic cloning code and the only use mux or
> I could think of for refusing to delete a unit was forcing a certain
> number of units to exist, I've added a new member to the cloner struct,
> ifc_minifs which specifies the minimum number of units of this device
> allowed. This changes the initializer macro, but we already differ from
> NetBSD in that area and we get to revert to function signatures that
> match those from NetBSD in exchange.
>
> This diff also includes code to convert the disc interface to be
> clonable and unloadable. This will be committed separately.

This patch looks perfectly fine to me. Regarding Julian's mail, it would
be straightforward to change the return type back to int if we ever need
to (and I hope we won't), so I don't think this is really an issue.
Maxime

Date: Sun, 7 Apr 2002 20:25:33 -0500 (CDT)
From: Nick Rogness
To: "Crist J. Clark"
Cc: "Matthew D. Fuller", Alex Rousskov, freebsd-net@FreeBSD.ORG
Subject: Re: Forcing packets to the wire

> On Sat, 6 Apr 2002, Crist J. Clark wrote:
>> On Sat, Apr 06, 2002 at 01:57:44PM -0600, Nick Rogness wrote:
>>
>>> On Fri, Apr 05, 2002 at 06:48:09PM -0600 I heard the voice of
>>> On Fri, 5 Apr 2002, Matthew D. Fuller wrote:
>>>
>>> You MIGHT be able to use ipfw divert/pipe rules to somehow shove the
>>> packets into a program on their way out, and write a program that
>>> would use raw sockets to hand-assemble the IP datagram on the way out;
>>> I'm not sure if the kernel would try to outsmart you on that.
>>
>> Yeh, I thought of that. The problem is packets never leave
>> anywhere since the route for the other NIC is not "OUT" any
>> interface...it is the machine itself.
>
> They never go over a _physical_ interface, but they _do_ cross an
> interface, lo0, the internal loopback.
>
> ipfw fwd ip from to in via lo0

AFAIK, the route to get from 1 interface to the other is not through the
lo0. I'm not sure if the kernel sends these packets across lo0
(internally) or not. But the routing table would suggest not.
Here is a snapshot of a machine with 3 network cards in it:

lightning# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif
default            10.0.1.17          UGSc        6      472    tl0
10.0.1.16/28       link#1             UC          0        0    tl0 =>
10.0.1.17          0:a0:c9:5e:6:6     UHLW        7      273    tl0
10.0.1.31          ff:ff:ff:ff:ff:ff  UHLWb       1    31965    tl0
10.0.3/24          link#3             UC          0        0    de1 =>
10.0.3.255         ff:ff:ff:ff:ff:ff  UHLWb       1    31965    de1
10.0.5/24          link#2             UC          0        0    de0 =>
10.0.5.255         ff:ff:ff:ff:ff:ff  UHLWb       1    31965    de0
127.0.0.1          127.0.0.1          UH          0     5288    lo0

Nick Rogness - Don't mind me...I'm just sniffing your packets

Date: Sun, 7 Apr 2002 20:06:31 -0700
From: "Crist J. Clark"
To: Nick Rogness
Cc: "Matthew D. Fuller", Alex Rousskov, freebsd-net@FreeBSD.ORG
Subject: Re: Forcing packets to the wire

On Sun, Apr 07, 2002 at 08:25:33PM -0500, Nick Rogness wrote:
>
> >On Sat, 6 Apr 2002, Crist J. Clark wrote:
> >> On Sat, Apr 06, 2002 at 01:57:44PM -0600, Nick Rogness wrote:
> >>
> >>> On Fri, Apr 05, 2002 at 06:48:09PM -0600 I heard the voice of
> >>> On Fri, 5 Apr 2002, Matthew D. Fuller wrote:
> >>>
> >>> You MIGHT be able to use ipfw divert/pipe rules to somehow shove the
> >>> packets into a program on their way out, and write a program that
> >>> would use raw sockets to hand-assemble the IP datagram on the way out;
> >>> I'm not sure if the kernel would try to outsmart you on that.
> >>
> >> Yeh, I thought of that. The problem is packets never leave
> >> anywhere since the route for the other NIC is not "OUT" any
> >> interface...it is the machine itself.
> >
> > They never go over a _physical_ interface, but they _do_ cross an
> > interface, lo0, the internal loopback.
> >
> > ipfw fwd ip from to in via lo0
>
> AFAIK, the route to get from 1 interface to the other is not
> through the lo0. I'm not sure if the kernel sends these packets
> across lo0 (internally) or not. But the routing table would
> suggest not.

It sure looks like they do. I checked before suggesting this.
$ ifconfig dc0
dc0: flags=8843 mtu 1500
        inet 192.168.64.60 netmask 0xffffff00 broadcast 192.168.64.255
        inet6 fe80::2c0:f0ff:fe5a:6c0a%dc0 prefixlen 64 scopeid 0x1
        inet 192.168.64.61 netmask 0xffffffff broadcast 192.168.64.61
        ether 00:c0:f0:5a:6c:0a
        media: Ethernet autoselect (10baseT/UTP)
        status: active
$ telnet -s 192.168.64.60 192.168.64.61
Trying 192.168.64.61...
telnet: connect to address 192.168.64.61: Connection refused
telnet: Unable to connect to remote host

And I was sniffing the loopback when I did this,

# tcpdump -n -ilo0
tcpdump: listening on lo0
20:02:34.300094 192.168.64.60.1979 > 192.168.64.61.23: S 2453490862:2453490862(0) win 65535 (DF) [tos 0x10]
20:02:34.300138 192.168.64.61.23 > 192.168.64.60.1979: R 0:0(0) ack 2453490863 win 0

I also put in some ipfw(8) 'count' rules like,

# ipfw add count ip from 192.168.64.60 to 192.168.64.61 out via lo0

And they were hit by these packets.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
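The check Crist describes (list the host's addresses, capture on lo0, see whether both ends of the flow are local) can be scripted over the output he posted. The block below is an added example, not code from the thread or from FreeBSD; it embeds the ifconfig(8) and tcpdump(8) text from the message above as its sample input, and the function names (local_addresses, parse_tcpdump, classify) are this example's own. The practical point for anyone monitoring with a wire tap or a switch span port: a flow between two addresses configured on the same host never reaches the physical interface, so it has to be observed on lo0 (or counted with ipfw rules on lo0), exactly as the message shows.

```python
"""Confirm that a flow between two local addresses is carried by lo0.

Added example (not from the thread). It parses ifconfig and tcpdump output,
maps every configured IPv4 address to its interface, and reports for each
captured packet whether both endpoints are local to this host.
"""
import re
from dataclasses import dataclass

# Sample ifconfig output, copied from Crist's message above.
IFCONFIG_OUTPUT = """\
dc0: flags=8843 mtu 1500
        inet 192.168.64.60 netmask 0xffffff00 broadcast 192.168.64.255
        inet6 fe80::2c0:f0ff:fe5a:6c0a%dc0 prefixlen 64 scopeid 0x1
        inet 192.168.64.61 netmask 0xffffffff broadcast 192.168.64.61
        ether 00:c0:f0:5a:6c:0a
        media: Ethernet autoselect (10baseT/UTP)
        status: active
"""

# Sample "tcpdump -n -i lo0" output, copied from the same message.
TCPDUMP_OUTPUT = """\
tcpdump: listening on lo0
20:02:34.300094 192.168.64.60.1979 > 192.168.64.61.23: S 2453490862:2453490862(0) win 65535 (DF) [tos 0x10]
20:02:34.300138 192.168.64.61.23 > 192.168.64.60.1979: R 0:0(0) ack 2453490863 win 0
"""

IFACE_RE = re.compile(r"^(\w+\d+):\s+flags=")
INET_RE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(0x[0-9a-f]{8})")
# Old-style tcpdump TCP line: "src.port > dst.port: FLAGS ..."
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRW.]+)\s"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def local_addresses(ifconfig_text):
    """Map every IPv4 address configured on the host to its interface name."""
    addrs = {}
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and iface:
            addrs[m.group(1)] = iface
    return addrs


def parse_tcpdump(text):
    """Parse the TCP lines of tcpdump output; non-packet lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


def classify(packets, addrs):
    """Pair each packet with True when both endpoints are local addresses.

    Such a packet is looped back inside the kernel and never appears on the
    physical interface, so a capture there (or an IDS behind a tap) misses it.
    """
    return [(p, p.src in addrs and p.dst in addrs) for p in packets]


if __name__ == "__main__":
    addrs = local_addresses(IFCONFIG_OUTPUT)
    for pkt, local in classify(parse_tcpdump(TCPDUMP_OUTPUT), addrs):
        where = "lo0 only" if local else "physical interface"
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] {where}")
```

Both packets in the sample resolve to the same host, which is why the ipfw count rule on lo0 in the message fires and a rule on dc0 would not.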
From: "Merlin"
To: "freebsd-net"
Subject: IPv6 DNS question about host addressing.
Date: Mon, 8 Apr 2002 18:00:21 +1000
Organization: Quantum Radio

If I have two hosts on the same network, 2002:cb01:6006:: then they would
be numbered thus - have I got it right?

ruby    IN AAAA 2002:cb01:6006::1
nanguo  IN AAAA 2002:cb01:6006::2

$ ifconfig
ed0: flags=8843 mtu 1500
        inet 203.1.96.6 netmask 0xffffff00 broadcast 203.1.96.255
        inet6 fe80::240:5ff:fe4e:a982%ed0 prefixlen 64 scopeid 0x1
        ether 00:40:05:4e:a9:82
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
stf0: flags=1 mtu 1280
        inet6 2002:cb01:6006::1 prefixlen 16

Thanks
Robert
---
Quantum Radio: World Music with a difference.
http://quantum-radio.net/
Now Playing: Tummel - Dybbuking

Date: Mon, 08 Apr 2002 17:11:45 +0900
From: JINMEI Tatuya
To: "Merlin"
Cc: "freebsd-net"
Subject: Re: IPv6 DNS question about host addressing.
Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan.

>>>>> On Mon, 8 Apr 2002 18:00:21 +1000,
>>>>> "Merlin" said:

> If I have two hosts on the same network, 2002:cb01:6006:: then they would be numbered thus - have I got it right?
> ruby IN AAAA 2002:cb01:6006::1
> nanguo IN AAAA 2002:cb01:6006::2

If you asked if those lines above were correct as DNS configuration,
yes, they are correct.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp
From: "Merlin"
To: "freebsd-net"
Subject: Re: IPv6 DNS question about host addressing.
Date: Mon, 8 Apr 2002 19:36:54 +1000
Organization: Quantum Radio

Thanks, that's what I needed to know.

Regards
Robert

> >>>>> On Mon, 8 Apr 2002 18:00:21 +1000,
> >>>>> "Merlin" said:
>
> > If I have two hosts on the same network, 2002:cb01:6006:: then they would be numbered thus - have I got it right?
> > ruby IN AAAA 2002:cb01:6006::1
> > nanguo IN AAAA 2002:cb01:6006::2
>
> If you asked if those lines above were correct as DNS configuration,
> yes, they are correct.
>
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> jinmei@isl.rdc.toshiba.co.jp

Date: Mon, 8 Apr 2002 09:34:18 -0500 (CDT)
From: Nick Rogness
To: cjclark@alum.mit.edu
Cc: "Matthew D. Fuller", Alex Rousskov, freebsd-net@FreeBSD.ORG
Subject: Re: Forcing packets to the wire

On Sun, 7 Apr 2002, Crist J. Clark wrote:

> On Sun, Apr 07, 2002 at 08:25:33PM -0500, Nick Rogness wrote:
> >
> [SNIP]
> >
> > AFAIK, the route to get from 1 interface to the other is not
> > through the lo0. I'm not sure if the kernel sends these packets
> > across lo0 (internally) or not. But the routing table would
> > suggest not.
>
> It sure looks like they do. I checked before suggesting this.
>
> $ ifconfig dc0
> dc0: flags=8843 mtu 1500
>         inet 192.168.64.60 netmask 0xffffff00 broadcast 192.168.64.255
>         inet6 fe80::2c0:f0ff:fe5a:6c0a%dc0 prefixlen 64 scopeid 0x1
>         inet 192.168.64.61 netmask 0xffffffff broadcast 192.168.64.61
>         ether 00:c0:f0:5a:6c:0a
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> $ telnet -s 192.168.64.60 192.168.64.61
> Trying 192.168.64.61...
> telnet: connect to address 192.168.64.61: Connection refused
> telnet: Unable to connect to remote host
>
> And I was sniffing the loopback when I did this,
>
> # tcpdump -n -ilo0
> tcpdump: listening on lo0
> 20:02:34.300094 192.168.64.60.1979 > 192.168.64.61.23: S
> 2453490862:2453490862(0) win 65535 1,nop,nop,timestamp 11409532 0> (DF) [tos 0x10]
> 20:02:34.300138 192.168.64.61.23 > 192.168.64.60.1979: R 0:0(0) ack
> 2453490863 win 0
>
> I also put in some ipfw(8) 'count' rules like,
>
> # ipfw add count ip from 192.168.64.60 to 192.168.64.61 out via lo0
>
> And they were hit by these packets.

WOW, that's interesting. Thanks for the heads up.
Nick Rogness - Don't mind me...I'm just sniffing your packets
From: John Hay
Subject: Re: Moxa C101
To: tomas@hodan.sk (Tomas Hodan)
Cc: freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, freebsd-question@FreeBSD.ORG
Date: Mon, 8 Apr 2002 18:50:59 +0200 (SAT)

> > is the moxa c101/isa (HD64570) supersync board supported?

I don't know if there is a driver for the card, but there are 2 drivers
that drive cards based on the HD64570 chip. They are ar(4) and sr(4).
Maybe one of them is close enough, or if you can get info on the card,
maybe one of them can be adjusted to support it.

John
--
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org

Date: Mon, 08 Apr 2002 20:04:30 +0200
To: freebsd-net@freebsd.org
From: "Rogier R. Mulhuijzen"
Subject: IPsec tunnel mode

I've been following the KAME vs. OpenBSD IPsec thread somewhat, and I
gather that IPsec tunnel mode is not the same as using the gif interface
(which is IPIP).

My question is, can one get IPsec tunnel mode to work in BSD, and how is
it done? I do not need a lengthy story, a few terse pointers would be
quite enough.

Thanx,

Doc

Date: Mon, 08 Apr 2002 20:05:51 +0200
To: freebsd-net@FreeBSD.ORG
From: "Rogier R. Mulhuijzen"
Subject: Re: IPsec tunnel mode

At 20:04 8-4-2002 +0200, Rogier R. Mulhuijzen wrote:
>My question is, can one get IPsec tunnel mode to work in BSD, and how is
>it done? I do not need a lengthy story, a few terse pointers would be
>quite enough.

Pardon me. I meant FreeBSD not BSD.

Doc

Date: Mon, 8 Apr 2002 11:54:27 -0600 (MDT)
From: Alex Rousskov
To: freebsd-net@FreeBSD.ORG
Subject: Re: Forcing packets to the wire

Hi,

Thanks a lot to all those who replied on and off the list! The winner is
Andrew R. Reiter. Here is a possible solution to the problem, inspired by
his response:

        ifconfig fxp1 fxp1_IP netmask 255.255.255.255
        ifconfig fxp2 fxp2_IP netmask 255.255.255.255
        route add fxp1_IP -iface -link fxp2:fxp1_MAC_address
        route add fxp2_IP -iface -link fxp1:fxp2_MAC_address

The subnet does not have to be /32 as long as the two IPs are in
different subnets.

We are now testing the throughput limits of the above configuration and
contemplating its effect on the rest of our setup.

Thank you,

Alex.

On Fri, 5 Apr 2002, Alex Rousskov wrote:

> Hi there,
>
> I have two Ethernet NICs inside a PC. I want TCP/IP packets to
> leave one NIC, go on the wire, and eventually arrive at the other NIC.
> I do not want the kernel to be smart and shortcut the path. I want the
> outside world to see the packets and to think that my two NICs are two
> PCs talking to each other.
>
> Could any networking guru answer the following questions:
>
> - Is it possible without kernel modifications? How?
>
> - If kernel modifications are required, how extensive
> would they be (e.g., how many hours would it take a guru
> to implement the required functionality)?
>
> I am flexible as far as IP addressing scheme is concerned,
> though I would prefer to be able to put both NIC IP addresses on one
> and on separate subnets (from the outside world point of view). Again,
> I want the outside world to think that these NICs are inside two PCs.
>
> If you want to know a "use case" for this strange requirement,
> here it is: I am building an appliance to test HTTP proxies.
> I want an
> appliance to have one NIC for the "client side" and one NIC for the
> "server side". I want to be able to run no-proxy test through the
> networking gear (a baseline experiment testing hubs/switches for
> bottlenecks), and I want to test "transparent proxies" (clients think
> they send requests directly to servers).
>
>
> Thank you,
>
> Alex.
>
> P.S. So far, all attempts to make this work have failed. Even jail
> environment does not go far enough and lets the "jailed" packet to
> traverse the kernel instead of using the wires...

Date: Mon, 8 Apr 2002 13:07:17 -0500 (CDT)
From: "Matthew"
To: "Rogier R. Mulhuijzen", freebsd-net@FreeBSD.ORG
Subject: Re: IPsec tunnel mode

check out this link... they were a great deal of help to me when i went
to setup ipsec on freebsd...

        Best wishes
        Hytekblue

http://www.x-itec.de/projects/tuts/ipsec-howto.txt

> At 20:04 8-4-2002 +0200, Rogier R. Mulhuijzen wrote:
> >My question is, can one get IPsec tunnel mode to work in BSD, and how is
> >it done? I do not need a lengthy story, a few terse pointers would be
> >quite enough.
>
> Pardon me. I meant FreeBSD not BSD.
>
> Doc

Date: Mon, 08 Apr 2002 20:32:50 +0200
To: mgt@hytekblue.com, freebsd-net@FreeBSD.ORG
From: "Rogier R. Mulhuijzen" Subject: Re: IPsec tunnel mode In-Reply-To: <200204081807.NAA45347@cobalt.hytekblue.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 13:07 8-4-2002 -0500, Matthew wrote: >check out this link... they were a great deal of help to me when i went >to setup ipsec on freebsd... > > Best wishes > Hytekblue > >http://www.x-itec.de/projects/tuts/ipsec-howto.txt Unfortunately this howto, like any other mention of IPsec & tunneling on the net, uses the gif interface, which is IP over IP, and this does not seem to match with IPsec tunnel devices. I quote the gif(4) manpage: "For example, you cannot usually use gif to talk with IPsec devices that use IPsec tunnel mode." The problem is I have to make a FreeBSD box at work talk with a Firebox IPsec machine. I have set the machine up to use racoon & gif. Key exchange goes fine, but when we try to ping each other the packets go over the wire and arrive at the other machine, but neither side seems to want to receive them. Any ideas? Doc From owner-freebsd-net Mon Apr 8 13: 3:30 2002 Delivered-To: freebsd-net@freebsd.org Received: from ambrisko.com (adsl-64-174-51-42.dsl.snfc21.pacbell.net [64.174.51.42]) by hub.freebsd.org (Postfix) with ESMTP id 88BCB37B416 for ; Mon, 8 Apr 2002 13:03:21 -0700 (PDT) Received: (from ambrisko@localhost) by ambrisko.com (8.11.6/8.11.6) id g38K3IF74682 for freebsd-net@freebsd.org; Mon, 8 Apr 2002 13:03:18 -0700 (PDT) (envelope-from ambrisko)
From: Doug Ambrisko Message-Id: <200204082003.g38K3IF74682@ambrisko.com> Subject: Review for BOOTP/DHCP Vendor identifier To: freebsd-net@ambrisko.com Date: Mon, 8 Apr 2002 13:00:41 -0700 (PDT) X-Mailer: ELM [version 2.4ME+ PL94b (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I put together a patch that adds option 60 to the FreeBSD kernel BOOTP code. I fill in the vendor indentifier string as: :: partially based on how NetBSD does it. However, NetBSD uses this format: ::kernel: I wonder how usefull the "kernel" part is. Should we just do it to follow suit with NetBSD. I'm thinking we probably should do it the same way as NetBSD. Note I started on adding this code and then looked at what NetBSD did. I can add similar code to the pxeboot loader. The goal is that via the vendor identifier I can have various OS and BOOTP/DHCP configured type things get the right info at the right time and avoid tag conflicts. I think the part would be useful for those that netboot various different types off one server. Attached is my patch to -current. After a review I'd like to commit something like this. TIA for a review, Doug A. Index: bootp_subr.c =================================================================== RCS file: /cvs/src/sys/nfsclient/bootp_subr.c,v retrieving revision 1.35 diff -u -r1.35 bootp_subr.c --- bootp_subr.c 28 Feb 2002 03:07:35 -0000 1.35 +++ bootp_subr.c 8 Apr 2002 19:44:16 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include @@ -203,6 +204,8 @@ #define TAG_DHCP_SERVERID 54 #define TAG_DHCP_LEASETIME 51 +#define TAG_VENDOR_INDENTIFIER 60 + #define DHCP_NOMSG 0 #define DHCP_DISCOVER 1 #define DHCP_OFFER 2 
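Review bot: TAG_VENDOR_INDENTIFIER in the second hunk is misspelled; option 60 is the DHCP "vendor class identifier", so the macro should read TAG_VENDOR_IDENTIFIER. Worth fixing before the same name is copied into the pxeboot loader change mentioned above, since a misspelled tag name tends to propagate once two code bases share it.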
@@ -1303,7 +1306,9 @@ struct bootpc_globalcontext *gctx, struct thread *td) { unsigned char *vendp; + unsigned char vendor_client[64]; uint32_t leasetime; + uint8_t vendor_client_len; ifctx->gotrootpath = 0; @@ -1328,6 +1333,14 @@ *vendp++ = 2; *vendp++ = (sizeof(struct bootp_packet) >> 8) & 255; *vendp++ = sizeof(struct bootp_packet) & 255; + + snprintf(vendor_client, sizeof(vendor_client), "%s:%s:%s", + ostype, MACHINE, osrelease); + vendor_client_len = strlen(vendor_client); + *vendp++ = TAG_VENDOR_INDENTIFIER; + *vendp++ = vendor_client_len; + memcpy(vendp, vendor_client, vendor_client_len); + vendp += vendor_client_len;; ifctx->dhcpquerytype = DHCP_NOMSG; switch (ifctx->state) { case IF_DHCP_UNRESOLVED: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Apr 8 13:15:37 2002 Delivered-To: freebsd-net@freebsd.org Received: from web13003.mail.yahoo.com (web13003.mail.yahoo.com [216.136.174.13]) by hub.freebsd.org (Postfix) with SMTP id 1FA6037B404 for ; Mon, 8 Apr 2002 13:15:32 -0700 (PDT) Message-ID: <20020408201531.3751.qmail@web13003.mail.yahoo.com> Received: from [212.166.160.116] by web13003.mail.yahoo.com via HTTP; Mon, 08 Apr 2002 13:15:31 PDT Date: Mon, 8 Apr 2002 13:15:31 -0700 (PDT) 
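Review bot: The third hunk appends up to 65 bytes (tag byte, length byte, up to 63 bytes of string) through vendp with no check against the end of the vendor area; the fixed-size options written just above it ("*vendp++ = 2;" and the two size bytes) can be accounted for by inspection, but a variable-length string deserves either an explicit remaining-space check before the memcpy or a comment stating why the worst case still fits. Three smaller points in the same hunk: vendor_client is declared unsigned char but is passed to snprintf and strlen, which take char *, so this will warn (declare it char); "vendp += vendor_client_len;;" has a stray second semicolon; and the "%s:%s:%s" string built from ostype, MACHINE and osrelease goes out in every broadcast BOOTP/DHCP request, so the exact OS, architecture and release of each netbooting client is readable by any host on the segment before the client has even booted. That disclosure is what makes the per-OS server configuration work, so it is probably acceptable, but it should be stated in a comment at the snprintf and in the commit message so nobody later assumes the vendor string is harmless.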
From: Russo Roberto Subject: TCP window SIZE vs. RECEIVE/SEND socket size To: freebsd-net@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I am using the application NETPERF on FreeBSD 4.5 to do TCP/UDP benchmarks. Can someone give me the general relation between the TCP/IP WINDOW SIZE and the RECEIVE/SEND socket size when doing a TCP_STREAM test? Does setting, for example, a receive socket size of 5000 bytes mean that the TCP window size will be 5000 bytes? For this reason, will the size of all the TCP packets transmitted be equal to the RECEIVE SOCKET SIZE? Really, thank you! Roberto From owner-freebsd-net Mon Apr 8 13:52: 9 2002 Delivered-To: freebsd-net@freebsd.org Received: from daydreamer.dk (213.237.14.128.adsl.ho.worldonline.dk [213.237.14.128]) by hub.freebsd.org (Postfix) with SMTP id 64B0B37B404 for ; Mon, 8 Apr 2002 13:52:03 -0700 (PDT) Received: (qmail 40450 invoked from network); 8 Apr 2002 20:51:58 -0000 Received: from unknown (HELO dpws) (192.168.1.3) by 0 with SMTP; 8 Apr 2002 20:51:58 -0000 Message-ID: <007501c1df3f$326d92a0$0301a8c0@dpws>
From: "Dennis Pedersen" To: References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> Subject: Re: IPsec tunnel mode Date: Mon, 8 Apr 2002 22:51:46 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- From: "Rogier R. Mulhuijzen" To: Sent: Monday, April 08, 2002 8:04 PM Subject: IPsec tunnel mode > I've been following the KAME vs. OpenBSD IPsec thread somewhat, and I > gather that IPsec tunnel mode is not the same as using the gif interface > (which is IPIP). The howto below, is this a real IPIP version of IPsec? Because on snap-users@kame.net Lars Eggert said something about using transport mode, not tunnel mode. This confused me a bit, because isn't transport mode between 2 hosts only? I have also read ftp://ftp.ietf.org/internet-drafts/draft-touch-ipsec-vpn-03.txt a couple of times, but I still can't seem to figure out how the transport mode fits into this. Is the howto below a "real" IPIP version or? http://www.freebsddiary.org/ipsec-tunnel.php Regards, Dennis From owner-freebsd-net Mon Apr 8 14:20:33 2002 Delivered-To: freebsd-net@freebsd.org Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 391DE37B400 for ; Mon, 8 Apr 2002 14:20:27 -0700 (PDT) Received: from isi.edu (acbxgj2ds3ju51bb@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g38LKDT03979; Mon, 8 Apr 2002 14:20:13 -0700 (PDT) Message-ID: <3CB2098C.5080904@isi.edu> Date: Mon, 08 Apr 2002 14:20:12 -0700
From: Lars Eggert User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020329 X-Accept-Language: en-us, de-de MIME-Version: 1.0 To: "Rogier R. Mulhuijzen" Cc: mgt@hytekblue.com, freebsd-net@FreeBSD.ORG Subject: Re: IPsec tunnel mode References: <5.1.0.14.0.20020408202757.01cac470@mail.drwilco.net> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000906070407080108010409" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Rogier R. Mulhuijzen wrote: >> http://www.x-itec.de/projects/tuts/ipsec-howto.txt > > Unfortunately this howto, like any other mention of IPsec & > tunneling on the net uses the gif interface. Which is IPoverIP, and > this does not seem to match with IPsec tunnel devices. There are no IPsec tunnel devices in KAME. IPsec defines "security associations" (SAs), which are not represented as devices in the routing table in KAME. Thus, you can't use routes to direct traffic into these tunnel mode SAs, you need to set up your security policies with the correct selectors (think firewall-like matching). *Many* tutorials on the net do not understand this distinction, and tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel mode SA in parallel. This is a bad hack, since you (ab)use a side effect of creating an IPIP tunnel device (it can be used for route entries) to redirect traffic into your (separate) tunnel mode SA. Very roughly, you set up the IPIP tunnel, then yank out the packets destined for it during outbound processing and force them over an IPsec tunnel mode SA.
Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios where the dependencies between side effects are just right, but in general, it's a broken approach. Lars -- Lars Eggert Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
From owner-freebsd-net Mon Apr 8 14:24: 9 2002 Delivered-To: freebsd-net@freebsd.org Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 78B9337B41B for ; Mon, 8 Apr 2002 14:24:02 -0700 (PDT) Received: from isi.edu (vkq9hoa3340mf768@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g38LNwT06520; Mon, 8 Apr 2002 14:23:58 -0700 (PDT) Message-ID: <3CB20A6D.3040704@isi.edu> Date: Mon, 08 Apr 2002 14:23:57 -0700
From: Lars Eggert User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020329 X-Accept-Language: en-us, de-de MIME-Version: 1.0 To: Dennis Pedersen Cc: freebsd-net@freebsd.org Subject: Re: IPsec tunnel mode References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms060302050007020900070805" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dennis Pedersen wrote: > Because on the snap-users@kame.net Lars Eggert said something about using > transport mode, not tunnel mode. This confused me a bit because isn't > transport between 2 hosts only I said a possibility would be to use IPsec transport mode OVER AN IPIP TUNNEL, which is not the same as using transport mode alone (which is restricted to host pairs). On the wire, packets generated by either approach look identical. > I have also read the > ftp://ftp.ietf.org/internet-drafts/draft-touch-ipsec-vpn-03.txt a couple of > times, but I still can't seem to figure out how the transport mode fits into > this? Forget about security for a moment. Set up a virtual topology using IPIP tunnels, and make sure it works. *Then* turn on transport-mode IKE over the IPIP tunnels to secure it. > Is the howto below a "real" IPIP version or? I'm not sure what you mean here.
Lars -- Lars Eggert Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
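Lars's two messages above describe the two layouts that are not a hack: tunnel mode SAs selected purely by SPD policy, or a gif IPIP tunnel whose outer packets are secured with transport mode. The setkey(8) policy file below is an added example written for this thread; it is not from KAME, FreeBSD, or any poster. The gateway addresses 192.0.2.1 and 198.51.100.1, the inner networks 10.0.1.0/24 and 10.0.2.0/24, the interface name gif0, and the use of racoon(8) to negotiate the SAs are all assumptions, and the `ifconfig gif0 tunnel` form assumes a FreeBSD 4.4 or later ifconfig (older releases configure the outer addresses with gifconfig(8)).

```conf
# Added example for the freebsd-net IPsec tunnel mode thread; not from
# KAME, FreeBSD, or any poster.  Assumed topology, placeholder addresses:
#   gateway A: outside 192.0.2.1,     inside 10.0.1.0/24
#   gateway B: outside 198.51.100.1,  inside 10.0.2.0/24
# Load ONE of the two variants on gateway A with  setkey -f <file>
# (swap the address pairs and in/out on gateway B); racoon(8) is
# assumed to negotiate the SAs when the first packet matches.

# ---- Variant 1: IPsec tunnel mode alone (no gif interface) -----------
# The SPD selector, not a route, decides which packets enter the SA:
# anything from 10.0.1.0/24 to 10.0.2.0/24 is wrapped in ESP tunnel
# mode between the two outside addresses.  "require" means a matching
# packet is dropped rather than sent in the clear while no SA exists,
# and the "in" rule drops cleartext packets that arrive claiming a
# 10.0.2.0/24 source, so nobody can inject traffic into the inside
# network by spoofing the remote LAN from the Internet.
spdflush;
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec
        esp/tunnel/198.51.100.1-192.0.2.1/require;

# ---- Variant 2: IPIP (gif) tunnel plus IPsec transport mode ----------
# Run first on gateway A (shell, gif0 assumed to exist), then load the
# policy below:
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.0.1.1 10.0.2.1
#   route add -net 10.0.2.0/24 10.0.2.1
# Here the route puts inside packets on gif0, gif adds the outer IP
# header (protocol 4, "ip4" to setkey), and the SPD matches only that
# outer header between the two gateways.  Nothing else is selected, so
# every gif packet is ESP-protected and the inside traffic never needs
# its own policy.  On the wire this is indistinguishable from variant 1.
spdflush;
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec
        esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec
        esp/transport//require;
```

Whichever variant is loaded, check it with `setkey -DP` (the policies as installed) and `setkey -D` (the SAs racoon has negotiated), and run tcpdump on the outside interface: for traffic that matches the policy you should see only ESP between the two gateway addresses, never an inside address. Do not load both variants together; a gif tunnel whose outer packets are fed into a tunnel mode SA is exactly the mixture Lars calls a broken approach, where the route and the SPD selector both claim the same packet. Note also that with KAME the decapsulated inner packet is handed back to ip_input after ESP processing, so ipfw sees both the ESP packet between the gateways and the inner packet and must admit both.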
From owner-freebsd-net Mon Apr 8 14:40:23 2002 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 3C77137B417 for ; Mon, 8 Apr 2002 14:40:08 -0700 (PDT) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020408214007.CKCE21252.rwcrmhc53.attbi.com@InterJet.elischer.org>; Mon, 8 Apr 2002 21:40:07 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id OAA53026; Mon, 8 Apr 2002 14:30:14 -0700 (PDT) Date: Mon, 8 Apr 2002 14:30:13 -0700 (PDT)
From: Julian Elischer To: Lars Eggert Cc: "Rogier R. Mulhuijzen" , mgt@hytekblue.com, freebsd-net@FreeBSD.ORG Subject: Re: IPsec tunnel mode In-Reply-To: <3CB2098C.5080904@isi.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You can do another form of tunnelling by using a netgraph interface. Assign the required address to the netgraph interface and then use the IP-over-UDP example in the netgraph examples. Then set up the security associations so that the UDP packets generated are encrypted. This is basically the same as doing a gif interface, except using UDP as the carrier. Be careful about creating loops, however. If I had copious free time I think IPSEC could be hacked to interact with netgraph to give the kind of interaction you are talking about, however. On Mon, 8 Apr 2002, Lars Eggert wrote: > Rogier R. Mulhuijzen wrote: > >> http://www.x-itec.de/projects/tuts/ipsec-howto.txt > > > > Unfortunately this howto, like any other mention of IPsec & > > tunneling on the net uses the gif interface. Which is IPoverIP, and > > this does not seem to match with IPsec tunnel devices. > > There are no IPsec tunnel devices in KAME. IPsec defines "security > associations" (SAs), which are not represented as devices in the routing > table in KAME. Thus, you can't use routes to direct traffic into these > tunnel mode SAs, you need to set up your security policies with the > correct selectors (think firewall-like matching). > > *Many* tutorials on the net do not understand this distinction, and > tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel > mode SA in parallel. This is a bad hack, since you (ab)use a side effect > of creating an IPIP tunnel device (it can be used for route entries) to > redirect traffic into your (separate) tunnel mode SA.
Very roughly, you > set up the IPIP tunnel, then yank out the packets destined for it during > outbound processing and force them over an IPsec tunnel mode SA. > > Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport > mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios > where the dependencies between side effects are just right, but in > general, it's a broken approach. > > Lars > -- > Lars Eggert Information Sciences Institute > http://www.isi.edu/larse/ University of Southern California > From owner-freebsd-net Mon Apr 8 14:44: 3 2002 Delivered-To: freebsd-net@freebsd.org Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id DEA4D37B404 for ; Mon, 8 Apr 2002 14:43:54 -0700 (PDT) Received: from isi.edu (lwgvvkn8m1i86z4m@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g38LhpT18579; Mon, 8 Apr 2002 14:43:51 -0700 (PDT) Message-ID: <3CB20F16.3000904@isi.edu> Date: Mon, 08 Apr 2002 14:43:50 -0700
From: Lars Eggert User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020329 X-Accept-Language: en-us, de-de MIME-Version: 1.0 To: Julian Elischer Cc: "Rogier R. Mulhuijzen" , mgt@hytekblue.com, freebsd-net@FreeBSD.ORG Subject: Re: IPsec tunnel mode References: Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms040708090607080308090405" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Julian Elischer wrote: > Assign the required address to the netgraph interface and then > use the IP-over-UDP example in the netgraph examples. Good idea. IP-over-UDP has advantages when it comes to firewall- and NAT-traversal. IP-over-IP has the advantage that it looks like IPsec tunnel mode on the wire and to the receiver, so it can interoperate. > On Mon, 8 Apr 2002, Lars Eggert wrote: > > >>Rogier R. Mulhuijzen wrote: >> >> http://www.x-itec.de/projects/tuts/ipsec-howto.txt >> > >> > Unfortunately this howto, like any other mention of IPsec & >> > tunneling on the net uses the gif interface. Which is IPoverIP, and >> > this does not seem to match with IPsec tunnel devices. >> >>There are no IPsec tunnel devices in KAME. IPsec defines "security >>associations" (SAs), which are not represented as devices in the routing >>table in KAME. Thus, you can't use routes to direct traffic into these >>tunnel mode SAs, you need to set up your security policies with the >>correct selectors (think firewall-like matching). >> >>*Many* tutorials on the net do not understand this distinction, and >>tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel >>mode SA in parallel.
This is a bad hack, since you (ab)use a side effect >>of creating an IPIP tunnel device (it can be used for route entries) to >>redirect traffic into your (separate) tunnel mode SA. Very roughly, you >>set up the IPIP tunnel, then yank out the packets destined for it during >>outbound processing and force them over an IPsec tunnel mode SA. >> >>Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport >>mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios >>where the dependencies between side effects are just right, but in >>general, it's a broken approach. >> >>Lars >>-- >>Lars Eggert Information Sciences Institute >>http://www.isi.edu/larse/ University of Southern California >> > -- Lars Eggert Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
From owner-freebsd-net Mon Apr 8 16:30:13 2002 Delivered-To: freebsd-net@freebsd.org Received: from artemis.drwilco.net (diana.drwilco.net [66.48.127.79]) by hub.freebsd.org (Postfix) with ESMTP id 9326637B417 for ; Mon, 8 Apr 2002 16:30:04 -0700 (PDT) Received: from ceres.drwilco.net (docwilco.xs4all.nl [213.84.68.230]) by artemis.drwilco.net (8.11.6/8.11.6) with ESMTP id g38NTKx41809 (using TLSv1/SSLv3 with cipher DES-CBC3-SHA (168 bits) verified NO); Mon, 8 Apr 2002 19:29:23 -0400 (EDT) (envelope-from drwilco@drwilco.net) Message-Id: <5.1.0.14.0.20020409013356.02a51cf8@mail.drwilco.net> X-Sender: drwilco@mail.drwilco.net X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 09 Apr 2002
01:41:53 +0200 To: Lars Eggert 
From: "Rogier R. Mulhuijzen" Subject: Re: IPsec tunnel mode Cc: mgt@hytekblue.com, freebsd-net@FreeBSD.ORG In-Reply-To: <3CB2098C.5080904@isi.edu> References: <5.1.0.14.0.20020408202757.01cac470@mail.drwilco.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 14:20 8-4-2002 -0700, Lars Eggert wrote: >There are no IPsec tunnel devices in KAME. IPsec defines "security >associations" (SAs), which are not represented as devices in the routing >table in KAME. Thus, you can't use routes to direct traffic into these >tunnel mode SAs, you need to set up your security policies with the >correct selectors (think firewall-like matching). > >*Many* tutorials on the net do not understand this disctinction, and >tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel >mode SA in parallel. This is a bad hack, since you (ab)use a side effect >of creating an IPIP tunnel device (it can be used for route entries) to >redirect traffic into your (separate) tunnel mode SA. Very roughly, you >set up the IPIP tunnel, then yank out the packets destined for it during >outbound processing and force them over an IPsec tunnel mode SA. > >Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport >mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios where >the dependencies between side effects are just right, but in general, it's >a broken approach. Well see, nowhere does it say how to actually do IPsec tunnel mode VPN from between 2 internet hosts. I just got the VPN connection to the Watchguard Firebox working using IPIP & IPsec tunnel mode. There's a few quirks with ipfw and something odd with setting things up while a ping to a remote private host is going, but it's working fine otherwise. I'd like to hear how to do it the proper way though. 
Feel like clueing me in?

Doc

From owner-freebsd-net Mon Apr 8 16:42:49 2002
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 6538737B434 for ; Mon, 8 Apr 2002 16:42:27 -0700 (PDT)
Received: from isi.edu (kacoypohrgwdnmbf@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g38NgJT29702; Mon, 8 Apr 2002 16:42:19 -0700 (PDT)
Message-ID: <3CB22ADB.1060704@isi.edu>
Date: Mon, 08 Apr 2002 16:42:19 -0700
From: Lars Eggert
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020329
X-Accept-Language: en-us, de-de
MIME-Version: 1.0
To: "Rogier R. Mulhuijzen"
Cc: mgt@hytekblue.com, freebsd-net@FreeBSD.ORG
Subject: Re: IPsec tunnel mode
References: <5.1.0.14.0.20020408202757.01cac470@mail.drwilco.net> <5.1.0.14.0.20020409013356.02a51cf8@mail.drwilco.net>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms040308090605080708050005"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Rogier R. Mulhuijzen wrote:
> I'd like to hear how to do it the proper way though. Feel like clueing
> me in?

Check the KAME newsletters (e.g. http://www.kame.net/newsletter/20001119/) for configuration examples. There are also some examples in the IMPLEMENTATION and USAGE files under CVS (web-browsable at http://www.kame.net/).
Lars

--
Lars Eggert                         Information Sciences Institute
http://www.isi.edu/larse/           University of Southern California

From owner-freebsd-net Mon Apr 8 18: 8:54 2002
Delivered-To: freebsd-net@freebsd.org
Received: from nanguo.chalmers.com.au (chalmers.com.au [203.1.96.5]) by hub.freebsd.org (Postfix) with ESMTP id 0EE8437B400 for ; Mon, 8 Apr 2002 18:08:48 -0700 (PDT)
Received: from carbon (carbon.chalmers.com.au [203.1.96.26]) by nanguo.chalmers.com.au (8.11.6/8.11.6) with SMTP id g391C7J22957 for ; Tue, 9 Apr 2002 11:12:11 +1000 (EST) (envelope-from robert@quantum-radio.net.au)
Message-ID: <015701c1df63$75c118f0$1a6001cb@chalmers.com.au>
Reply-To: "Merlin"
From: "Merlin"
To: "freebsd-net"
Subject: IPv6 on a host only. Autoconfigure - right ?
Date: Tue, 9 Apr 2002 11:11:15 +1000
Organization: Quantum Radio
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

If I understand it correctly, all I need to do on a network host is set

ipv6_enable="YES"

and the rest is done automagically.

net.inet6.forwarding=0
net.inet6.accept_rtadv=1
rtsol

are all set automatically from the rc.network6 startup ?

Do I have to have this set? or is it all done for the host as well - automatically.

#ipv6_network_interfaces="auto"    # List of network interfaces (or "auto").

thanks
Robert
---
Quantum Radio: World Music with a difference.
http://quantum-radio.net/
Now Playing: Raglan Road - Psycho Reels

From owner-freebsd-net Tue Apr 9 0: 2:24 2002
Delivered-To: freebsd-net@freebsd.org
Received: from hanoi.cronyx.ru (hanoi.cronyx.ru [144.206.181.53]) by hub.freebsd.org (Postfix) with ESMTP id 171F237B400 for ; Tue, 9 Apr 2002 00:02:15 -0700 (PDT)
Received: by hanoi.cronyx.ru id KAA16562 for freebsd-net@FreeBSD.ORG.checked; (8.9.3/vak/2.1) Tue, 9 Apr 2002 10:59:02 +0400 (MSD) (envelope-from rik@cronyx.ru)
Received: from cronyx.ru by hanoi.cronyx.ru with ESMTP id KAA16472; (8.9.3/vak/2.1) Tue, 9 Apr 2002 10:56:55 +0400 (MSD) (envelope-from rik@cronyx.ru)
Message-ID: <3CB291F1.8060903@cronyx.ru>
Date: Tue, 09 Apr 2002 11:02:09 +0400
From: Roman Kurakin
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2
X-Accept-Language: en-us
MIME-Version: 1.0
To: John Hay
Cc: Tomas Hodan , freebsd-isp@FreeBSD.ORG, freebsd-net@FreeBSD.ORG, freebsd-question@FreeBSD.ORG
Subject: Re: Moxa C101
References: <200204081650.g38GoxF57492@zibbi.icomtek.csir.co.za>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

If you want sync/async cards look at:
http://www.cronyx.ru/hardware/sigma22.html
http://www.cronyx.ru/hardware/taupci.html

Best regards,
Roman Kurakin

John Hay wrote:
>>is the moxa c101/isa (HD64570) supersync board supported?
>
>I don't know if there is a driver for the card, but there are 2 drivers
>that drive cards based on the HD64570 chip. They are ar(4) and sr(4).
>Maybe one of them is close enough or if you can get info on the card,
>maybe one of them can be adjusted to support it.
>
>John

From owner-freebsd-net Tue Apr 9 1: 1:18 2002
Delivered-To: freebsd-net@freebsd.org
Received: from nanguo.chalmers.com.au (chalmers.com.au [203.1.96.5]) by hub.freebsd.org (Postfix) with ESMTP id 6225337B41B for ; Tue, 9 Apr 2002 01:01:04 -0700 (PDT)
Received: from carbon (carbon.chalmers.com.au [203.1.96.26]) by nanguo.chalmers.com.au (8.11.6/8.11.6) with SMTP id g3983bw00487 for ; Tue, 9 Apr 2002 18:03:45 +1000 (EST) (envelope-from robert@chalmers.com.au)
Message-ID: <01f401c1df9d$0a1a9ba0$1a6001cb@chalmers.com.au>
From: "Robert"
To: "freebsd-net"
Subject: still cant see IPV6 host from IPv6 gateway
Date: Tue, 9 Apr 2002 18:03:21 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Ruby is the gateway machine. DNS is set up ok, and the addressing appears to be ok. but.... they can't see each other ?????
Everything appears to work fine on each machine - but they can't see each other.

From nanguo:
$ ping6 ruby
ping6: UDP connect: No route to host
$

From ruby:
$ ping6 nanguo
PING6(56=40+8+8 bytes) 2002:cb01:6006::1 --> 2002:cb01:6006::2
--- nanguo.chalmers.com.au ping6 statistics ---
15 packets transmitted, 0 packets received, 100% packet loss

=================================================
ruby.chalmers.com.au    IPv6 address = 2002:cb01:6006::1
nanguo.chalmers.com.au  IPv6 address = 2002:cb01:6006::2
==================================================

Ruby:
$ ifconfig
ed0: flags=8843 mtu 1500
        inet 203.1.96.6 netmask 0xffffff00 broadcast 203.1.96.255
        inet6 fe80::240:5ff:fe4e:a982%ed0 prefixlen 64 scopeid 0x1
        ether 00:40:05:4e:a9:82
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
stf0: flags=1 mtu 1280
        inet6 2002:cb01:6006::1 prefixlen 16
$
=====================
Nanguo
$ ifconfig
rl0: flags=8943 mtu 1500
        inet 203.1.96.5 netmask 0xffffff00 broadcast 203.1.96.255
        inet6 fe80::210:b5ff:fee4:4386%rl0 prefixlen 64 scopeid 0x1
        ether 00:10:b5:e4:43:86
        media: Ethernet 10baseT/UTP
        status: active
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
faith0: flags=8002 mtu 1500
stf0: flags=0<> mtu 1280
tun0: flags=8051 mtu 1500
        inet6 fe80::210:b5ff:fee4:4386%tun0 prefixlen 64 scopeid 0x5
        inet 203.1.96.5 --> 139.130.78.1 netmask 0xffffff00
        Opened by PID 53

does anyone have any ideas ?

thanks
Robert

From owner-freebsd-net Tue Apr 9 3:16:34 2002
Delivered-To: freebsd-net@freebsd.org
Received: from daydreamer.dk (213.237.14.128.adsl.ho.worldonline.dk [213.237.14.128]) by hub.freebsd.org (Postfix) with SMTP id F126C37B416 for ; Tue, 9 Apr 2002 03:16:29 -0700 (PDT)
Received: (qmail 32177 invoked from network); 9 Apr 2002 10:16:25 -0000
Received: from unknown (HELO dpws) (192.168.1.3) by 0 with SMTP; 9 Apr 2002 10:16:25 -0000
Message-ID: <00a801c1dfaf$925aa750$0301a8c0@dpws>
From: "Dennis Pedersen"
To:
Cc: "Lars Eggert"
References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu>
Subject: Re: IPsec tunnel mode
Date: Tue, 9 Apr 2002 12:16:10 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

----- Original Message -----
From: "Lars Eggert"
To: "Dennis Pedersen"
Cc:
Sent: Monday, April 08, 2002 11:23 PM
Subject: Re: IPsec tunnel mode

> Dennis Pedersen wrote:
> > Because on the snap-users@kame.net Lars Eggert said something about using
> > transport mode, not tunnel mode. This confused me a bit because isn't
> > transport between 2 hosts only
>
> I said a possibility would be to use IPsec transport mode OVER AN IPIP
> TUNNEL, which is not the same as using transport mode alone (which is
> restricted to host pairs). On the wire, packets generated by either
> approach look identical.

My bad, I think I got the big picture now where you are going with the IPIP and transport mode..

> > I have also read the
> > ftp://ftp.ietf.org/internet-drafts/draft-touch-ipsec-vpn-03.txt a couple of
> > times, but I still can't seem to figure how the transport mode fits into
> > this?
>
> Forget about security for a moment. Set up a virtual topology using IPIP
> tunnels, and make sure it works. *Then* turn on transport-mode IKE over
> the IPIP tunnels to secure it.

But uhm is there a 'simple' way of doing this? (as in just adding the IP of the other end's gif interface as destination in my routes?)
The setup today is an exact copy of (other IPs of course) www.freebsddiary.org/ipsec-tunnel.php
This works just fine besides the problem with my routes; according to the draft IPIP is the solution. My question is now how do I set up with an IPIP tunnel?
On http://rr.sans.org/firewall/IPSec_VPN.php there is an example, from my point of view it looks kind of complicated. Can it be made any simpler?
If this is the way to do it, can I run multiple natd on both my external interface and the virtual gif interface (the howto creates the gif tunnel and diverts all traffic into this tunnel with natd on both ends) and how?
(because I can't really see how the ipfw add divert natd can tell the difference between the 2 sessions of natd)

Regards,
Dennis

From owner-freebsd-net Tue Apr 9 3:26:46 2002
Delivered-To: freebsd-net@freebsd.org
Received: from artemis.drwilco.net (diana.drwilco.net [66.48.127.79]) by hub.freebsd.org (Postfix) with ESMTP id 1D4AB37B41A for ; Tue, 9 Apr 2002 03:26:43 -0700 (PDT)
Received: from ceres.drwilco.net (docwilco.xs4all.nl [213.84.68.230]) by artemis.drwilco.net (8.11.6/8.11.6) with ESMTP id g39AQ0x96890 (using TLSv1/SSLv3 with cipher DES-CBC3-SHA (168 bits) verified NO); Tue, 9 Apr 2002 06:26:02 -0400 (EDT) (envelope-from drwilco@drwilco.net)
Message-Id: <5.1.0.14.0.20020409123453.01d16880@mail.drwilco.net>
X-Sender: lists@mail.drwilco.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Tue, 09 Apr 2002 12:38:35 +0200
To: "Dennis Pedersen" ,
From: "Rogier R. Mulhuijzen"
Subject: Re: IPsec tunnel mode
Cc: "Lars Eggert"
In-Reply-To: <00a801c1dfaf$925aa750$0301a8c0@dpws>
References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 12:16 9-4-2002 +0200, Dennis Pedersen wrote:
>But uhm is there a 'simple' way of doing this? (as in just adding the IP of
>the other end's gif interface as destination in my routes?)
>The setup today is an exact copy of (other IPs of course)
>www.freebsddiary.org/ipsec-tunnel.php
>This works just fine besides the problem with my routes; according to the
>draft IPIP is the solution. My question is now how do I set up with an IPIP
>tunnel?
>On http://rr.sans.org/firewall/IPSec_VPN.php there is an example, from my
>point of view it looks kind of complicated. Can it be made any simpler?
>If this is the way to do it, can I run multiple natd on both my external
>interface and the virtual gif interface (the howto creates the gif tunnel
>and diverts all traffic into this tunnel with natd on both ends) and how?
>(because I can't really see how the ipfw add divert natd can tell the
>difference between the 2 sessions of natd)

That 2nd example is actually quite straightforward. It's just rather extensive.

And yes you can use 2 nat daemons. The 'natd' in the ipfw divert rule is just a port number. You can start a second nat on a different divert port, and use that other port number in the ipfw divert rule.

Good luck,

Doc

From owner-freebsd-net Tue Apr 9 3:59:32 2002
Delivered-To: freebsd-net@freebsd.org
Received: from hotmail.com (law2-oe70.hotmail.com [216.32.180.163]) by hub.freebsd.org (Postfix) with ESMTP id 507C437B404 for ; Tue, 9 Apr 2002 03:59:29 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 9 Apr 2002 03:59:29 -0700
X-Originating-IP: [213.82.66.51]
From: "Marco Berizzi"
To:
Subject: ipsec & udp-encaps
Date: Tue, 9 Apr 2002 12:58:50 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 09 Apr 2002 10:59:29.0314 (UTC) FILETIME=[9F062820:01C1DFB5]
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello.

Since I keep running into problems with NAT traversal when implementing IPSEC solutions, I've been looking at solutions offered by quite a few of the commercial setups. Seems that a pretty widely used solution is to send ESP encapsulated in udp packets.

Specifics for this kind of configuration can be found as Internet drafts:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-01.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-justification-00.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-01.txt

Is there any interest or plan for inclusion of this kind of implementation into the FreeBSD IPSec stack?

From owner-freebsd-net Tue Apr 9 4:36:45 2002
Delivered-To: freebsd-net@freebsd.org
Received: from daydreamer.dk (213.237.14.128.adsl.ho.worldonline.dk [213.237.14.128]) by hub.freebsd.org (Postfix) with SMTP id 0771C37B41E for ; Tue, 9 Apr 2002 04:36:41 -0700 (PDT)
Received: (qmail 41397 invoked from network); 9 Apr 2002 11:36:42 -0000
Received: from unknown (HELO dpws) (192.168.1.3) by 0 with SMTP; 9 Apr 2002 11:36:42 -0000
Message-ID: <00bd01c1dfba$c93724f0$0301a8c0@dpws>
From: "Dennis Pedersen"
To: , "Rogier R. Mulhuijzen"
References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <5.1.0.14.0.20020409123453.01d16880@mail.drwilco.net>
Subject: Re: IPsec tunnel mode
Date: Tue, 9 Apr 2002 13:36:27 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

From: "Rogier R. Mulhuijzen"
> At 12:16 9-4-2002 +0200, Dennis Pedersen wrote:
> >But uhm is there a 'simple' way of doing this? (as in just adding the IP of
> >the other end's gif interface as destination in my routes?)
> >The setup today is an exact copy of (other IPs of course)
> >www.freebsddiary.org/ipsec-tunnel.php
> >This works just fine besides the problem with my routes; according to the
> >draft IPIP is the solution. My question is now how do I set up with an IPIP
> >tunnel?
> >On http://rr.sans.org/firewall/IPSec_VPN.php there is an example, from my
> >point of view it looks kind of complicated. Can it be made any simpler?
> >If this is the way to do it, can I run multiple natd on both my external
> >interface and the virtual gif interface (the howto creates the gif tunnel
> >and diverts all traffic into this tunnel with natd on both ends) and how?
> >(because I can't really see how the ipfw add divert natd can tell the
> >difference between the 2 sessions of natd)
>
> That 2nd example is actually quite straightforward. It's just rather extensive.

Okay, I'll try it then, thanx :)

> And yes you can use 2 nat daemons. The 'natd' in the ipfw divert rule is
> just a port number. You can start a second nat on a different divert port,
> and use that other port number in the ipfw divert rule.

Uhm okay, but where do I see the port number for the 2 natd processes? Can I specify it somewhere, or?

/Dennis

From owner-freebsd-net Tue Apr 9 5:18:43 2002
Delivered-To: freebsd-net@freebsd.org
Received: from web21201.mail.yahoo.com (web21201.mail.yahoo.com [216.136.129.59]) by hub.freebsd.org (Postfix) with SMTP id 1364637B400 for ; Tue, 9 Apr 2002 05:18:39 -0700 (PDT)
Message-ID: <20020409121838.97905.qmail@web21201.mail.yahoo.com>
Received: from [202.127.108.4] by web21201.mail.yahoo.com via HTTP; Tue, 09 Apr 2002 05:18:38 PDT
Date: Tue, 9 Apr 2002 05:18:38 -0700 (PDT)
From: yudin tr
Subject: problem with my dumb terminal
To: freebsd-net@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have a problem with my dumb terminals. I'm a new employee in my office, and I'm a newbie at FreeBSD Unix.

At my office, there is one set of computers:
1 unit Digital Server with Alpha processors (on the monitor and casing is written DIGITAL); this server uses the OS Digital Unix Ver 3.2C
5 units dumb terminal (only keyboard and monitor; on the monitor is written DIGITAL).

To connect my server and the dumb terminals:
The server uses coaxial cable and a T-connector to connect with a hub (I don't know whether it is a hub or a multi-serial port; there is one T-connector hole and some RJ-xx holes) and the dumb terminals use UTP cable and a connector such as RJ-45 (this connector is smaller than RJ-45, like a phone connector).

Now my server is broken and can't be repaired. I'm planning to replace my server with a PC Intel Pentium II with the OS FreeBSD Unix.

My questions about the dumb terminals are:
1. Can I connect my PC Intel Pentium II with my dumb terminals?
2. If yes, what hardware must be added to connect them?
3. If I must add some hardware, where can I buy it and how much?
4. What versions of FreeBSD Unix can do it?
5. How do I configure FreeBSD Unix to connect with the dumb terminals?
6. Where can I download the manual book for installing it?

Thank you very much for your answer!

Best Regards
Yudin

From owner-freebsd-net Tue Apr 9 5:19: 6 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mgo.iij.ad.jp (mgo.iij.ad.jp [202.232.15.6]) by hub.freebsd.org (Postfix) with ESMTP id EAA3237B404 for ; Tue, 9 Apr 2002 05:19:02 -0700 (PDT)
Received: from ns.iij.ad.jp (ns.iij.ad.jp [192.168.2.8]) by mgo.iij.ad.jp (8.8.8/MGO1.0) with ESMTP id VAA01518 for ; Tue, 9 Apr 2002 21:19:01 +0900 (JST)
Received: from localhost (keiichi01.osaka.iij.ad.jp [192.168.65.66]) by ns.iij.ad.jp (8.8.5/3.5Wpl7) with ESMTP id VAA28935 for ; Tue, 9 Apr 2002 21:19:00 +0900 (JST)
Date: Tue, 09 Apr 2002 21:18:45 +0900 (JST)
Message-Id: <20020409.211845.167288433.keiichi@iij.ad.jp>
To: freebsd-net@FreeBSD.ORG
Subject: Re: IPv6 on a host only. Autoconfigure - right ?
From: Keiichi SHIMA / 島慶一
In-Reply-To: <015701c1df63$75c118f0$1a6001cb@chalmers.com.au>
References: <015701c1df63$75c118f0$1a6001cb@chalmers.com.au>
X-Mailer: Mew version 3.0.55 on XEmacs 21.1.14 (Cuyahoga Valley)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org
From: "Merlin"
> If I understand it correctly, all I need to do on a network host is set
> ipv6_enable="YES"
>
> and the rest is done automagically.

Correct.

> net.inet6.forwarding=0
> net.inet6.accept_rtadv=1
> rtsol
>
> are all set automatically from the rc.network6 startup ?

Yes.

> Do I have to have this set? or is it all done for the host as well - automatically.
> #ipv6_network_interfaces="auto" # List of network interfaces (or "auto").

No, unless you do not want to use specific interfaces. You can leave it at the default.

---
Keiichi SHIMA
IIJ Research Laboratory
KAME Project

From owner-freebsd-net Tue Apr 9 5:27:35 2002
Delivered-To: freebsd-net@freebsd.org
Received: from web21210.mail.yahoo.com (web21210.mail.yahoo.com [216.136.175.253]) by hub.freebsd.org (Postfix) with SMTP id E428737B41C for ; Tue, 9 Apr 2002 05:27:29 -0700 (PDT)
Message-ID: <20020409122729.32958.qmail@web21210.mail.yahoo.com>
Received: from [202.127.108.4] by web21210.mail.yahoo.com via HTTP; Tue, 09 Apr 2002 05:27:29 PDT
Date: Tue, 9 Apr 2002 05:27:29 -0700 (PDT)
From: yudin tr
Subject: I'm newbie with my dumb terminal
To: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have a problem with my dumb terminals. I'm a new employee in my office, and I'm a newbie at FreeBSD Unix.

At my office, there is one set of computers:
1 unit Digital Server with Alpha processors (on the monitor and casing is written DIGITAL); this server uses the OS Digital Unix Ver 3.2C
5 units dumb terminal (only keyboard and monitor; on the monitor is written DIGITAL).

To connect my server and the dumb terminals:
The server uses coaxial cable and a T-connector to connect with a hub (I don't know whether it is a hub or a multi-serial port; there is one T-connector hole and some RJ-xx holes) and the dumb terminals use UTP cable and a connector such as RJ-45 (this connector is smaller than RJ-45, like a phone connector).

Now my server is broken and can't be repaired. I'm planning to replace my server with a PC Intel Pentium II with the OS FreeBSD Unix.

My questions about the dumb terminals are:
1. Can I connect my PC Intel Pentium II with my dumb terminals?
2. If yes, what hardware must be added to connect them?
3. If I must add some hardware, where can I buy it and how much?
4. What versions of FreeBSD Unix can do it?
5. How do I configure FreeBSD Unix to connect with the dumb terminals?
6. Where can I download the manual book for installing it?

Thank you very much for your answer!

Best Regards
Yudin

From owner-freebsd-net Tue Apr 9 5:33: 9 2002
Delivered-To: freebsd-net@freebsd.org
Received: from tokyo.ccrle.nec.de (tokyo.ccrle.nec.de [195.37.70.2]) by hub.freebsd.org (Postfix) with ESMTP id F0D0437B404 for ; Tue, 9 Apr 2002 05:33:01 -0700 (PDT)
Received: from wallace.heidelberg.ccrle.nec.de (root@wallace.heidelberg.ccrle.nec.de [192.168.102.1]) by tokyo.ccrle.nec.de (8.11.6/8.11.6) with ESMTP id g39CX0801484; Tue, 9 Apr 2002 14:33:00 +0200 (CEST) (envelope-from Martin.Stiemerling@ccrle.nec.de)
Received: from imap.heidelberg.ccrle.nec.de (imap.heidelberg.ccrle.nec.de [192.168.102.11]) by wallace.heidelberg.ccrle.nec.de (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP id OAA28536; Tue, 9 Apr 2002 14:32:27 +0200
Received: from ccrle.nec.de (elgar.heidelberg.ccrle.nec.de [192.168.102.180]) by imap.heidelberg.ccrle.nec.de (Postfix on SuSE Linux eMail Server 3.0) with ESMTP id E872F11219; Tue, 9 Apr 2002 14:32:17 +0200 (CEST)
Message-ID: <3CB2DF56.5060700@ccrle.nec.de>
Date: Tue, 09 Apr 2002 14:32:22 +0200
From: Martin Stiemerling User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020305 X-Accept-Language: en-us MIME-Version: 1.0 To: Robert Cc: freebsd-net Subject: Re: still cant see IPV6 host from IPv6 gateway References: <01f401c1df9d$0a1a9ba0$1a6001cb@chalmers.com.au> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Robert wrote:
> Ruby is the gateway machine. DNS is set up ok, and the addressing appears to be ok. but.... they can't see each other
> ?????
> Everything appears to work fine on each machine - but they can't see each other.
>
> From nanguo:
> $ ping6 ruby
> ping6: UDP connect: No route to host
> $
>
> From ruby:
> $ ping6 nanguo

Nanguo has no IP address of 2002:cb01:6006::2 configured at any interface.

To check whether both machines have an on-link connection, try: ping6 ff02::1%, e.g. on ruby: ping6 ff02::1%ed0

For configuring these 2002:: addresses see:
man ifconfig
man rc.conf

Martin

> PING6(56=40+8+8 bytes) 2002:cb01:6006::1 --> 2002:cb01:6006::2
> --- nanguo.chalmers.com.au ping6 statistics ---
> 15 packets transmitted, 0 packets received, 100% packet loss
>
> =================================================
> ruby.chalmers.com.au IPv6 address = 2002:cb01:6006::1
> nanguo.chalmers.com.au IPv6 address = 2002:cb01:6006::2
>
> ==================================================
>
> Ruby:
> $ ifconfig
> ed0: flags=8843 mtu 1500
> inet 203.1.96.6 netmask 0xffffff00 broadcast 203.1.96.255
> inet6 fe80::240:5ff:fe4e:a982%ed0 prefixlen 64 scopeid 0x1
> ether 00:40:05:4e:a9:82
> lo0: flags=8049 mtu 16384
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
> inet 127.0.0.1 netmask 0xff000000
> stf0: flags=1 mtu 1280
> inet6 2002:cb01:6006::1 prefixlen 16
> $
> =====================
> Nanguo
> $ ifconfig
> rl0: flags=8943 mtu 1500
> inet 203.1.96.5 netmask 0xffffff00 broadcast 203.1.96.255
> inet6 fe80::210:b5ff:fee4:4386%rl0 prefixlen 64 scopeid 0x1
> ether 00:10:b5:e4:43:86
> media: Ethernet 10baseT/UTP
> status: active
> lo0: flags=8049 mtu 16384
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
> inet 127.0.0.1 netmask 0xff000000
> faith0: flags=8002 mtu 1500
> stf0: flags=0<> mtu 1280
> tun0: flags=8051 mtu 1500
> inet6 fe80::210:b5ff:fee4:4386%tun0 prefixlen 64 scopeid 0x5
> inet 203.1.96.5 --> 139.130.78.1 netmask 0xffffff00
> Opened by PID 53
>
> does anyone have any ideas ?
>
> thanks
> Robert
>
-- Martin Stiemerling NEC Europe Ltd.
-- Network Laboratories Stiemerling@ccrle.nec.de IPv4: http://www.ccrle.nec.de IPv6: http://www.ipv6.ccrle.nec.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Apr 9 6:42:44 2002 Delivered-To: freebsd-net@freebsd.org Received: from rerun.avayactc.com (rerun.avayactc.com [199.93.237.2]) by hub.freebsd.org (Postfix) with ESMTP id A604937B416 for ; Tue, 9 Apr 2002 06:42:38 -0700 (PDT) Received: by rerun.avayactc.com with Internet Mail Service (5.5.2653.19) id <2L3VDMLF>; Tue, 9 Apr 2002 09:40:25 -0400 Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D706567C@rerun.avayactc.com> From: "Cambria, Mike" To: freebsd-net@FreeBSD.ORG Subject: RE: kame ipsec vs. openbsd ipsec Date: Tue, 9 Apr 2002 09:40:24 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > -----Original Message----- 
> From: Jun-ichiro itojun Hagino [mailto:itojun@iijlab.net] > > 4 is also incorrect. SPD is implemented as a radix > tree, separate > from IPv4 (or IPv6) routing table. therefore, it has nothing > to do with normal routing table. Is there one SPD per interface (e.g. one radix tree/interface)? I ask because of recent clarification (again) on the ipsec mailing list on the requirement for each interface to have an SPD. I don't see multiple SPD in my FreeBSD 4.5-Stable, nor any way to configure it. In other words, if the next hop lookup is to go out ipsec enabled IF-A, use SPD-A go out ipsec enabled IF-B, use SPD-B go out non-ipsec enabled IF-C, no SPD exists Thanks, MikeC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Apr 9 8:30:29 2002 Delivered-To: freebsd-net@freebsd.org Received: from mail.numachi.com (numachi.numachi.com [198.175.254.2]) by hub.freebsd.org (Postfix) with SMTP id 8763437B400 for ; Tue, 9 Apr 2002 08:30:23 -0700 (PDT) Received: (qmail 15938 invoked by uid 3001); 9 Apr 2002 15:30:21 -0000 Received: from natto.numachi.com (198.175.254.216) by numachi.numachi.com with SMTP; 9 Apr 2002 15:30:21 -0000 Received: (qmail 9126 invoked by uid 1001); 9 Apr 2002 15:30:21 -0000 Date: Tue, 9 Apr 2002 11:30:21 -0400 
From: Brian Reichert To: yudin tr Cc: freebsd-net@freebsd.org Subject: Re: I'm newbie with my dumb terminal Message-ID: <20020409113021.Y43150@numachi.com> References: <20020409122729.32958.qmail@web21210.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020409122729.32958.qmail@web21210.mail.yahoo.com>; from e_yud@yahoo.com on Tue, Apr 09, 2002 at 05:27:29AM -0700 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Apr 09, 2002 at 05:27:29AM -0700, yudin tr wrote: > My question about dumb terminal is : > 1. Can I connect My PC Intel Pentium II with my Dumb > Terminal ? If this dumb terminal uses a serial cable, then yes, you can connect this to a PC. > 2. If yes, What are Hardware added to connect them ? For all of these questions, see > 3. If I must adding some hardware, Where i can buy it > and how much ? > 4. What are the Version of FreeBSD Unix can do it ? > 5. How to configuration FreeBSD Unix to connect with > dumb terminal ? > 6. Where I can downloading manual book for > Installation it ? > > > > thank you very much for your answer ! Good luck. > > Best Regards > > Yudin > -- Brian 'you Bastard' Reichert 37 Crystal Ave. 
#303 Daytime number: (603) 434-6842 Derry NH 03038-1713 USA Intel architecture: the left-hand path To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Apr 9 9: 5:34 2002 Delivered-To: freebsd-net@freebsd.org Received: from shiva.jussieu.fr (shiva.jussieu.fr [134.157.0.129]) by hub.freebsd.org (Postfix) with ESMTP id 3898537B417; Tue, 9 Apr 2002 09:05:27 -0700 (PDT) Received: from heho.snv.jussieu.fr (heho.snv.jussieu.fr [134.157.37.22]) by shiva.jussieu.fr (8.12.1/jtpda-5.4) with ESMTP id g39G5PYD095757 ; Tue, 9 Apr 2002 18:05:25 +0200 (CEST) Received: from (arno@localhost) by heho.snv.jussieu.fr (8.11.6/jtpda-5.2) id g39G56r05625 ; Tue, 9 Apr 2002 18:05:06 +0200 (MEST) To: freebsd-net@freebsd.org Cc: freebsd-stable@freebsd.org Subject: diskless booting and memory size?? 
From: arno@heho.snv.jussieu.fr Date: 09 Apr 2002 18:05:06 +0200 Message-ID: Lines: 37 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hello, I installed an ASUS A7N266 with an Athlon XP 1700+ as a diskless machine booting pxeboot over a 3Com 3c905C-TX connecting to a isc-dhcp3-3.0.1.r6 server installed from ports. With a 128M DIMM installed, everything works fine: bootpc_init: wired to interface 'xl0' Sending DHCP Discover packet from interface xl0 (00:04:76:a3:3b:e4) Received DHCP Offer packet on xl0 from 192.168.0.1 (accepted) (no root path) Sending DHCP Request packet from interface xl0 (00:04:76:a3:3b:e4) Received DHCP Ack packet on xl0 from 192.168.0.1 (accepted) (got root path) When I replace the 128M DIMM by a 512M one, I get: bootpc_init: wired to interface 'xl0' Sending DHCP Discover packet from interface xl0 (00:04:76:a3:3b:e4) DHCP/BOOTP timeout for server 255.255.255.255 Does anyone have a clue where this might come from? Thanx a lot in advance. Arno -- Arno J. Klaassen SCITO S.A. 7, chemin Fortune Ferrini 38700 La Tronche arno@ccr.jussieu.fr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Apr 9 9:19:15 2002 Delivered-To: freebsd-net@freebsd.org Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 12F4137B400 for ; Tue, 9 Apr 2002 09:19:08 -0700 (PDT) Received: from isi.edu (v2ybp0kl7rzyy2ud@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g39GIpT28264; Tue, 9 Apr 2002 09:18:51 -0700 (PDT) Message-ID: <3CB3146A.7080906@isi.edu> Date: Tue, 09 Apr 2002 09:18:50 -0700 
From: Lars Eggert User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020329 X-Accept-Language: en-us, de-de MIME-Version: 1.0 To: Dennis Pedersen Cc: freebsd-net@freebsd.org Subject: Re: IPsec tunnel mode References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms020700070809060704090609" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a cryptographically signed message in MIME format.

Dennis Pedersen wrote:
> But uhm, is there a 'simple' way of doing this? (as in just adding the IP of
> the other end's gif interface as destination in my routes?)
> The setup today is an exact copy of (other IPs of course)
> www.freebsddiary.org/ipsec-tunnel.php
> This works just fine besides the problem with my routes; according to the
> draft IPIP is the solution. My question is now: how do I set up an IPIP
> tunnel?
> On http://rr.sans.org/firewall/IPSec_VPN.php there is an example; from my
> point of view it looks kind of complicated. Can it be made any simpler?
> If this is the way to do it, can I run multiple natd on both my external
> interface and the virtual gif interface (the howto creates the gif tunnel
> and diverts all traffic into this tunnel with natd on both ends) and how?
> (because I can't really see how the ipfw add divert natd can tell the
> difference between the 2 sessions of natd)

Both setup instructions you gave URLs for are broken in the respect that they tell you to set up IPIP tunnels and IPsec tunnel mode SAs in parallel. IPsec tunnel mode under KAME does not use gif interfaces. This works in some situations, because the interaction of side effects is just right.

These instructions in fact set up a secure and a non-secure path between the two security gateways, and work by intercepting packets sent over the non-secure path and pushing them into the secure tunnel. This can have all sorts of interesting failure modes.

Setting up the other approach (IPIP tunnel + IPsec transport mode) works by first setting up the tunnels (see the gifconfig/ifconfig man pages) and stringing the topology together with route (route man page). No other commands are needed. Once this works (i.e. you see correctly encapsulated packets flow between your machines) you can then manually configure IPsec transport mode SAs (via setkey) or use IKE.

Lars
-- Lars Eggert Information Sciences Institute http://www.isi.edu/larse/ University of Southern California

Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature

From owner-freebsd-net Tue Apr 9 9:19:52 2002 Delivered-To: freebsd-net@freebsd.org Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id B467837B41A for ; Tue, 9 Apr 2002 09:19:39 -0700 (PDT) Received: from isi.edu (bz8ww5qhp97imp2u@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g39GJaT28656; Tue, 9 Apr 2002 09:19:36 -0700 (PDT) Message-ID: <3CB31497.5040306@isi.edu> Date: Tue, 09 Apr 2002 09:19:35 -0700
From: Lars Eggert User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020329 X-Accept-Language: en-us, de-de MIME-Version: 1.0 To: Dennis Pedersen Cc: freebsd-net@freebsd.org Subject: Re: IPsec tunnel mode References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms060700030601080506030207" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a cryptographically signed message in MIME format.

Dennis Pedersen wrote:
> But uhm is there a 'simple' way of doing this?

Did you look at the KAME newsletters? (URL in a previous email)

Lars
-- Lars Eggert Information Sciences Institute http://www.isi.edu/larse/ University of Southern California

Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature

From owner-freebsd-net Tue Apr 9 9:48:28 2002 Delivered-To: freebsd-net@freebsd.org Received: from hotmail.com (f41.law14.hotmail.com [64.4.21.41]) by hub.freebsd.org (Postfix) with ESMTP id 6B69837B405 for ; Tue, 9 Apr 2002 09:48:24 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 9 Apr 2002 09:48:24 -0700 Received: from 135.180.144.113 by lw14fd.law14.hotmail.msn.com with HTTP; Tue, 09 Apr 2002 16:48:24 GMT X-Originating-IP: [135.180.144.113]
From: "ipver four" To: freebsd-net@freebsd.org Subject: TCP Timestamp option? Date: Tue, 09 Apr 2002 12:48:24 -0400 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 09 Apr 2002 16:48:24.0243 (UTC) FILETIME=[5D36D030:01C1DFE6] Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

My packet traces show that FreeBSD 4.5 TCP connections contain the TCP timestamp option in the TCP header. So, the TCP/IP header size is 52 bytes (instead of 40) most of the time. Is there a reason for including the timestamp option on most of the TCP packets?

From owner-freebsd-net Tue Apr 9 9:50: 5 2002 Delivered-To: freebsd-net@freebsd.org Received: from daydreamer.dk (213.237.14.128.adsl.ho.worldonline.dk [213.237.14.128]) by hub.freebsd.org (Postfix) with SMTP id 7F1C637B404 for ; Tue, 9 Apr 2002 09:49:52 -0700 (PDT) Received: (qmail 77334 invoked from network); 9 Apr 2002 16:49:47 -0000 Received: from unknown (HELO dpws) (192.168.1.3) by 0 with SMTP; 9 Apr 2002 16:49:47 -0000 Message-ID: <003c01c1dfe6$8460e7e0$0301a8c0@dpws>
From: "Dennis Pedersen" To: "Lars Eggert" Cc: References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws> <3CB3146A.7080906@isi.edu> Subject: Re: IPsec tunnel mode Date: Tue, 9 Apr 2002 18:49:29 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- 
From: "Lars Eggert" To: "Dennis Pedersen" Cc: Sent: Tuesday, April 09, 2002 6:18 PM Subject: Re: IPsec tunnel mode

> Dennis Pedersen wrote:
> > But uhm, is there a 'simple' way of doing this? (as in just adding the IP of
> > the other end's gif interface as destination in my routes?)
> > The setup today is an exact copy of (other IPs of course)
> > www.freebsddiary.org/ipsec-tunnel.php
> > This works just fine besides the problem with my routes; according to the
> > draft IPIP is the solution. My question is now: how do I set up an IPIP
> > tunnel?
> > On http://rr.sans.org/firewall/IPSec_VPN.php there is an example; from my
> > point of view it looks kind of complicated. Can it be made any simpler?
> > If this is the way to do it, can I run multiple natd on both my external
> > interface and the virtual gif interface (the howto creates the gif tunnel
> > and diverts all traffic into this tunnel with natd on both ends) and how?
> > (because I can't really see how the ipfw add divert natd can tell the
> > difference between the 2 sessions of natd)
>
> Both setup instructions you gave URLs for are broken in the respect that
> they tell you to set up IPIP tunnels and IPsec tunnel mode SAs in
> parallel. IPsec tunnel mode under KAME does not use gif interfaces. This
> works in some situations, because the interaction of side effects is
> just right.
> These instructions in fact set up a secure and a non-secure path between
> the two security gateways, and work by intercepting packets sent over
> the non-secure path and pushing them into the secure tunnel. This can
> have all sorts of interesting failure modes.

Oooh, bummer..

> Setting up the other approach (IPIP tunnel + IPsec transport mode) works
> by first setting up the tunnels (see the gifconfig/ifconfig man pages)
> and stringing the topology together with route (route man page). No
> other commands are needed. Once this works (i.e. you see correctly
> encapsulated packets flow between your machines) you can then manually
> configure IPsec transport mode SAs (via setkey) or use IKE.

Well, the problem is that I have read the man pages a couple of times, but I'm having some problems getting the big picture (=as in lack of brain cells keeps me from coming up with a plan that should work..)

But the last document, where the author creates some alias to lo0 and runs natd on the gif interface, isn't that the right way of doing it (let's just forget ipsec for now and look strictly at IPIP), or? According to what you are writing this isn't the way of doing it? (and there you seem to have lost me..)

About the Kame Newsletters, I believe I have read all of them that have relevance to IPsec; anything specific I'm missing?

Regards,
Dennis

From owner-freebsd-net Tue Apr 9 9:55:12 2002 Delivered-To: freebsd-net@freebsd.org Received: from artemis.drwilco.net (diana.drwilco.net [66.48.127.79]) by hub.freebsd.org (Postfix) with ESMTP id 1810437B405 for ; Tue, 9 Apr 2002 09:55:08 -0700 (PDT) Received: from ceres.drwilco.net (docwilco.xs4all.nl [213.84.68.230]) by artemis.drwilco.net (8.11.6/8.11.6) with ESMTP id g39GsPx30157 (using TLSv1/SSLv3 with cipher DES-CBC3-SHA (168 bits) verified NO); Tue, 9 Apr 2002 12:54:27 -0400 (EDT) (envelope-from drwilco@drwilco.net) Message-Id: <5.1.0.14.0.20020409190509.0295b720@mail.drwilco.net> X-Sender: lists@mail.drwilco.net X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 09 Apr 2002 19:07:00 +0200 To: "Dennis Pedersen" ,
From: "Rogier R. Mulhuijzen" Subject: Re: IPsec tunnel mode In-Reply-To: <00bd01c1dfba$c93724f0$0301a8c0@dpws> References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <5.1.0.14.0.20020409123453.01d16880@mail.drwilco.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 13:36 9-4-2002 +0200, Dennis Pedersen wrote:
>Uhm okay, but where do I see the port number for the 2 natd processes? Can
>I specify it somewhere or?

From natd(8):

     -port | -p port
             Read from and write to divert(4) port port, distinguishing
             packets as ``incoming'' or ``outgoing'' using the rules
             specified in divert(4). If port is not numeric, it is
             searched for in the services(5) database. If this option is
             not specified, the divert port named natd will be used as a
             default.

In /etc/services 'natd' is 8668/divert

Greets,
Doc

From owner-freebsd-net Tue Apr 9 10: 5: 8 2002 Delivered-To: freebsd-net@freebsd.org Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 5A02D37B404 for ; Tue, 9 Apr 2002 10:04:59 -0700 (PDT) Received: from isi.edu (k2g2417j05bap721@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g39H4tT03313; Tue, 9 Apr 2002 10:04:55 -0700 (PDT) Message-ID: <3CB31F37.7020504@isi.edu> Date: Tue, 09 Apr 2002 10:04:55 -0700
From: Lars Eggert
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020404
X-Accept-Language: en-us, de-de
MIME-Version: 1.0
To: Dennis Pedersen
Cc: freebsd-net@freebsd.org
Subject: Re: IPsec tunnel mode
References: <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws> <3CB3146A.7080906@isi.edu> <003c01c1dfe6$8460e7e0$0301a8c0@dpws>

Dennis Pedersen wrote:
>>Setting up the other approach (IPIP tunnel + IPsec transport mode) works
>>by first setting up the tunnels (see the gifconfig/ifconfig man pages)
>>and stringing the topology together with route (route man page). No
>>other commands are needed. Once this works (i.e. you see correctly
>>encapsulated packets flow between your machines) you can then manually
>>configure IPsec transport mode SAs (via setkey) or use IKE.
>
> But the last document where the author creates some alias to lo0 and runs
> natd on the gif interface, isn't that the right way of doing it (let's just
> forget ipsec for now and look strictly at IPIP) or?

The alias on loopback is simply working around a small bug with gif
interfaces. (Normally you can ping the local address of any interface;
with KAME gifs you can't. The alias works around that.)

NAT is not required to make the overlay setup work. (The example you gave
includes it so that overlay nodes with RFC1918 addresses can talk to the
real Internet. This is an orthogonal issue.)

> According to what you are writing this isn't the way of doing it? (and there
> you seem to have lost me..)

There are TWO ways of doing this:

1. IPsec tunnel mode
   - you don't need any gifs
   - you must use IPsec selectors to match & forward your traffic

2. IPIP tunnels + transport mode
   - you do need gifs but ONLY with IPsec TRANSPORT mode SAs
   - you use regular routes to forward your traffic

Pick one.

> About the Kame Newsletters I believe to have read all of them that have
> relevance to IPsec, anything specific I'm missing?

Configuring KAME for IPsec: manual keying
http://www.kame.net/newsletter/19980626/

Simple Configuration Sample of IPsec/Racoon
http://www.kame.net/newsletter/20001119/

Changed manual key configuration for IPsec
http://www.kame.net/newsletter/19991007/

Lars
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California
From owner-freebsd-net Tue Apr 9 10:35:26 2002
Delivered-To: freebsd-net@freebsd.org
Received: from bulwark.switch.com (bulwark.switch.com [206.181.77.34]) by hub.freebsd.org (Postfix) with SMTP id 0C44137B417 for ; Tue, 9 Apr 2002 10:35:23 -0700 (PDT)
Received: by bulwark.switch.com; id NAA26690; Tue, 9 Apr 2002 13:35:22 -0400
Received: from isunix2.switch.com(199.234.168.6) by bulwark.switch.com via smap (V5.5) id xma026667; Tue, 9 Apr 02 13:34:26 -0400
Received: from exchptc1.switch.com ([199.234.168.10]) by isunix2.switch.com (PMDF V5.2-32 #37720) with ESMTP id <0GUB008G6A5D4Z@isunix2.switch.com> for
freebsd-net@freebsd.org; Tue, 9 Apr 2002 13:34:25 -0400 (EDT)
Received: by exchptc1.switch.com with Internet Mail Service (5.5.2653.19) id <2JCJC6ZJ>; Tue, 09 Apr 2002 13:35:30 -0400
Content-return: allowed
Date: Tue, 09 Apr 2002 13:35:30 -0400
From: "Nelson, Trent ."
Subject: Cisco VPN servers.
To: "'freebsd-net@freebsd.org'"
Message-id: <8F329FEDF58BD411BE5200508B10DA76056ED2FC@exchptc1.switch.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-type: text/plain; charset="iso-8859-1"

Few quick questions.

1. Has anyone been able to establish a successful VPN connection
   between FreeBSD and a Cisco VPN server?
2. If not, is it possible?
3. Has anyone attempted to port the Linux Cisco VPN client to FreeBSD?

I'm not on the list, so please ensure to include me on all replies.

Thanks.

Regards,
Trent.

From owner-freebsd-net Tue Apr 9 10:46:48 2002
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 28C7A37B41A for ; Tue, 9 Apr 2002 10:46:43 -0700 (PDT)
Received: from isi.edu (u13rzq9bk7nnfsjq@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g39HkfT04938; Tue, 9 Apr 2002 10:46:41 -0700 (PDT)
Message-ID: <3CB32901.1040102@isi.edu>
Date: Tue, 09 Apr 2002 10:46:41 -0700
From: Lars Eggert
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020404
X-Accept-Language: en-us, de-de
MIME-Version: 1.0
To: "Nelson, Trent ."
Cc: "'freebsd-net@freebsd.org'"
Subject: Re: Cisco VPN servers.
References: <8F329FEDF58BD411BE5200508B10DA76056ED2FC@exchptc1.switch.com>

Nelson, Trent . wrote:
> Few quick questions.
>
> 1. Has anyone been able to establish a successful VPN connection
> between FreeBSD and a Cisco VPN server?

What protocol? IPsec? PPTP?

PPTP with mpd has some problems, at least with the Cisco box we have. The
Cisco box likes to assign remote peers its own IP address, which would
cause routing loops if mpd didn't catch it. (Note that this could be due
to misconfiguration; I still haven't been able to find the support staff
person who is in charge of the box...)
Lars
--
Lars Eggert                     Information Sciences Institute
http://www.isi.edu/larse/       University of Southern California
From owner-freebsd-net Tue Apr 9 12:25:10 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mel-rto6.wanadoo.fr (smtp-out-6.wanadoo.fr [193.252.19.25]) by hub.freebsd.org (Postfix) with ESMTP id 7770637B41F for ; Tue, 9 Apr 2002 12:24:40 -0700 (PDT)
Received: from mel-rta10.wanadoo.fr (193.252.19.193) by mel-rto6.wanadoo.fr; 9 Apr 2002 21:24:39 +0200
Received: from spe (80.11.164.190) by mel-rta10.wanadoo.fr; 9 Apr 2002 21:24:38 +0200
Message-ID: <004401c1dffc$38e1f690$020110ac@SPE>
From: "Sebastien Petit"
Subject: Netgraph question
Date: Tue, 9 Apr 2002 21:24:51 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Disposition-Notification-To: "Sebastien Petit"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Hi,

Actually I rewrote loadd (a load balancing daemon) for running with
netgraph. In the original version, loadd uses Divert sockets with ipfw
for taking incoming/outgoing traffic.
What node must I use for doing the same thing?
I tried to use ng_ether, but if I do that, people that run pppoe on the
same device as load balancing can't use it.

Any idea?

Sebastien.
--
spe@selectbourse.net
From owner-freebsd-net Tue Apr 9 12:40:20 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 8D31037B405 for ; Tue, 9 Apr 2002 12:40:09 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409194009.KTCQ21252.rwcrmhc53.attbi.com@InterJet.elischer.org>; Tue, 9 Apr 2002 19:40:09 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id MAA57616; Tue, 9 Apr 2002 12:35:33 -0700 (PDT)
Date: Tue, 9 Apr 2002 12:35:32 -0700 (PDT)
From: Julian Elischer
To: Sebastien Petit
Cc: net@freebsd.org
Subject: Re: Netgraph question
In-Reply-To: <004401c1dffc$38e1f690$020110ac@SPE>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

There is a node called etf (ethertype filter)
that can allow different nodes to share an ethernet interface.
The ppp daemon needs to be modified a bit to be able to use it..

Brian, what does it take to allow one to specify a different node and
hook?
I.e.

if I hook an ethertype filter onto the interface and set it up
to send pppoe to hook A and everything else to hook B, is there some way I
can tell PPP to use node etf0:B rather than fxp0:orphans?

The etf type is not MFC'd to 4.x yet..
I need to do that! thanks for reminding me..

On Tue, 9 Apr 2002, Sebastien Petit wrote:

> Hi,
>
> Actually I rewrote loadd (a load balancing daemon) for running with
> netgraph. In the original version, loadd uses Divert sockets with ipfw
> for taking incoming/outgoing traffic. What node must I use for doing
> the same thing? I tried to use ng_ether, but if I do that, people that
> run pppoe on the same device as load balancing can't use it.
>
> Any idea?
>
> Sebastien.
> --
> spe@selectbourse.net
>

From owner-freebsd-net Tue Apr 9 12:45: 6 2002
Delivered-To: freebsd-net@freebsd.org
Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 3013E37B41A for ; Tue, 9 Apr 2002 12:45:03 -0700 (PDT)
Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id MAA98553; Tue, 9 Apr 2002 12:34:22 -0700 (PDT)
Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g39JXOS02017; Tue, 9 Apr 2002 12:33:24 -0700 (PDT) (envelope-from archie)
From: Archie Cobbs
Message-Id: <200204091933.g39JXOS02017@arch20m.dellroad.org>
Subject: Re: Netgraph question
In-Reply-To: <004401c1dffc$38e1f690$020110ac@SPE> "from Sebastien Petit at Apr 9, 2002 09:24:51 pm"
To: Sebastien Petit
Date: Tue, 9 Apr 2002 12:33:24 -0700 (PDT)
Cc: net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

Sebastien Petit writes:
> Actually I rewrote loadd (a load balancing daemon) for running with netgraph. In the original version, loadd uses Divert sockets with ipfw for taking incoming/outgoing traffic.
> What node must I use for doing the same thing?
> I tried to use ng_ether, but if I do that, people that run pppoe on the same device as load balancing can't use it.

Doesn't pppoe use the 'orphans' hook? In which case you should be OK,
because you only need the 'upper' and 'lower' hooks.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com

From owner-freebsd-net Tue Apr 9 12:56:22 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mel-rto7.wanadoo.fr (smtp-out-7.wanadoo.fr [193.252.19.26]) by hub.freebsd.org (Postfix) with ESMTP id 7C82F37B416 for ; Tue, 9 Apr 2002 12:56:13 -0700 (PDT)
Received: from mel-rta7.wanadoo.fr (193.252.19.61) by mel-rto7.wanadoo.fr; 9 Apr 2002 21:56:08 +0200
Received: from spe (80.11.164.190) by mel-rta7.wanadoo.fr; 9 Apr 2002 21:56:08 +0200
Message-ID: <006401c1e000$9fa977f0$020110ac@SPE>
From: "Sebastien Petit"
To: "Julian Elischer"
Subject: Re: Netgraph question
Date: Tue, 9 Apr 2002 21:56:21 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Disposition-Notification-To: "Sebastien Petit"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Ok Julian,

So I must write loadd with ng_ether for the moment and wait for ng_etf
to be included in FreeBSD 4.x.
I can modify my code later if ng_etf is available...
Last question: when I write a packet on the lower hook, must I include a
CRC32 field at the end of the ethernet packet?

I created a little test program for connecting lower <-> upper, but it
doesn't seem to work; what is wrong?

#include <sys/types.h>
#include <sys/socket.h>
#include <netgraph.h>
#include <netgraph/ng_message.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define HOOKNAME  "myhook"    /* our end of the link to xl0:upper */
#define HOOKNAME2 "myhook2"   /* our end of the link to xl0:lower */

/* Connect one of this socket node's hooks to the named hook of the
 * ng_ether node "xl0:". Returns -1 and reports the reason on failure. */
static int
connect_hook(int csock, const char *ourhook, const char *peerhook)
{
        struct ngm_connect ngc;

        memset(&ngc, 0, sizeof(ngc));
        snprintf(ngc.path, sizeof(ngc.path), "xl0:");
        snprintf(ngc.ourhook, sizeof(ngc.ourhook), "%s", ourhook);
        snprintf(ngc.peerhook, sizeof(ngc.peerhook), "%s", peerhook);
        if (NgSendMsg(csock, ".", NGM_GENERIC_COOKIE, NGM_CONNECT,
            &ngc, sizeof(ngc)) < 0) {
                perror("NGM_CONNECT");
                return (-1);
        }
        return (0);
}

int
main(int argc, char **argv)
{
        int csock, dsock;
        int bytesread;
        char buf[4096];
        char hookname[NG_HOOKLEN + 1];

        /* Anonymous ng_socket node: csock carries control messages,
         * dsock carries the frames themselves. */
        if (NgMkSockNode(NULL, &csock, &dsock) < 0) {
                perror("NgMkSockNode");
                return (1);
        }
        if (connect_hook(csock, HOOKNAME, "upper") < 0 ||
            connect_hook(csock, HOOKNAME2, "lower") < 0)
                return (1);

        /* Shuttle every frame straight across: what arrives from the
         * stack (upper) goes out on the wire (lower) and vice versa. */
        for (;;) {
                bytesread = NgRecvData(dsock, buf, sizeof(buf), hookname);
                if (bytesread < 0) {
                        perror("NgRecvData");
                        return (1);
                }
                if (strcmp(hookname, HOOKNAME) == 0) {
                        printf("%s !\n", hookname);
                        if (NgSendData(dsock, HOOKNAME2, buf, bytesread) < 0)
                                perror("NgSendData");
                } else if (strcmp(hookname, HOOKNAME2) == 0) {
                        printf("%s !\n", hookname);
                        if (NgSendData(dsock, HOOKNAME, buf, bytesread) < 0)
                                perror("NgSendData");
                }
        }
}

Thanks,
Sebastien.
--
spe@selectbourse.net

----- Original Message -----
From: "Julian Elischer"
To: "Sebastien Petit"
Sent: Tuesday, April 09, 2002 9:35 PM
Subject: Re: Netgraph question

> There is a node called etf (ethertype filter)
> that can allow different nodes to share an ethernet interface.
> The ppp daemon needs to be modified a bit to be able to use it..
>
> Brian, what does it take to allow one to specify a different node and
> hook?
> I.e.
>
> if I hook an ethertype filter onto the interface and set it up
> to send pppoe to hook A and everything else to hook B, is there some way I
> can tell PPP to use node etf0:B rather than fxp0:orphans?
>
> The etf type is not MFC'd to 4.x yet..
> I need to do that! thanks for reminding me..
>
>
>
> On Tue, 9 Apr 2002, Sebastien Petit wrote:
>
> > Hi,
> >
> > Actually I rewrote loadd (a load balancing daemon) for running with
> > netgraph. In the original version, loadd uses Divert sockets with ipfw
> > for taking incoming/outgoing traffic. What node must I use for doing
> > the same thing? I tried to use ng_ether, but if I do that, people that
> > run pppoe on the same device as load balancing can't use it.
> >
> > Any idea?
> >
> > Sebastien.
> > --
> > spe@selectbourse.net
> >
>

From owner-freebsd-net Tue Apr 9 12:59:44 2002
Delivered-To: freebsd-net@freebsd.org
Received: from enterprise.francisscott.net (enterprise.francisscott.net [64.81.95.235]) by hub.freebsd.org (Postfix) with ESMTP id D886037B404; Tue, 9 Apr 2002 12:59:28 -0700 (PDT)
Received: from cobalt.heavymetal.org (cobalt.heavymetal.org [64.81.95.242]) by enterprise.francisscott.net (Postfix) with ESMTP id 8FFF656E3; Tue, 9 Apr 2002 12:59:28 -0700 (PDT)
Date: Tue, 9 Apr 2002 12:59:24 -0700
From: Scott Lampert
To: freebsd-security@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: IPFW bridges and, woe is me, ftp
Message-Id: <20020409125924.365286ca.scott@lampert.org>
X-Mailer: Sylpheed version 0.7.4claws (GTK+ 1.2.10; i386-portbld-freebsd4.5)
X-Operating-System: FreeBSD4
Mime-Version: 1.0

(If this shouldn't be on -net please accept my apologies. It seemed all
the networking gurus are there and this sort of overlaps onto that
subject.)

I have a 4.5 release box that is acting as a bridging firewall with ipfw
for an internet connected network and I'm having some issues with ftp (as
usual). This network is NOT nat routed; the network has a real IP block.
Using keep-state and tcp established rules the best I can come up with is
to allow active ftp in and passive ftp out with the following three rules:

  add check-state
  add pass tcp from any to any established
  add pass tcp from any to ${ftphost} 21 in via ${OIF} setup keep-state

All internal hosts can initiate connections to outside hosts at will.
This sort of leaves anyone who needs to ftp into this network from behind
their own firewall with a passive connection totally out of luck. The
only functional solution to handle incoming passive connections seems to
be to open up a range of ports which I'd prefer not to do for obvious
reasons.

I'd love to ditch ipfw and use ipfilter but that is not supported for
bridging with FreeBSD unfortunately. OpenBSD is not an option on this box
either as it has an old mylex raid controller that is unsupported by that
OS.

A quick scan of the archives seems to only address the issue with nat
firewalls using natd and divert sockets. On that note, I had a quick look
through the natd man page to see if I could set it up to just look at ftp
connections and not actually do any network translations. Basically I
just want it for its punchfw functionality and just for ftp connections.
Is this even possible? I'm going to experiment with this today and I was
hoping that someone might be able to give me a little guidance to save me
some time and possibly fruitless efforts.

If there are alternative and/or better ways of doing this I'd love to hear
from someone. I know Crist J. Clark had an unofficial and unsupported
patch to make ipfilter work with bridging on 4.x, but I'd prefer not to
become dependent on something that won't be official until 5.0 comes out
if I can avoid it.

Thanks!

-Scott

--
Scott Lampert
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -Benjamin Franklin, 1759
Public Key: http://www.lampert.org/lampert.key

From owner-freebsd-net Tue Apr 9 13: 2: 7 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mel-rto6.wanadoo.fr (smtp-out-6.wanadoo.fr [193.252.19.25]) by hub.freebsd.org (Postfix) with ESMTP id 439E737B428 for ; Tue, 9 Apr 2002 13:01:12 -0700 (PDT)
Received: from mel-rta8.wanadoo.fr (193.252.19.79) by mel-rto6.wanadoo.fr; 9 Apr 2002 22:01:11 +0200
Received: from SPE (80.11.164.190) by mel-rta8.wanadoo.fr; 9 Apr 2002 22:00:51 +0200
Message-ID: <006c01c1e001$485a4870$020110ac@SPE>
From: "Sebastien Petit"
To: "Archie Cobbs"
References: <200204091933.g39JXOS02017@arch20m.dellroad.org>
Subject: Re: Netgraph question
Date: Tue, 9 Apr 2002 22:01:05 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Disposition-Notification-To: "Sebastien Petit"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

> Sebastien Petit writes:
> > Actually I rewrote loadd (a load balancing daemon) for running with netgraph. In the original version, loadd uses Divert sockets with ipfw for taking incoming/outgoing traffic.
> > What node must I use for doing the same thing?
> > I tried to use ng_ether, but if I do that, people that run pppoe on the same device as load balancing can't use it.
>
> Doesn't pppoe use the 'orphans' hook? In which case you should be OK,
> because you only need the 'upper' and 'lower' hooks.

Yes, you're right, pppoe uses the orphans hook. But I think it's cleaner
to use ng_etf than ng_ether, because if I use lower and upper for doing
load balancing on a device, another program can't use it. So some
applications may enter into a conflict.

Sebastien.
--
spe@selectbourse.net

From owner-freebsd-net Tue Apr 9 13:21:32 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 842C037B416 for ; Tue, 9 Apr 2002 13:20:11 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409202009.MCWG21252.rwcrmhc53.attbi.com@InterJet.elischer.org>; Tue, 9 Apr 2002 20:20:09 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id NAA57834; Tue, 9 Apr 2002 13:20:04 -0700 (PDT)
Date: Tue, 9 Apr 2002 13:20:00 -0700 (PDT)
From: Julian Elischer To: Archie Cobbs Cc: Sebastien Petit , net@FreeBSD.ORG Subject: Re: Netgraph question In-Reply-To: <200204091933.g39JXOS02017@arch20m.dellroad.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 9 Apr 2002, Archie Cobbs wrote: > Sebastien Petit writes: > > Actually I rewrote loadd (a load balancing daemon) for running with netgraph. In the original version, loadd use Divert sockets with ipfw for taking incoming/outgoing traffic. > > What node I must use for doing the same thing ? > > I try to use ng_ether but if I do that, People that run pppoe on the same device as load balancing can't use it. > > Doesn't pppoe use the 'orphans' hook? In which case you should be OK, > because you only need the 'upper' and 'lower' hooks. Duh, I'm stupid...... (etf is probably overkill) > > -Archie > > __________________________________________________________________________ > Archie Cobbs * Packet Design * http://www.packetdesign.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Apr 9 13:40:17 2002 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 9810437B405 for ; Tue, 9 Apr 2002 13:40:09 -0700 (PDT) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409204009.OMWK15826.rwcrmhc54.attbi.com@InterJet.elischer.org>; Tue, 9 Apr 2002 20:40:09 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with 
ESMTP id NAA57891; Tue, 9 Apr 2002 13:29:49 -0700 (PDT)
Date: Tue, 9 Apr 2002 13:29:48 -0700 (PDT)
From: Julian Elischer
To: Sebastien Petit
Cc: net@freebsd.org
Subject: Re: Netgraph question
In-Reply-To: <006401c1e000$9fa977f0$020110ac@SPE>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 9 Apr 2002, Sebastien Petit wrote:
> Ok julian,
>
> So I must write loadd with ng_ether for the moment and wait for ng_etf
> include in FreeBSD 4.x.
> I can modify my code after if ng_etf is available...
> Last question, when I write a packet on the lower hook, must I include a
> CRC32 field at the end of the ethernet packet ?

Actually you don't need etf. As archie pointed out.. you can do your own
filtering and pass anything you don't want (e.g. PPPOE) back to the
interface.. (the 'upper' hook (and vice versa))

I just MFC'd the etf type BTW.

The HARDWARE adds and strips the CRC.. you can ignore it.

>
> I create a little test program for connecting lower <-> upper, but doesn't
> seem to work, what is wrong ?
>
> #include <sys/types.h>
> #include <sys/select.h>
> #include <stdio.h>
> #include <string.h>
> #include <strings.h>
> #include <unistd.h>
> #include <netgraph.h>
> #include <netgraph/ng_message.h>
> #include <netgraph/ng_socket.h>
> /* (the header names were lost in the archive; these are the ones
>  *  the program needs) */
>
> #define HOOKNAME "myhook"
> #define HOOKNAME2 "myhook2"
>
> int main(int argc, char **argv)
> {
> 	int csock, dsock;
> 	struct ngm_connect ngc;
> 	struct ngm_connect ngc2;
> 	int bytesread;
> 	char buf[4096];
> 	char hookname[4096];
> 	fd_set fds;
> 	u_short *csum;
>
> 	/* socket node: csock carries control messages, dsock carries data */
> 	if (NgMkSockNode(NULL, &csock, &dsock) < 0) {
> 		perror("NgMkSockNode");
> 		return 1;
> 	}
> 	/* our "myhook" <-> xl0:upper (the host's IP stack side) */
> 	snprintf(ngc.path, sizeof(ngc.path), "xl0:");
> 	snprintf(ngc.ourhook, sizeof(ngc.ourhook), HOOKNAME);
> 	snprintf(ngc.peerhook, sizeof(ngc.peerhook), "upper");
> 	if (NgSendMsg(csock, ".", NGM_GENERIC_COOKIE, NGM_CONNECT, &ngc,
> 	    sizeof(ngc)) < 0) {
> 		perror("connect upper");
> 		return 1;
> 	}
> 	/* our "myhook2" <-> xl0:lower (the wire side) */
> 	snprintf(ngc2.path, sizeof(ngc2.path), "xl0:");
> 	snprintf(ngc2.ourhook, sizeof(ngc2.ourhook), HOOKNAME2);
> 	snprintf(ngc2.peerhook, sizeof(ngc2.peerhook), "lower");
> 	if (NgSendMsg(csock, ".", NGM_GENERIC_COOKIE, NGM_CONNECT, &ngc2,
> 	    sizeof(ngc2)) < 0) {
> 		perror("connect lower");
> 		return 1;
> 	}
> 	/* bridge: whatever arrives on one hook goes out the other */
> 	for (;;) {
> 		bzero(buf, sizeof(buf));
> 		bytesread = NgRecvData(dsock, buf, sizeof(buf), hookname);
> 		if (bytesread < 0) {
> 			perror("NgRecvData");
> 			break;
> 		}
> 		if (! strcmp(hookname, "myhook")) {
> 			printf("%s !\n", hookname);
> 			NgSendData(dsock, HOOKNAME2, buf, bytesread);
> 		}
> 		if (! strcmp(hookname, "myhook2")) {
> 			printf("%s !\n", hookname);
> 			NgSendData(dsock, HOOKNAME, buf, bytesread);
> 		}

		printf("Neither!");

also: what does `ngctl show xl0:` show?
(while it's supposed to be connected)

> 	}
> 	return 0;
> }
>
> Thanks,
> Sebastien.
> --
> spe@selectbourse.net
>
> ----- Original Message -----
> From: "Julian Elischer"
> To: "Sebastien Petit"
> Cc:
> Sent: Tuesday, April 09, 2002 9:35 PM
> Subject: Re: Netgraph question
>
>
> > there is a node called etf (ethertype filter)
> > that can allow different nodes to share an ethernet interface
> > The ppp daemon needs to be modified a bit to be able to use it..
> >
> > Brian, what does it take to allow one to specify a different node and
> > hook?
> > I.e.
> >
> > if I hook an ethertype filter onto the interface and set it up
> > to send pppoe to hook A and everything else to hook B is there some way I
> > can tell PPP to use node etf0:B rather than fxp0:orphans?
> >
> > The etf type is not MFC'd to 4.x yet..
> > I need to do that! thanks for reminding me..

DONE

> >
> >
> > On Tue, 9 Apr 2002, Sebastien Petit wrote:
> >
> > > Hi,
> > >
> > > Actually I rewrote loadd (a load balancing daemon) for running with
> > > netgraph. In the original version, loadd use Divert sockets with ipfw
> > > for taking incoming/outgoing traffic. What node I must use for doing
> > > the same thing ? I try to use ng_ether but if I do that, People that
> > > run pppoe on the same device as load balancing can't use it.
> > >
> > > Any idea ?
> > >
> > > Sebastien.
> > > --
> > > spe@selectbourse.net

From owner-freebsd-net Tue Apr 9 13:40:30 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id C74E037B405 for ; Tue, 9 Apr 2002 13:40:18 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409204018.OMZP15826.rwcrmhc54.attbi.com@InterJet.elischer.org>; Tue, 9 Apr 2002 20:40:18 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id NAA57899; Tue, 9 Apr 2002 13:31:55 -0700 (PDT)
Date: Tue, 9 Apr 2002 13:31:54 -0700 (PDT)
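The filtering Julian describes in the message above (connect to both 'upper' and 'lower', bounce anything that is not yours to the other hook so pppoe keeps working, no CRC to worry about) reduced to its decision logic. This is an added example, not code from the thread or from loadd: it reuses the hook names of Sebastien's test program, deliberately does not call the netgraph API so it runs anywhere, and the sample frames are constructed. In a real daemon classify() would sit between NgRecvData() and NgSendData() in the loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hook names from Sebastien's test program: "myhook" is connected to
 * xl0:upper (the host's own IP stack), "myhook2" to xl0:lower (the wire). */
#define HOOK_UPPER "myhook"
#define HOOK_LOWER "myhook2"

#define ETHERTYPE_IP   0x0800
#define ETHERTYPE_VLAN 0x8100    /* 802.1Q tag; the real ethertype follows */

enum verdict {
    VERDICT_DROP,    /* runt or truncated: never forward */
    VERDICT_PASS,    /* not IPv4 (PPPoE, ARP, ...): copy to the other hook as is */
    VERDICT_BALANCE  /* IPv4: the balancer may rewrite it before forwarding */
};

/* Parse the Ethernet header of a frame as ng_ether hands it over. There is
 * no FCS to skip: the hardware strips it on receive and adds it on send.
 * Returns 0 on a runt frame, else 1 with the (inner) ethertype and the
 * offset of the layer-3 header filled in. */
static int
parse_ether(const uint8_t *f, size_t len, uint16_t *type, size_t *l3off)
{
    size_t off = 12;                     /*
 dst(6) + src(6) */

    if (len < off + 2)
        return 0;
    *type = (uint16_t)((f[off] << 8) | f[off + 1]);
    off += 2;
    if (*type == ETHERTYPE_VLAN) {       /* TCI(2) + inner ethertype(2) */
        if (len < off + 4)
            return 0;
        *type = (uint16_t)((f[off + 2] << 8) | f[off + 3]);
        off += 4;
    }
    *l3off = off;
    return 1;
}

/* The filtering Julian describes: anything that is not IPv4, PPPoE
 * discovery and session frames included, goes straight to the other hook,
 * so a pppoe session on the same interface keeps working. IPv4 frames must
 * carry at least a full 20-byte header before the balancer may touch them. */
static enum verdict
classify(const uint8_t *f, size_t len)
{
    uint16_t type;
    size_t l3off;

    if (!parse_ether(f, len, &type, &l3off))
        return VERDICT_DROP;
    if (type != ETHERTYPE_IP)
        return VERDICT_PASS;
    if (len < l3off + 20)
        return VERDICT_DROP;
    return VERDICT_BALANCE;
}

/* Which hook a frame leaves on, given the hook it arrived on: upper and
 * lower swap, as in the test program, so the interface sees a transparent
 * bridge. NULL means a hook this program never connected. */
static const char *
output_hook(const char *in_hook)
{
    if (strcmp(in_hook, HOOK_UPPER) == 0)
        return HOOK_LOWER;
    if (strcmp(in_hook, HOOK_LOWER) == 0)
        return HOOK_UPPER;
    return NULL;
}

/* Constructed sample frames (locally administered MACs, no FCS). */
static const uint8_t PPPOE_PADI[] = {   /* broadcast PPPoE discovery */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x88,0x63,
    0x11,0x09, 0x00,0x00, 0x00,0x04, 0x01,0x01,0x00,0x00 };
static const uint8_t VLAN_IPV4[] = {    /* 802.1Q tag 10, then an IPv4/UDP header */
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x81,0x00,
    0x00,0x0a, 0x08,0x00,
    0x45,0x00,0x00,0x14,0x00,0x01,0x00,0x00,0x40,0x11,0x00,0x00,
    0xac,0x10,0x01,0x02, 0xac,0x10,0x01,0x01 };
static const uint8_t RUNT[] = { 0x45, 0x00, 0x00 };

int
main(void)
{
    static const char *names[] = { "drop", "pass", "balance" };

    printf("PADI in on %s: %s, out on %s\n", HOOK_LOWER,
        names[classify(PPPOE_PADI, sizeof PPPOE_PADI)], output_hook(HOOK_LOWER));
    printf("tagged IPv4 in on %s: %s, out on %s\n", HOOK_UPPER,
        names[classify(VLAN_IPV4, sizeof VLAN_IPV4)], output_hook(HOOK_UPPER));
    printf("runt: %s\n", names[classify(RUNT, sizeof RUNT)]);
    return 0;
}
```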
From: Julian Elischer
To: Sebastien Petit
Cc: Archie Cobbs, net@FreeBSD.ORG
Subject: Re: Netgraph question
In-Reply-To: <006c01c1e001$485a4870$020110ac@SPE>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I've been wondering if I shouldn't incorporate the etf functionality
into the ether node..

On Tue, 9 Apr 2002, Sebastien Petit wrote:
> > Sebastien Petit writes:
> > > Actually I rewrote loadd (a load balancing daemon) for running with
> > > netgraph. In the original version, loadd use Divert sockets with ipfw for
> > > taking incoming/outgoing traffic.
> > > What node I must use for doing the same thing ?
> > > I try to use ng_ether but if I do that, People that run pppoe on the
> > > same device as load balancing can't use it.
> >
> > Doesn't pppoe use the 'orphans' hook? In which case you should be OK,
> > because you only need the 'upper' and 'lower' hooks.
>
> yes, you're right pppoe use orphans hook. But I think it's cleaner to use
> ng_etf than ng_ether. Because if I use lower and upper for doing load
> balancing on a device, another program can't use it.
> So some applications may enter in a conflict mode.
>
> Sebastien.
> --
> spe@selectbourse.net

From owner-freebsd-net Tue Apr 9 15:31:43 2002
Delivered-To: freebsd-net@freebsd.org
Received: from spe.homeunix.net (APlessis-Bouchard-103-1-1-190.abo.wanadoo.fr [80.11.164.190]) by hub.freebsd.org (Postfix) with ESMTP id F1EB437B400 for ; Tue, 9 Apr 2002 15:31:39 -0700 (PDT)
Received: from there (win.bsdshell.net [172.16.1.2]) by spe.homeunix.net (Postfix) with SMTP id 639A26AA8; Tue, 9 Apr 2002 23:39:55 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
From: Sebastien Petit
Organization: BSDshell
To: Julian Elischer
Subject: Re: Netgraph question
Date: Wed, 10 Apr 2002 00:31:51 +0200
X-Mailer: KMail [version 1.3.2]
Cc: net@freebsd.org
References:
In-Reply-To:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020409213955.639A26AA8@spe.homeunix.net>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tuesday 09 April 2002 22:29, Julian Elischer wrote:
> On Tue, 9 Apr 2002, Sebastien Petit wrote:
> > Ok julian,
> >
> > So I must write loadd with ng_ether for the moment and wait for ng_etf
> > include in FreeBSD 4.x.
> > I can modify my code after if ng_etf is available...
> > Last question, when I write a packet on the lower hook, must I include a
> > CRC32 field at the end of the ethernet packet ?
>
> Actually you don't need etf. As archie pointed out.. you can do your own
> filtering and pass anything you don't want (e.g. PPPOE) back to the
> interface.. (the 'upper' hook (and vice versa))
>
> I just MFC'd the etf type BTW.
>
> The HARDWARE adds and strips the CRC.. you can ignore it.
>
> also: what does `ngctl show xl0:` show?
> (while it's supposed to be connected)

With tcpdump I see bad cksum 0!, so I think I must recompute ip checksum
before resending the packet.
Thank you for your help julian,

Sebastien
--
spe@selectbourse.net

From owner-freebsd-net Tue Apr 9 15:42:53 2002
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id C84A237B404 for ; Tue, 9 Apr 2002 15:42:45 -0700 (PDT)
Received: from isi.edu (orrsyqth2de5jh38@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g39MgQT10447; Tue, 9 Apr 2002 15:42:26 -0700 (PDT)
Message-ID: <3CB36E51.9060300@isi.edu>
Date: Tue, 09 Apr 2002 15:42:25 -0700
From: Lars Eggert
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020404
X-Accept-Language: en-us, de-de
MIME-Version: 1.0
To: Sebastien Petit
Cc: Julian Elischer, net@freebsd.org
Subject: Re: Netgraph question
References: <20020409213955.639A26AA8@spe.homeunix.net>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000706030003020306070809"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Sebastien Petit wrote:
> With tcpdump I see bad cksum 0!, so I think I must recompute ip checksum
> before resending the packet.

The xl interface offloads checksumming to the NIC now, which is why you
see zero checksums when you tcpdump on the source or sink hosts. (There
was a thread on this a few weeks back; I stumbled over this then, too...)
Lars
--
Lars Eggert
Information Sciences Institute
http://www.isi.edu/larse/
University of Southern California

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

From owner-freebsd-net Tue Apr 9 15:55:19 2002
Delivered-To: freebsd-net@freebsd.org
Received: from spe.homeunix.net (APlessis-Bouchard-103-1-1-190.abo.wanadoo.fr [80.11.164.190]) by hub.freebsd.org (Postfix) with ESMTP id 8E9CD37B405 for ; Tue, 9 Apr 2002 15:55:16 -0700 (PDT)
Received: from there (win.bsdshell.net [172.16.1.2]) by spe.homeunix.net (Postfix) with SMTP id 623B56AA8; Wed, 10 Apr 2002 00:03:32 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
From: Sebastien Petit
Organization: BSDshell
To: Lars Eggert
Subject: Re: Netgraph question
Date: Wed, 10 Apr 2002 00:55:28 +0200
X-Mailer: KMail [version 1.3.2]
Cc: Julian Elischer, net@freebsd.org
References: <20020409213955.639A26AA8@spe.homeunix.net> <3CB36E51.9060300@isi.edu>
In-Reply-To: <3CB36E51.9060300@isi.edu>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020409220332.623B56AA8@spe.homeunix.net>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wednesday 10 April 2002 00:42, Lars Eggert wrote:
> Sebastien Petit wrote:
> > With tcpdump I see bad cksum 0!, so I think I must recompute ip checksum
> > before resending the packet.
>
> The xl interface offloads checksumming to the NIC now, which is why you
> see zero checksums when you tcpdump on the source or sink hosts. (There
> was a thread on this a few weeks back; I stumbled over this then, too...)
>
> Lars

Thanks Lars,
And I apologize for my duplicate thread about this...

Sebastien.
--
spe@selectbourse.net

From owner-freebsd-net Tue Apr 9 16:00:22 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 74BFD37B417 for ; Tue, 9 Apr 2002 16:00:13 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409230013.WFWG1901.rwcrmhc52.attbi.com@InterJet.elischer.org>; Tue, 9 Apr 2002 23:00:13 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id PAA58470; Tue, 9 Apr 2002 15:56:49 -0700 (PDT)
Date: Tue, 9 Apr 2002 15:56:49 -0700 (PDT)
From: Julian Elischer
To: Sebastien Petit
Cc: net@freebsd.org
Subject: Re: Netgraph question
In-Reply-To: <20020409213955.639A26AA8@spe.homeunix.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 10 Apr 2002, Sebastien Petit wrote:
> On Tuesday 09 April 2002 22:29, Julian Elischer wrote:
> > On Tue, 9 Apr 2002, Sebastien Petit wrote:
> > > Ok julian,
> > >
> > > So I must write loadd with ng_ether for the moment and wait for ng_etf
> > > include in FreeBSD 4.x.
> > > I can modify my code after if ng_etf is available...
> > > Last question, when I write a packet on the lower hook, must I include a
> > > CRC32 field at the end of the ethernet packet ?
> >
> > Actually you don't need etf. As archie pointed out.. you can do your own
> > filtering and pass anything you don't want (e.g. PPPOE) back to the
> > interface.. (the 'upper' hook (and vice versa))
> >
> > I just MFC'd the etf type BTW.
> >
> > The HARDWARE adds and strips the CRC.. you can ignore it.
> >
> > also: what does `ngctl show xl0:` show?
> > (while it's supposed to be connected)
>
> With tcpdump I see bad cksum 0!, so I think I must recompute ip checksum
> before resending the packet.

there is an algorithm for updating the checksum if you change just one byte....
see:
http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=236988+241215+/usr/local/www/db/text/1999/freebsd-hackers/19991128.freebsd-hackers

> Thank you for your help julian,
>
> Sebastien
> --
> spe@selectbourse.net

From owner-freebsd-net Tue Apr 9 16:02:24 2002
Delivered-To: freebsd-net@freebsd.org
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by hub.freebsd.org (Postfix) with ESMTP id 60AEA37B416 for ; Tue, 9 Apr 2002 16:02:10 -0700 (PDT)
Received: from isi.edu (68i2xyxdbj0661nh@hbo.isi.edu [128.9.160.75]) by boreas.isi.edu (8.11.6/8.11.2) with ESMTP id g39N1pT22165; Tue, 9 Apr 2002 16:01:51 -0700 (PDT)
Message-ID: <3CB372DE.5060304@isi.edu>
Date: Tue, 09 Apr 2002 16:01:50 -0700
From: Lars Eggert
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020404
X-Accept-Language: en-us, de-de
MIME-Version: 1.0
To: Sebastien Petit
Cc: Julian Elischer, net@freebsd.org
Subject: Re: Netgraph question
References: <20020409213955.639A26AA8@spe.homeunix.net> <3CB36E51.9060300@isi.edu> <20020409220332.623B56AA8@spe.homeunix.net>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms020308090607020502030005"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Sebastien Petit wrote:
> And I apologize for my duplicate thread about this...

None needed - I wasn't trying to imply that the thread back then was
about the netgraph issue you described and you had missed it (it was
about the apparently incorrect checksums with tcpdump), and I'm sorry if
I came across like that.
Lars
--
Lars Eggert
Information Sciences Institute
http://www.isi.edu/larse/
University of Southern California

Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

From owner-freebsd-net Tue Apr 9 16:20:17 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 63D9237B405 for ; Tue, 9 Apr 2002 16:20:12 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020409232007.UFWS15826.rwcrmhc54.attbi.com@InterJet.elischer.org> for ; Tue, 9 Apr 2002 23:20:07 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id QAA58521 for ; Tue, 9 Apr 2002 16:02:02 -0700 (PDT)
Date: Tue, 9 Apr 2002 16:02:01 -0700 (PDT)
From: Julian Elischer
To: net@freebsd.org
Subject: IP checksup update
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Several years ago I wrote the following macro to update a checksum when
changing a word in an IP packet.

here's the code...

#define FIXSUM16(c, op, np) \
	do { \
		(c) -= (u_int16_t) ~*((u_int16_t *) (op)); \
		if ((c) < 0) { \
			(c) += 0xffff; \
		} \
		(c) -= (u_int16_t) *((u_int16_t *) (np)); \
		if ((c) < 0) { \
			(c) += 0xffff; \
		} \
	} while (0)

The question is:
apparently there are several "tricks" with this checksum and + and - 0.
Does anyone know how to test if this macro gets it right?

From owner-freebsd-net Tue Apr 9 17:18:54 2002
Delivered-To: freebsd-net@freebsd.org
Received: from sheffield.cnchost.com (sheffield.concentric.net [207.155.252.12]) by hub.freebsd.org (Postfix) with ESMTP id 080DA37B41B for ; Tue, 9 Apr 2002 17:18:50 -0700 (PDT)
Received: from bitblocks.com (adsl-209-204-185-216.sonic.net [209.204.185.216]) by sheffield.cnchost.com id UAA13907; Tue, 9 Apr 2002 20:18:47 -0400 (EDT) [ConcentricHost SMTP Relay 1.14]
Message-ID: <200204100018.UAA13907@sheffield.cnchost.com>
To: Julian Elischer
Cc: net@freebsd.org
Subject: Re: IP checksup update
In-reply-to: Your message of "Tue, 09 Apr 2002 16:02:01 PDT."
Date: Tue, 09 Apr 2002 17:18:47 -0700
From: Bakul Shah
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> to update a checksum when changing a word
>
> #define FIXSUM16(c, op, np) \
> 	do { \
> 		(c) -= (u_int16_t) ~*((u_int16_t *) (op)); \
> 		if ((c) < 0) { \
> 			(c) += 0xffff; \
> 		} \
> 		(c) -= (u_int16_t) *((u_int16_t *) (np)); \
> 		if ((c) < 0) { \
> 			(c) += 0xffff; \
> 		} \
> 	} while (0)
>
> The question is:
> apparently there are several "tricks" with this checksum
> and + and - 0. Does anyone know how to test if this macro gets it
> right?

Looks like a straightforward implementation of rfc1624 eqn 4.
"if (c < 0) c += 0xffff;" is needed to turn two's complement
subtraction to one's complement.

From owner-freebsd-net Tue Apr 9 17:40:10 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 8F38A37B400 for ; Tue, 9 Apr 2002 17:40:07 -0700 (PDT)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020410004007.WYHM15826.rwcrmhc54.attbi.com@InterJet.elischer.org>; Wed, 10 Apr 2002 00:40:07 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id RAA58798; Tue, 9 Apr 2002 17:28:09 -0700 (PDT)
Date: Tue, 9 Apr 2002 17:28:07 -0700 (PDT)
From: Julian Elischer
To: Bakul Shah
Cc: net@freebsd.org
Subject: Re: IP checksup update
In-Reply-To: <200204100018.UAA13907@sheffield.cnchost.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

just looking at this.... (it's been a while....)

On Tue, 9 Apr 2002, Bakul Shah wrote:
> > to update a checksum when changing a word
> >
> > #define FIXSUM16(c, op, np) \
> > 	do { \
> > 		(c) -= (u_int16_t) ~*((u_int16_t *) (op)); \
> > 		if ((c) < 0) { \
> > 			(c) += 0xffff; \
> > 		} \
> > 		(c) -= (u_int16_t) *((u_int16_t *) (np)); \
                    ^^ hmm should that be "+=" ?
> > 		if ((c) < 0) { \
> > 			(c) += 0xffff; \
> > 		} \
> > 	} while (0)
> >
> > The question is:
> > apparently there are several "tricks" with this checksum
> > and + and - 0. Does anyone know how to test if this macro gets it
> > right?
>
> Looks like a straightforward implementation of rfc1624 eqn 4.
> "if (c < 0) c += 0xffff;" is needed to turn two's complement
> subtraction to one's complement.
>

From owner-freebsd-net Tue Apr 9 18:16:21 2002
Delivered-To: freebsd-net@freebsd.org
Received: from nanguo.chalmers.com.au (chalmers.com.au [203.1.96.5]) by hub.freebsd.org (Postfix) with ESMTP id 8D60A37B400 for ; Tue, 9 Apr 2002 18:16:16 -0700 (PDT)
Received: from carbon (carbon.chalmers.com.au [203.1.96.26]) by nanguo.chalmers.com.au (8.11.6/8.11.6) with SMTP id g3A1J8f00526; Wed, 10 Apr 2002 11:19:08 +1000 (EST) (envelope-from robert@quantum-radio.net.au)
Message-ID: <001501c1e02d$af9ebad0$1a6001cb@chalmers.com.au>
Reply-To: "Merlin"
From: "Merlin"
To: "freebsd-net"
Cc: "6to4" <6to4@chalmers.com.au>, "ipv6users"
Subject: Nearly there.... can't seem to get interface for 2002 right on client.
Date: Wed, 10 Apr 2002 11:18:52 +1000
Organization: Quantum Radio
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have the Border router set up and working it seems, and the client/host on
the same network and ping it - but it knows itself as the interface only ?
(fe80+MAC)

How do I convince the client that it is actually 2002:cb01:6006::2

I can't discover how to put a 2002 address onto the rl0 interface.
I know I know, ifconfig - but it doesn't seem to make any difference ?

OK. From nanguo. (the client)
Note it gives the source as the INTERFACE (rl0)

$ping6 ruby
PING6(56=40+8+8 bytes) fe80::210:b5ff:fee4:4386%rl0 --> 2002:cb01:6006::1
16 bytes from 2002:cb01:6006::1, icmp_seq=0 hlim=64 time=0.773 ms

A ping6 from ruby to nanguo the client, just times out.

HOWEVER - a ping6 to the interface works?

PING6(56=40+8+8 bytes) fe80::240:5ff:fe4e:a982%ed0 --> fe80::210:b5ff:fee4:4386%ed0
16 bytes from fe80::210:b5ff:fee4:4386%ed0, icmp_seq=0 hlim=64 time=1.651 ms

In short - I can't see what I need to do here.

.............................................
client to router works.
ping6 ruby
ftp ruby
telnet ruby
all connect, and show the source address as the fe80+mac, but understand the
address it's going to correctly. 2002 address.

router to client.
Only works if I connect to the client using its fe80+mac address ?
It just doesn't want to know about the 2002 address.
............................................
How the heck do I get a 2002 address onto an interface on the client, and have it known about....

Thanks for the assistance, folks. This is a real struggle. If I just put the fe80+mac addresses in the DNS it would probably work fine - but would anything else then know about it? Ah well, I guess I'd better give it away and do something else.

cheers
Robert
---
Quantum Radio: World Music with a difference. http://quantum-radio.net/
Now Playing: Ethnic Music - Las Calenas - Las Calenas

From owner-freebsd-net Tue Apr 9 19:01:23 2002
Message-ID: <200204100201.WAA21112@glatton.cnchost.com>
To: Julian Elischer
Cc: net@freebsd.org
Subject: Re: IP checksup update
In-reply-to: Your message of "Tue, 09 Apr 2002 17:28:07 PDT."
Date: Tue, 09 Apr 2002 19:01:17 -0700
From: Bakul Shah

> > > (c) -= (u_int16_t) *((u_int16_t *) (np)); \
> ^^ hmm should that be "+=" ?

I believe your original code is correct. See the paragraph right before section 6 on Page 4, rfc1624.

From owner-freebsd-net Tue Apr 9 19:14:13 2002
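The incremental update the two messages above discuss, with the test Julian asks for. This is an added example, not code from the thread or from FreeBSD: it implements RFC 1624's equation 4 next to the subtraction form used in the FIXSUM16 macro, applies both to a constructed IPv4 header, and compares each result with a full recomputation for every possible new value of one header word. The function names (fixsum_eqn4, fixsum_subtract, check_update, count_mismatches) and the header bytes are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One's complement sum of a buffer folded to 16 bits (RFC 1071); the
 * Internet checksum is its complement. */
static uint16_t ones_sum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)                   /* end-around carry */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

uint16_t full_cksum(const uint8_t *buf, size_t len)
{
    return (uint16_t)~ones_sum(buf, len);
}

/* RFC 1624 eqn 4, HC' = ~(~HC + ~m + m'): hc is the checksum now in the
 * header, m the old value of the changed 16-bit word, mprime the new one. */
uint16_t fixsum_eqn4(uint16_t hc, uint16_t m, uint16_t mprime)
{
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~m;
    sum += mprime;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The subtraction form from the thread, HC' = HC - ~m - m', with each
 * two's complement borrow wrapped around to make it one's complement. */
uint16_t fixsum_subtract(uint16_t hc, uint16_t m, uint16_t mprime)
{
    int32_t c = hc;
    c -= (uint16_t)~m;
    if (c < 0)
        c += 0xffff;
    c -= mprime;
    if (c < 0)
        c += 0xffff;
    return (uint16_t)c;
}

/* Constructed IPv4 header (not from the thread): TTL 64, TCP,
 * 192.0.2.1 -> 198.51.100.7, checksum field (offset 10) left zero. */
static const uint8_t base_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
    0x00, 0x00, 0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x07
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Change the word at byte offset off to newval, update the checksum with
 * both incremental formulas, and compare each with a full recomputation
 * over the modified header.  Returns 1 when both agree with it. */
int check_update(size_t off, uint16_t newval)
{
    uint8_t hdr[20];
    uint16_t hc, m, hc_full, hc_eqn4, hc_sub;

    memcpy(hdr, base_hdr, sizeof hdr);
    hc = full_cksum(hdr, sizeof hdr);
    put16(hdr + 10, hc);                    /* header as it would be sent */
    m = get16(hdr + off);
    hc_eqn4 = fixsum_eqn4(hc, m, newval);
    hc_sub = fixsum_subtract(hc, m, newval);
    put16(hdr + off, newval);               /* apply the change ... */
    put16(hdr + 10, 0);
    hc_full = full_cksum(hdr, sizeof hdr);  /* ... and recompute from scratch */
    return hc_eqn4 == hc_full && hc_sub == hc_full;
}

/* The test Julian asks for: every possible new value for one word of the
 * header, counting disagreements with the full recomputation. */
unsigned long count_mismatches(size_t off)
{
    unsigned long bad = 0;
    uint32_t v;
    for (v = 0; v <= 0xffff; v++)
        if (!check_update(off, (uint16_t)v))
            bad++;
    return bad;
}

int main(void)
{
    printf("TTL/protocol word: %lu mismatches\n", count_mismatches(8));
    printf("dst address word:  %lu mismatches\n", count_mismatches(16));
    return 0;
}
```

The exhaustive loop is what settles the "+ and - 0" worry: a real header's checksum is never 0xffff (that would need an all-zero header), so both forms land in the same range as the recomputed value and the two zero representations cannot diverge. Offsets 8 (TTL/protocol, the word a router rewrites) and 16 (destination address, the word a NAT rewrites) are the two cases exercised here.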
From: Bjoern Fischer
Date: Wed, 10 Apr 2002 04:12:55 +0200
To: freebsd-net@freebsd.org
Cc: freebsd-mobile@freebsd.org
Subject: ORiNOCO Gold wi0 <-> Lucent/Agere AS-2000
Message-ID: <20020410021255.GA4372@frolic.no-support.loc>

Hello,

has anyone successfully connected an ORiNOCO Gold or similar wi0 running under FreeBSD 4.5-STABLE to a Lucent/Agere Access Server AS-2000? Do I have to port the Lucent asclient for Linux to FreeBSD, or will the usual tools included with FreeBSD suffice?

-Bjorn Fischer

From owner-freebsd-net Tue Apr 9 23:47:00 2002
From: Sebastien Petit
Organization: BSDshell
To: Lars Eggert
Cc: net@freebsd.org
Subject: Re: Netgraph question
Date: Wed, 10 Apr 2002 01:15:26 +0200
Message-Id: <20020409222330.667326AA8@spe.homeunix.net>
In-Reply-To: <3CB372DE.5060304@isi.edu>
References: <20020409220332.623B56AA8@spe.homeunix.net> <3CB372DE.5060304@isi.edu>

On Wednesday 10 April 2002 01:01, you wrote:
> Sebastien Petit wrote:
> > And I apologize for my duplicate thread about this...
>
> None needed - I wasn't trying to imply that the thread back then was
> about the netgraph issue you described and you had missed it (it was
> about the apparently incorrect checksums with tcpdump), and I'm sorry if
> I came across like that.
>
> Lars

You're right, xl is the only interface that resets the checksum to 0. I don't need to recompute the checksum for other interfaces like vr etc...

Thank you,
Sebastien.
--
spe@selectbourse.net

From owner-freebsd-net Wed Apr 10 02:06:50 2002
Date: Wed, 10 Apr 2002 11:06:44 +0200
From: Paulius Bulotas
To: freebsd-net@freebsd.org
Subject: strange network conversation
Message-ID: <20020410090644.GB8914@kaktusas.org>

Hello list,

I'm seeing strange(?) networking behaviour with my FreeBSD server, and it seems that this list is the right place to ask ;)
Suppose there is an outgoing connection for which a dynamic rule is created (that's how I noticed it - ipfw logs denied packets). My 4.4-RELEASE FreeBSD is hostA, something on the other end is hostB - an smtp server. That's how the end of the smtp session looks:

Host   tcpflags        seq       nseq    ack       data
hostA ( [PSH,ACK],     seq1,     nseq1,  ack1,     "QUIT" )
hostA ( [FIN,ACK],     nseq1,    --,     ack1 )
hostB ( [ACK],         ack1,     --,     nseq1 )
hostB ( [PSH,ACK],     ack1,     nseq2,  nseq1,    "221 Bye" )
hostA ( [RST],         nseq1,    --,     -- )
hostB ( [FIN,ACK],     nseq2,    --,     nseq1 )
hostB ( [ACK],         nseq2+1,  --,     nseq1+1 )
hostB ( [FIN,PSH,ACK], ack1,     nseq2,  nseq1+1 )
...

I'm wondering why FreeBSD sends RST so early and hostB tries to send something back (and that didn't match the dynamic rule, which is destroyed upon RST (I suspect))? Is it possible to change this?
(so that the conversation between hostA and hostB ends normally)

TIA
Paulius

From owner-freebsd-net Wed Apr 10 06:07:57 2002
From: "Arkadi Kosmynin"
Subject: Need help. A system stops responding to network requests periodically.
Date: Wed, 10 Apr 2002 23:06:09 +1000

Hello people,

I really cannot explain this. We are stress testing a server. We use the following configuration: the server runs on a FreeBSD box (or Linux, with a similar effect). A multithreaded tester program runs on a Win2K box and emulates random multiuser activity. The FreeBSD box stops responding to network requests every 20-30 minutes. I can't even connect to its FTP server. If I don't touch it, it does not get "unstuck" for quite a while. But if I do something with it, like start a web browser on it and access the server, or just do netstat, it becomes active again shortly.

Can anyone explain this? Is it some form of protection from a denial of service attack? The tester program generates a lot of requests, and does it very fast, so it does look like an attack.

We do use the SO_REUSEADDR option on the server sockets, so this is covered.

Any ideas? Any recommendations? I would really appreciate some help. We don't have any other problems with this server so far, but this one.

Thanks in advance,
Arkadi.
From owner-freebsd-net Wed Apr 10 06:18:40 2002
Date: Wed, 10 Apr 2002 09:18:29 -0400
From: Bill Vermillion
To: freebsd-net@freebsd.org
Subject: Re: Need help. A system stops responding to network requests periodically.
Message-ID: <20020410131829.GA40130@wjv.com>
Reply-To: bv@wjv.com
Organization: W.J.Vermillion / Orlando - Winter Park

On Wed, Apr 10, 2002 at 11:06:09PM +1000, Arkadi Kosmynin spewed forth:

> I really can not explain this. We are stress testing a server. We
> use the following configuration: the server runs on a FreeBSD box
> (or Linux, with a similar effect). A multithreaded tester program
> runs on a Win2K box and emulates random multiuser activity. The
> FreeBSD box stops responding to network requests every 20-30
> minutes. I can't even connect to its FTP server. If I don't
> touch it, it does not "unstuck" for quite a while. But, if I do
> something with it, like start a Web browser on it and access the
> server, or just do netstat, it became active again shortly.

> Can anyone explain this? Is it some form of protection from denial
> of service attack? The tester program generates a lot of requests,
> and does it very fast, so, it does look like an attack.

You didn't say a thing about your network. Sometimes the plain stopping can be a result of automatic sensing and automatic negotiation if you do not have everything fixed.

Take a look at this and understand the failure modes:

http://www.cisco.com/warp/public/473/46.html

While it is targeted at the Cisco switches, the same advice applies to most things.

I'm not saying this IS the problem you are having, but since it is on the same HW with two OSes this needs to be verified.

Bill
--
Bill Vermillion - bv @ wjv .
com

From owner-freebsd-net Wed Apr 10 06:52:33 2002
Subject: Re: Cisco VPN servers.
From: Tilman Linneweh
To: "Nelson, Trent ."
Cc: "'freebsd-net@freebsd.org'"
In-Reply-To: <8F329FEDF58BD411BE5200508B10DA76056ED2FC@exchptc1.switch.com>
References: <8F329FEDF58BD411BE5200508B10DA76056ED2FC@exchptc1.switch.com>
Date: 10 Apr 2002 16:57:09 +0300
Message-Id: <1018447029.61777.65.camel@tl.kom.tuwien.ac.at>

Hi,

On Tue, 2002-04-09 at 20:35, Nelson, Trent . wrote:
>
> Few quick questions.
>
> 1. Has anyone been able to establish a successful VPN connection
> between FreeBSD and a Cisco VPN server?

Me not, but I would like to know too, if anyone got this running.

> 2. If not, is it possible?

I dunno. AFAIK, this requires L2TP to be available under FreeBSD.

> 3. Has anyone attempted to port the Linux Cisco VPN client to
> FreeBSD?

I think this would be difficult; as far as I looked into it, it uses its own (Linux) kernel module.
regards
arved

From owner-freebsd-net Wed Apr 10 07:46:40 2002
Date: Wed, 10 Apr 2002 10:46:00 -0400
From: "Nelson, Trent ."
Subject: RE: Cisco VPN servers.
To: "'Tilman Linneweh'"
Cc: "'freebsd-net@freebsd.org'"
Message-id: <8F329FEDF58BD411BE5200508B10DA76056ED2FD@exchptc1.switch.com>

> -----Original Message-----
> From: Tilman Linneweh [mailto:tilman@arved.de]
> Sent: Wednesday, April 10, 2002 2:57 PM
> To: Nelson, Trent .
> Cc: 'freebsd-net@freebsd.org'
> Subject: Re: Cisco VPN servers.
>
> Hi,
>
> On Tue, 2002-04-09 at 20:35, Nelson, Trent . wrote:
> >
> > 3. Has anyone attempted to port the Linux Cisco VPN client to
> > FreeBSD?
>
> I think this would be difficult; as far as I looked into it, it uses its own
> (Linux) kernel module.

Yeah, I realised this. I can't see why an equivalent FreeBSD kernel module can't be written that provides the same functionality. All of the Linux kernel module sources are provided, so you'd assume this would be achievable. I'm more worried about the functionality of the binaries provided being kept intact.

Regards,
Trent.

From owner-freebsd-net Wed Apr 10 10:23:16 2002
Subject: RE: Cisco VPN servers.
From: Tilman Linneweh
To: "Bromirski, Lukasz"
Cc: "'freebsd-net@freebsd.org'"
Date: 10 Apr 2002 20:27:51 +0300
Message-Id: <1018459671.61777.86.camel@tl.kom.tuwien.ac.at>

On Wed, 2002-04-10 at 17:33, Bromirski, Lukasz wrote:
> > > 2. If not, is it possible?
> > I dunno. AFAIK, this requires L2TP to be available under FreeBSD.
>
> Why L2TP?

Okay, I misunderstood this. Our VPN server seems to be configured to connect only with L2TP/IPsec, but the Cisco website says it could run with normal IPsec.

> > > 3. Has anyone attempted to port the Linux Cisco VPN client to
> > > FreeBSD?
> > I think this would be difficult; as far as I looked into it, it
> > uses its own (Linux) kernel module.
>
> Yes it is. But I'll check it out.

Cool! I am waiting for your Howto :).

I have looked into the header file, and also found "if defined(CNI_DARWIN_INTERFACE)". So perhaps the MacOS version is easier to port? But we don't use MacOSX, so we have no Apple version of vpnclient around here.
regards
arved

From owner-freebsd-net Wed Apr 10 11:10:30 2002
From: "G. Paul Ziemba"
To: treehouse-mail-freebsd-net@treehouse.napa.ca.us
Subject: Re: TCP Timestamp option?
Date: Wed, 10 Apr 2002 18:10:22 +0000 (UTC)
Reply-To: paul+usenet@w6yx.stanford.edu

ipver4@hotmail.com ("ipver four") writes:
>Is there a reason for including the timestamp option on most of the TCP
>packets?

The TCP timestamp option is used to obtain better round-trip time estimates than can be obtained without, and these estimates turn out to be important in networks with large bandwidth*delay products.

Timestamps in the timestamp option also cycle much more slowly than sequence numbers on an active high-speed connection and can thus be used to detect and discard old duplicate packets with apparently valid sequence numbers.

RFC 1323 explains the details.
--
G. Paul Ziemba paul@w6yx.stanford.edu
FreeBSD unix:
11:06AM up 16 days, 14 mins, 7 users, load averages: 0.03, 0.03, 0.00

From owner-freebsd-net Wed Apr 10 15:26:33 2002
Message-ID: <410-220024310222625267@kth.se>
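The two uses of the timestamp option described in the reply above, as an added illustration (not code from the thread or from the FreeBSD stack): a simplified receive-side check that rejects a segment whose timestamp is older than the last one seen, as RFC 1323's PAWS does, plus the wrap-safe comparisons it depends on and an RTT sample taken from an echoed timestamp. The function names, window values and the two scenarios are constructed for this example; a real stack also ages out ts_recent on idle connections, which is left out here.

```c
#include <stdint.h>
#include <stdio.h>

/* Sequence numbers and timestamps are 32-bit counters that wrap, so they are
 * compared with modular arithmetic (valid while the two are < 2^31 apart). */
static int seq_lt(uint32_t a, uint32_t b)    { return (int32_t)(a - b) < 0; }
static int tstamp_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

enum verdict { ACCEPT = 0, DROP_OUT_OF_WINDOW = 1, DROP_PAWS = 2 };

struct rcv_state {
    uint32_t rcv_nxt;    /* next sequence number expected */
    uint32_t rcv_wnd;    /* receive window size in bytes */
    uint32_t ts_recent;  /* latest timestamp seen on an in-order segment */
};

/* Simplified receive-side acceptance test.
 * 1. PAWS: a timestamp older than ts_recent marks an old duplicate, which is
 *    dropped even when its sequence number falls inside the window, which is
 *    exactly what happens once the 32-bit sequence space has wrapped.
 * 2. The usual window check on the sequence number.
 * ts_recent is refreshed only from in-order segments, per RFC 1323. */
enum verdict accept_segment(struct rcv_state *st, uint32_t seq, uint32_t ts_val)
{
    if (tstamp_lt(ts_val, st->ts_recent))
        return DROP_PAWS;
    if (seq_lt(seq, st->rcv_nxt) || !seq_lt(seq, st->rcv_nxt + st->rcv_wnd))
        return DROP_OUT_OF_WINDOW;
    if (seq == st->rcv_nxt)
        st->ts_recent = ts_val;
    return ACCEPT;
}

/* RTT sample from an echoed timestamp, in timestamp ticks; the subtraction
 * stays correct across a wrap of the 32-bit timestamp clock. */
uint32_t rtt_from_echo(uint32_t now, uint32_t ts_ecr) { return now - ts_ecr; }

/* Seconds until the sequence space wraps at a given sending rate.  A
 * millisecond timestamp clock wraps in ~49.7 days instead. */
double seq_wrap_seconds(double bytes_per_second) { return 4294967296.0 / bytes_per_second; }

/* Constructed scenario: the connection has wrapped its sequence space and a
 * segment from the previous cycle (seq 1200, timestamp 500) arrives with a
 * sequence number that is inside the window again.  Returns 1 if that stale
 * copy is dropped by PAWS while a fresh segment at the same seq is accepted. */
int old_duplicate_is_dropped(void)
{
    struct rcv_state st = { 1000, 65535, 510 };
    return accept_segment(&st, 1200, 500) == DROP_PAWS
        && accept_segment(&st, 1200, 512) == ACCEPT
        && st.ts_recent == 510;        /* out of order, so ts_recent untouched */
}

/* Constructed scenario: the timestamp clock itself wraps from 0xfffffff0 to
 * 5; the modular compare treats 5 as newer.  Returns 1 if the in-order
 * segment is accepted and ts_recent follows it. */
int timestamp_wrap_is_handled(void)
{
    struct rcv_state st = { 10, 1000, 0xfffffff0u };
    return accept_segment(&st, 10, 5) == ACCEPT && st.ts_recent == 5;
}

int main(void)
{
    printf("old duplicate dropped:  %d\n", old_duplicate_is_dropped());
    printf("timestamp wrap handled: %d\n", timestamp_wrap_is_handled());
    printf("sequence space wraps every %.1f s at 1 Gbit/s\n", seq_wrap_seconds(125e6));
    return 0;
}
```

The second scenario is the reason the comparisons are written as a signed difference rather than `a < b`: both the sequence space and the timestamp clock wrap, and a plain comparison would reject every segment after either wrap.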
From: "Yidan Zhou"
To: freebsd-net@freebsd.org
Subject: How can I use ng_bpf?
Date: Thu, 11 Apr 2002 00:26:25 +0200

Hi all,

I want to set up a bridge with a filtering function on FreeBSD. I checked some webpages which mention that I can use ng_bpf to implement filtering. But the FreeBSD man page of ng_bpf is not clear (especially how to use ngctl to configure it step by step). Has anybody a sample configuration or an example?

Thanks in advance!
Edward Zhou

From owner-freebsd-net Wed Apr 10 17:13:51 2002
From: "ipver4"
Subject: Re: TCP Timestamp option?
Date: Wed, 10 Apr 2002 20:13:38 -0400

Thanks for the explanation.

It seems that since version 4.4 the kernel's net.inet.tcp.rfc1323 is set to 1 by default, thus causing all TCP connections to use the RFC1323 extension.

The effects are:

1. bigger TCP header.
2. more processing time at sending and receiving hosts.
3. VJ TCP/IP header compression algorithm does not compress most of the time.

I am not sure turning on RFC1323 support by default is such a good idea.

> The TCP timestamp option is used to obtain better round-trip time
> estimates than can be obtained without, and these estimates turn out
> to be important in networks with large bandwidth*delay products.
>
> Timestamps in the timestamp option also cycle much more slowly than
> sequence numbers on an active high-speed connection and can thus be used
> to detect and discard old duplicate packets with apparently valid sequence
> numbers.
>
> RFC 1323 explains the details.
> --
> G.
> Paul Ziemba paul@w6yx.stanford.edu
> FreeBSD unix:
> 11:06AM up 16 days, 14 mins, 7 users, load averages: 0.03, 0.03, 0.00

From owner-freebsd-net Wed Apr 10 17:57:45 2002
Date: Thu, 11 Apr 2002 01:57:02 -0500 (CDT)
From: Mike Silbersack
To: ipver4
Cc: paul+usenet@w6yx.stanford.edu
Subject: Re: TCP Timestamp option?
Message-ID: <20020411015240.B296-100000@patrocles.silby.com>

On Wed, 10 Apr 2002, ipver4 wrote:

> Thanks for the explanation.
>
> It seems since version 4.4 that kernel net.inet.tcp.rfc1323 is set to 1 by
> default, thus causing all the TCP connections to use the RFC1323 extension.
>
> The effects are:
>
> 1. bigger TCP header.
> 2. more processing time at sending and receiving hosts.
> 3. VJ TCP/IP header compression algorithm does not compress most of the
> time.
>
> I am not sure turning on the RFC1323 support on by default is such a good
> idea.

The added amount of time and data is insignificant with today's computers on today's networks. At the same time, the reality of 32 bit sequence numbers being relatively small and timestamps being needed to track wraparound is setting in. Although we don't use the various RFC 1323 options to their full extent yet, keeping them enabled is a good idea in the long run.
Mike "Silby" Silbersack

From owner-freebsd-net Wed Apr 10 20:52:55 2002
From: "Arkadi Kosmynin"
Subject: RE: Need help. A system stops responding to network requests periodically.
Date: Thu, 11 Apr 2002 13:51:10 +1000
In-Reply-To: <20020410131829.GA40130@wjv.com>

Hi Bill,

Thanks for the hint. My network consists of three computers connected via a 10 Mbps hub. I don't think that this is a hardware problem. I never experienced any networking problems except in this situation. Besides, netstat shows a very low number of bad segments and segment retransmissions. That, I believe, indicates a healthy network.

Any other ideas?

Thank you,
Arkadi.

> -----Original Message-----
> From: owner-freebsd-net@FreeBSD.ORG
> [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Bill Vermillion
> Sent: Wednesday, April 10, 2002 11:18 PM
> To: freebsd-net@freebsd.org
> Subject: Re: Need help. A system stops responding to network requests
> periodically.
>
>
> On Wed, Apr 10, 2002 at 11:06:09PM +1000, Arkadi Kosmynin spewed forth:
>
> > I really can not explain this. We are stress testing a server. We
> > use the following configuration: the server runs on a FreeBSD box
> > (or Linux, with a similar effect). A multithreaded tester program
> > runs on a Win2K box and emulates random multiuser activity. The
> > FreeBSD box stops responding to network requests every 20-30
> > minutes. I can't even connect to its FTP server. If I don't
> > touch it, it does not "unstuck" for quite a while. But, if I do
> > something with it, like start a Web browser on it and access the
> > server, or just do netstat, it became active again shortly.
>
> > Can anyone explain this? Is it some form of protection from denial
> > of service attack? The tester program generates a lot of requests,
> > and does it very fast, so, it does look like an attack.
>
> You didn't say a thing about your network. Sometimes the plain
> stopping can be a result of automatic-sensing and
> automatic-negotiation if you do not have everything fixed.
>
> Take a look at this and understand the failure modes
>
> http://www.cisco.com/warp/public/473/46.html
>
> While it is targeted to the Cisco switches the same advice applies
> to most things.
>
> I'm not saying this IS the problem you are having but since it is
> on the same HW with two OSes this needs to be verified.
>
> Bill
>
> --
> Bill Vermillion - bv @ wjv .
> com

From owner-freebsd-net Wed Apr 10 23:19:08 2002
Date: Wed, 10 Apr 2002 23:18:51 -0700
From: "Crist J. Clark"
To: Paulius Bulotas
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: strange network conversation
Message-ID: <20020410231851.B37066@blossom.cjclark.org>
References: <20020410090644.GB8914@kaktusas.org>
In-Reply-To: <20020410090644.GB8914@kaktusas.org>; from paulius@kaktusas.org on Wed, Apr 10, 2002 at 11:06:44AM +0200

On Wed, Apr 10, 2002 at 11:06:44AM +0200, Paulius Bulotas wrote:
> Hello list,
>
> I'm seeing strange? networking behaviour with my FreeBSD server, and it
> seems that this list is tne right to ask ;)
> Suppose, there is outgoing connection for whom dynamic rule is created
> (that's how I noticed it - ipfw logs denied packets). My 4.4-Release
> FreeBSD is hostA, something on the next end is hostB - smtp server.
> That's how the end of smtp session looks:
>
> _Host tcpflags seq nseq ack data_
> hostA ( [PSH,ACK], seq1, nseq1, ack1, "QUIT" )
> hostA ( [FIN,ACK], nseq1, -- , ack1 )
> hostB ( [[ACK], ack1, -- , nseq1)
> hostB ( [PSH,ACK], ack1, nseq2, nseq1, "221 Bye")
> hostA ( [RST], nseq1, -- , -- )
> hostB ( [FIN,ACK], nseq2, -- , nseq1)
> hostB ( [ACK], nseq2+1, -- , nseq1+1)
> hostB ( [FIN,PSH,ACK], ack1, nseq2, nseq1+1)
> ...
>
> I'm wondering, why FreeBSD sends RST so early and hostB tries to send
> something back (and that didn't match dynamic rule, which is destroyed
> upon RST (I suspect))?

Is that _really_ what happens because,

> hostA ( [PSH,ACK], seq1, nseq1, ack1, "QUIT" )
> hostA ( [FIN,ACK], nseq1, -- , ack1 )
> hostB ( [[ACK], ack1, -- , nseq1)
                            ^^^^^

Should be, nseq1 + 1. But I think that would explain the RST.

> Is it possible to change this?
> (so that conversation between hostA and
> hostB ended normally)

If hostB's stack is really broken, not sure what to do to fix it.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-net Thu Apr 11 13:36:23 2002
Delivered-To: freebsd-net@freebsd.org
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 5744537B422 for ; Thu, 11 Apr 2002 13:36:02 -0700 (PDT)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.11.6/8.11.6) id g3BKZwe94763 for net@freebsd.org; Thu, 11 Apr 2002 16:35:58 -0400 (EDT) (envelope-from mwlucas)
Date: Thu, 11 Apr 2002 16:35:57 -0400
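An added example, not part of the thread above: it replays the QUIT/FIN exchange Paulius posted with constructed sequence numbers (seq1, nseq1, ack1 and nseq2 are symbolic in his trace) and flags the segment Crist singles out. A FIN occupies one sequence number just as a SYN does, so an ACK of nseq1 leaves hostA's FIN unacknowledged; the checker tracks each side's send-next pointer across the trace, including 32-bit wraparound.

```python
# Added example (not from the mailing-list thread): a small checker for
# TCP sequence/ack accounting over a captured two-host exchange.
from dataclasses import dataclass

MOD = 1 << 32          # TCP sequence numbers live in a 32-bit ring


def seq_add(seq: int, n: int) -> int:
    return (seq + n) % MOD


def seq_lt(a: int, b: int) -> bool:
    """Modular comparison: True when a lies before b on the sequence ring."""
    return ((a - b) % MOD) >= (1 << 31)


@dataclass
class Segment:
    src: str            # "hostA" or "hostB"
    flags: frozenset    # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    seq: int
    ack: int
    payload: bytes = b""

    def consumed(self) -> int:
        """Sequence space this segment uses: payload bytes, plus one for SYN and for FIN."""
        return len(self.payload) + ("SYN" in self.flags) + ("FIN" in self.flags)


def check_trace(trace):
    """Replay a two-host trace, tracking each side's send-next pointer, and
    report every ACK that fails to cover what the peer has already sent.
    Returns a list of (segment index, description)."""
    snd_nxt = {}        # host -> next sequence number it will send
    fin_seq = {}        # host -> sequence number its FIN occupies
    findings = []
    for i, s in enumerate(trace):
        snd_nxt.setdefault(s.src, s.seq)
        peers = [h for h in snd_nxt if h != s.src]
        if "RST" in s.flags:
            findings.append((i, f"{s.src} sends RST at seq {s.seq}"))
            continue        # a RST carries no ACK worth validating and advances nothing
        if "ACK" in s.flags and peers:
            p = peers[0]
            if seq_lt(s.ack, snd_nxt[p]):
                unacked = "FIN" if fin_seq.get(p) == s.ack else "data"
                findings.append((i, f"{s.src} acks {s.ack} but {p} has sent up to "
                                    f"{snd_nxt[p]}; {p}'s {unacked} is unacknowledged"))
        if "FIN" in s.flags:
            fin_seq[s.src] = seq_add(s.seq, len(s.payload))
        end = seq_add(s.seq, s.consumed())
        if seq_lt(snd_nxt[s.src], end):   # a retransmission must not move the pointer back
            snd_nxt[s.src] = end
    return findings


# Constructed numbers standing in for the symbolic seq1/nseq1/ack1/nseq2 of
# the posted trace.  hostA is the FreeBSD client, hostB the SMTP server.
SEQ1, ACK1 = 1000, 5000
QUIT, BYE = b"QUIT\r\n", b"221 Bye\r\n"
NSEQ1 = SEQ1 + len(QUIT)          # 1006: hostA's FIN sits here
NSEQ2 = ACK1 + len(BYE)           # 5009: hostB's FIN sits here

F = frozenset
POSTED_TRACE = [
    Segment("hostA", F({"PSH", "ACK"}), SEQ1, ACK1, QUIT),
    Segment("hostA", F({"FIN", "ACK"}), NSEQ1, ACK1),
    Segment("hostB", F({"ACK"}), ACK1, NSEQ1),              # should be NSEQ1 + 1
    Segment("hostB", F({"PSH", "ACK"}), ACK1, NSEQ1, BYE),
    Segment("hostA", F({"RST"}), NSEQ1, 0),
    Segment("hostB", F({"FIN", "ACK"}), NSEQ2, NSEQ1),
    Segment("hostB", F({"ACK"}), NSEQ2 + 1, NSEQ1 + 1),
    Segment("hostB", F({"FIN", "PSH", "ACK"}), ACK1, NSEQ1 + 1, BYE),
]


def posted_trace_findings():
    return check_trace(POSTED_TRACE)


if __name__ == "__main__":
    for idx, text in posted_trace_findings():
        print(f"segment {idx}: {text}")
```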
From: Michael Lucas
To: net@freebsd.org
Subject: networking fact checking for book
Message-ID: <20020411163557.A94744@blackhelicopters.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Folks,

OK, damn fool question here, but our docs are not entirely consistent on this and I need to be sure before I send this book to the printer. Rather than trawl through the source code for hours and get it wrong, I'm asking here.

net.inet.tcp.sendspace= bits or bytes?

While I think I know the answer, I contradicted myself at one point and now I'm confused.

Thanks,
Michael

-- 
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
Absolute BSD: http://www.nostarch.com/abs_bsd.htm

From owner-freebsd-net Thu Apr 11 13:56:55 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mailtest.btconnex.net (mailtest.btconnex.net [209.47.192.8]) by hub.freebsd.org (Postfix) with SMTP id 5882B37B417 for ; Thu, 11 Apr 2002 13:56:50 -0700 (PDT)
Received: (qmail 77231 invoked from network); 11 Apr 2002 20:53:36 -0000
Received: from unknown (HELO ?192.168.66.55?) (192.168.66.55) by mailtest.btconnex.net with SMTP; 11 Apr 2002 20:53:36 -0000
Date: Thu, 11 Apr 2002 16:55:19 -0400 (EDT)
From: Elliott Perrin
X-X-Sender:
To:
Subject: mpd PPTP and NAT
Message-ID: <20020411164940.T7271-100000@decalpha.beanfield.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hello,

I am not on the -net list so please include me in any responses.

I was wondering if it is possible to have multiple systems behind a NAT connect to an mpd PPTP system. If there is a config trick to do so, or someone has figured out a way.

The clients are not sitting behind a BSD box, or I would just create a PPTP tunnel between the two boxes. They are behind a GVC IP0006 which has little documentation but according to someone there supports PPTP Passthrough. (??)

The PPTP server is running FreeBSD 4.5 and mpd 3.4

Thanks

Elliott Perrin
eperrin@beanfield.com

From owner-freebsd-net Thu Apr 11 14:15:24 2002
Delivered-To: freebsd-net@freebsd.org
Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 1C13437B421 for ; Thu, 11 Apr 2002 14:15:04 -0700 (PDT)
Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id OAA14746; Thu, 11 Apr 2002 14:04:14 -0700 (PDT)
Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g3BL3Kj07669; Thu, 11 Apr 2002 14:03:20 -0700 (PDT) (envelope-from archie)
From: Archie Cobbs
Message-Id: <200204112103.g3BL3Kj07669@arch20m.dellroad.org>
Subject: Re: mpd PPTP and NAT
In-Reply-To: <20020411164940.T7271-100000@decalpha.beanfield.net> "from Elliott Perrin at Apr 11, 2002 04:55:19 pm"
To: Elliott Perrin
Date: Thu, 11 Apr 2002 14:03:20 -0700 (PDT)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

Elliott Perrin writes:
> I was wondering if it is possible to have multiple systems behind a NAT
> connect to an mpd PPTP system. If there is a config trick to do so, or
> someone has figured out a way.
>
> The clients are not sitting behind a BSD box, or I would just create a
> PPTP tunnel between the two boxes. They are behind a GVC IP0006 which has
> little documentation but according to someone there supports PPTP
> Passthrough. (??)

I doubt that your NAT supports multiple clients behind it connecting to the same external PPTP server at the same time.. the problem is the PPTP server (mpd) will see two TCP connections coming from the same IP address and nuke one of them.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

From owner-freebsd-net Thu Apr 11 14:21: 8 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mailtest.btconnex.net (mailtest.btconnex.net [209.47.192.8]) by hub.freebsd.org (Postfix) with SMTP id 7413337B400 for ; Thu, 11 Apr 2002 14:21:01 -0700 (PDT)
Received: (qmail 85395 invoked from network); 11 Apr 2002 21:17:47 -0000
Received: from unknown (HELO ?192.168.66.55?) (192.168.66.55) by mailtest.btconnex.net with SMTP; 11 Apr 2002 21:17:47 -0000
Date: Thu, 11 Apr 2002 17:19:30 -0400 (EDT)
From: Elliott Perrin
X-X-Sender:
To: Archie Cobbs
Cc: "freebsd-net@FreeBSD.ORG"
Subject: Re: mpd PPTP and NAT
In-Reply-To: <200204112103.g3BL3Kj07669@arch20m.dellroad.org>
Message-ID: <20020411171544.N7271-100000@decalpha.beanfield.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

That is exactly what I am seeing, the clients are behind this stupid little GVC IP0008 machine, and I am using your mpd software for the pptp server. I know about the "BUG" in libalias.

Is this part of the PPTP spec, that only one TCP control connection can be open to an IP, or is it a purely libalias thing.

Thanks for the response (and kickass software to boot)

Elliott
eperrin@beanfield.com

On Apr 11, 2002: Archie Cobbs eloquently stated the following:
> Elliott Perrin writes:
> > I was wondering if it is possible to have multiple systems behind a NAT
> > connect to an mpd PPTP system. If there is a config trick to do so, or
> > someone has figured out a way.
> >
> > The clients are not sitting behind a BSD box, or I would just create a
> > PPTP tunnel between the two boxes. They are behind a GVC IP0006 which has
> > little documentation but according to someone there supports PPTP
> > Passthrough. (??)
>
> I doubt that your NAT supports multiple clients behind it connecting
> to the same external PPTP server at the same time.. the problem is
> the PPTP server (mpd) will see two TCP connections coming from the
> same IP address and nuke one of them.
>
> -Archie
>
> __________________________________________________________________________
> Archie Cobbs * Packet Design * http://www.packetdesign.com

From owner-freebsd-net Thu Apr 11 14:43:47 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 543D037B405 for ; Thu, 11 Apr 2002 14:43:45 -0700 (PDT)
Received: from bmah.dyndns.org ([12.233.149.189]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020411214345.CYBY1143.rwcrmhc51.attbi.com@bmah.dyndns.org>; Thu, 11 Apr 2002 21:43:45 +0000
Received: from intruder.bmah.org (localhost [IPv6:::1]) by bmah.dyndns.org (8.12.2/8.12.2) with ESMTP id g3BLhiNk088621; Thu, 11 Apr 2002 14:43:44 -0700 (PDT) (envelope-from bmah@intruder.bmah.org)
Received: (from bmah@localhost) by intruder.bmah.org (8.12.2/8.12.2/Submit) id g3BLhil0088620; Thu, 11 Apr 2002 14:43:44 -0700 (PDT)
Message-Id: <200204112143.g3BLhil0088620@intruder.bmah.org>
X-Mailer: exmh version 2.5+ 20020411 with nmh-1.0.4
To: Michael Lucas
Cc: net@FreeBSD.ORG
Subject: Re: networking fact checking for book
In-reply-to: <20020411163557.A94744@blackhelicopters.org>
References: <20020411163557.A94744@blackhelicopters.org>
Comments: In-reply-to Michael Lucas message dated "Thu, 11 Apr 2002 16:35:57 -0400."
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif
X-Url: http://www.employees.org/~bmah/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 11 Apr 2002 14:43:44 -0700

If memory serves me right, Michael Lucas wrote:
> OK, damn fool question here, but our docs are not entirely consistent
> on this and I need to be sure before I send this book to the printer.
> Rather than trawl through the source code for hours and get it wrong,
> I'm asking here.
>
> net.inet.tcp.sendspace= bits or bytes?

Bytes...memory allocations take place using this variable.

I couldn't find anywhere in sys/netinet/* that actually, explicitly documents the units for this.

Bruce.

From owner-freebsd-net Thu Apr 11 14:47:59 2002
Delivered-To: freebsd-net@freebsd.org
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18]) by hub.freebsd.org (Postfix) with ESMTP id 2623737B404; Thu, 11 Apr 2002 14:47:54 -0700 (PDT)
Received: (from mwlucas@localhost) by blackhelicopters.org (8.11.6/8.11.6) id g3BLlqN95277; Thu, 11 Apr 2002 17:47:52 -0400 (EDT) (envelope-from mwlucas)
Date: Thu, 11 Apr 2002 17:47:52 -0400
From: Michael Lucas
To: "Bruce A. Mah"
Cc: net@FreeBSD.ORG
Subject: Re: networking fact checking for book
Message-ID: <20020411174752.A95261@blackhelicopters.org>
References: <20020411163557.A94744@blackhelicopters.org> <200204112143.g3BLhil0088620@intruder.bmah.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200204112143.g3BLhil0088620@intruder.bmah.org>; from bmah@FreeBSD.ORG on Thu, Apr 11, 2002 at 02:43:44PM -0700

On Thu, Apr 11, 2002 at 02:43:44PM -0700, Bruce A. Mah wrote:
> If memory serves me right, Michael Lucas wrote:
>
> > OK, damn fool question here, but our docs are not entirely consistent
> > on this and I need to be sure before I send this book to the printer.
> > Rather than trawl through the source code for hours and get it wrong,
> > I'm asking here.
> >
> > net.inet.tcp.sendspace= bits or bytes?
>
> Bytes...memory allocations take place using this variable.
>
> I couldn't find anywhere in sys/netinet/* that actually, explicitly
> documents the units for this.

Thank you, sir!

tuning(7) says K. After the recent funfest on -doc about K, Kb, KB, &etc, I was no longer sure. Plus, I had written "bits" in one part of the sentence, and "bytes" later on...
==ml

-- 
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
Absolute BSD: http://www.nostarch.com/abs_bsd.htm

From owner-freebsd-net Thu Apr 11 15:49:42 2002
Delivered-To: freebsd-net@freebsd.org
Received: from owa1.digisle.com (ex-owa-sj.digisle.com [165.193.27.217]) by hub.freebsd.org (Postfix) with ESMTP id 7392A37B404; Thu, 11 Apr 2002 15:49:36 -0700 (PDT)
Received: from digisle.net ([206.220.227.145] RDNS failed) by owa1.digisle.com over TLS secured channel with Microsoft SMTPSVC(5.0.2195.2966); Thu, 11 Apr 2002 15:49:35 -0700
Message-ID: <3CB612FF.2B05330F@digisle.net>
Date: Thu, 11 Apr 2002 15:49:35 -0700
From: Maksim Yevmenkin
Organization: Digital Island
X-Mailer: Mozilla 4.78 [en] (X11; U; SunOS 5.7 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Jeffrey Hsu
Cc: current@FreeBSD.org, net@FreeBSD.org
Subject: Re: Bug in m_split() ?
References: <0GUF00L9TDCRFW@mta7.pltn13.pbi.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 11 Apr 2002 22:49:35.0881 (UTC) FILETIME=[2757D790:01C1E1AB]

Hello Jeffrey,

> Please try out this patch instead.
>
> Index: uipc_mbuf.c
> ===================================================================
> RCS file: /home/cvs/src/sys/kern/uipc_mbuf.c,v
> retrieving revision 1.90
> diff -u -6 -r1.90 uipc_mbuf.c
> --- uipc_mbuf.c 5 Feb 2002 02:00:53 -0000 1.90
> +++ uipc_mbuf.c 11 Apr 2002 22:31:32 -0000
> @@ -585,14 +585,16 @@ > /* m can't be the lead packet */ > MH_ALIGN(n, 0); > n->m_next = m_split(m, len, wait); > if (n->m_next == NULL) { > (void) m_free(n); > return (NULL); > - } else > + } else { > + n->m_len = 0; > return (n); > + } > } else > MH_ALIGN(n, remain); > } else if (remain == 0) { > n = m->m_next; > m->m_next = NULL; > return (n); it does _exactly_ the same thing as patch i sent. the idea is to set "n->m_len" to zero. in this particular part of the code "n" is not modified. only "n->m_next". so i do not see any difference except your patch is 4 lines :) --- uipc_mbuf.c.orig Mon Apr 8 14:40:23 2002 +++ uipc_mbuf.c Mon Apr 8 14:40:43 2002 @@ -584,6 +584,7 @@ if (remain > MHLEN) { /* m can't be the lead packet */ MH_ALIGN(n, 0); + n->m_len = 0; n->m_next = m_split(m, len, wait); if (n->m_next == NULL) { (void) m_free(n); thanks, max To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Apr 11 16:30:24 2002 Delivered-To: freebsd-net@freebsd.org Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 3E3B137B423 for ; Thu, 11 Apr 2002 16:30:03 -0700 (PDT) Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id QAA15547; Thu, 11 Apr 2002 16:21:40 -0700 (PDT) Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g3BNKjg08185; Thu, 11 Apr 2002 16:20:45 -0700 (PDT) (envelope-from archie) 
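Review bot: in the quoted `@@ -585,14 +585,16 @@` hunk the new `n->m_len = 0;` is correct but carries no explanation; after `MH_ALIGN(n, 0);` the header mbuf `n` holds no data of its own and its payload is whatever `m_split(m, len, wait)` hangs off `n->m_next`, so a comment on the zeroing, e.g. `n->m_len = 0; /* header only; data is in n->m_next */`, would stop the next reader from deleting it as redundant. Putting it in the success branch only is fine, since on the other branch `(void) m_free(n);` discards `n` before anything could read its length; the extra braces around `} else {` are the only reason the hunk grows to four lines.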
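Review bot: in the unquoted `@@ -584,6 +584,7 @@` hunk, `+ n->m_len = 0;` sits before `n->m_next = m_split(m, len, wait);`, so the store is also executed on the path where `m_split()` returns NULL and `n` is immediately released by `(void) m_free(n);`; that is one wasted store on the error path, with otherwise identical behaviour, since nothing between the assignment and the NULL check reads `n->m_len`. If the one-line form is kept, add a comment saying why a freshly aligned header mbuf needs an explicit zero length, because the hunk itself gives no reason for it.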
From: Archie Cobbs
Message-Id: <200204112320.g3BNKjg08185@arch20m.dellroad.org>
Subject: Re: mpd PPTP and NAT
In-Reply-To: <20020411171544.N7271-100000@decalpha.beanfield.net> "from Elliott Perrin at Apr 11, 2002 05:19:30 pm"
To: Elliott Perrin
Date: Thu, 11 Apr 2002 16:20:45 -0700 (PDT)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

Elliott Perrin writes:
> that is exactly what I am seeing, the clients are behind this stupid
> little GVC IP0008 machine, and I am using your mpd software for the pptp
> server. I know about the "BUG" in libalias.
>
> Is this part of the PPTP spec, that only one TCP control connection can be
> open to an IP, or is it a purely libalias thing.

Yes it is part of the PPTP spec.. however, I've seen servers that ignore the spec and accept multiple connections from a single remote source. Mpd should probably do the same thing when configured for 'server only' mode.. hmm, maybe I'll look into that (will send you a patch if/when).

By the way, in L2TP they fixed this problem -- multiple connections are allowed if you want.
Cheers,
-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

From owner-freebsd-net Thu Apr 11 17:52:23 2002
Delivered-To: freebsd-net@freebsd.org
Received: from web11603.mail.yahoo.com (web11603.mail.yahoo.com [216.136.172.55]) by hub.freebsd.org (Postfix) with SMTP id 662C737B405 for ; Thu, 11 Apr 2002 17:52:16 -0700 (PDT)
Message-ID: <20020412005216.30538.qmail@web11603.mail.yahoo.com>
Received: from [202.94.0.18] by web11603.mail.yahoo.com via HTTP; Thu, 11 Apr 2002 17:52:16 PDT
Date: Thu, 11 Apr 2002 17:52:16 -0700 (PDT)
From: tang hongbin
Subject: Re: mpd PPTP and NAT
To: freebsd-net@FreeBSD.ORG
In-Reply-To: <200204112103.g3BL3Kj07669@arch20m.dellroad.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

It is true that the MPD server thinks that all clients behind a NAT server have the same IP address (external address). It doesn't allow more than one client behind a NAT server to connect with it at one time.

One solution is that the NAT server supports the RSIP protocol. For further info, please refer to the RSIP RFC. If there is an RSIP daemon in the NAT, that is OK.

--- Archie Cobbs wrote:
> Elliott Perrin writes:
> > I was wondering if it is possible to have multiple systems behind a NAT
> > connect to an mpd PPTP system. If there is a config trick to do so, or
> > someone has figured out a way.
> >
> > The clients are not sitting behind a BSD box, or I would just create a
> > PPTP tunnel between the two boxes. They are behind a GVC IP0006 which has
> > little documentation but according to someone there supports PPTP
> > Passthrough. (??)
>
> I doubt that your NAT supports multiple clients behind it connecting
> to the same external PPTP server at the same time.. the problem is
> the PPTP server (mpd) will see two TCP connections coming from the
> same IP address and nuke one of them.
>
> -Archie
>
> __________________________________________________

From owner-freebsd-net Thu Apr 11 18:23:26 2002
Delivered-To: freebsd-net@freebsd.org
Received: from scaup.prod.itd.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by hub.freebsd.org (Postfix) with ESMTP id C0EB837B419; Thu, 11 Apr 2002 18:23:20 -0700 (PDT)
Received: from pool0186.cvx22-bradley.dialup.earthlink.net ([209.179.198.186] helo=mindspring.com) by scaup.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16vpmU-0001J1-00; Thu, 11 Apr 2002 18:23:14 -0700
Message-ID: <3CB636E7.FB2D8B93@mindspring.com>
Date: Thu, 11 Apr 2002 18:22:47 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Maksim Yevmenkin
Cc: Jeffrey Hsu , current@FreeBSD.org, net@FreeBSD.org
Subject: Re: Bug in m_split() ?
References: <0GUF00L9TDCRFW@mta7.pltn13.pbi.net> <3CB612FF.2B05330F@digisle.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Maksim Yevmenkin wrote:
> it does _exactly_ the same thing as patch i sent. the idea is
> to set "n->m_len" to zero. in this particular part of the code
> "n" is not modified. only "n->m_next". so i do not see any
> difference except your patch is 4 lines :)

Yours is less efficient.

-- Terry

From owner-freebsd-net Thu Apr 11 23: 7:36 2002
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 455A437B41A for ; Thu, 11 Apr 2002 23:07:33 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020412060733.INTK15826.rwcrmhc54.attbi.com@blossom.cjclark.org>; Fri, 12 Apr 2002 06:07:33 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g3C67WJ40388; Thu, 11 Apr 2002 23:07:32 -0700 (PDT) (envelope-from cjc)
Date: Thu, 11 Apr 2002 23:07:32 -0700
From: "Crist J. Clark"
To: Yidan Zhou
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: How can I use ng bpf
Message-ID: <20020411230732.F39738@blossom.cjclark.org>
References: <410-220024310222625267@kth.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <410-220024310222625267@kth.se>; from zyd@kth.se on Thu, Apr 11, 2002 at 12:26:25AM +0200
X-URL: http://people.freebsd.org/~cjc/

On Thu, Apr 11, 2002 at 12:26:25AM +0200, Yidan Zhou wrote:
> Hi all,
> I want to set up a bridge with filtering function on FreeBSD. I checked
> some webpages which mention that I can use ng_bpf to implement filtering. But
> the FreeBSD man page of ng_bpf is not clear (especially, how to use ngctl to
> configure step by step). Has anybody a sample configuration or an example?

ipfw(8) will filter with bridge(4) just fine. I have a simple patch on the website below to get ipf(8) to filter with bridge(4) too.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-net Fri Apr 12 5:23: 3 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mail1.kth.se (mail1.kth.se [130.237.32.62]) by hub.freebsd.org (Postfix) with ESMTP id 22A3737B400; Fri, 12 Apr 2002 05:22:59 -0700 (PDT)
Received: from kth.se (yorick.admin.kth.se [130.237.32.55]) by mail1.kth.se (8.11.5/8.11.5) with SMTP id g3CCMu618868; Fri, 12 Apr 2002 14:22:57 +0200 (MEST)
Message-ID: <55080-220024512122257348@kth.se>
X-EM-Version: 6, 0, 1, 0
X-EM-Registration: #0000630010A41E00EC40
X-Originating-IP: 130.237.50.53
From: "Yidan Zhou"
To: cjc@FreeBSD.ORG, zyd@kth.se
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Re: How can I use ng bpf
Date: Fri, 12 Apr 2002 14:22:57 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=ISO-8859-1

Hi Crist,

But the bridge(4) can control the bridge group very well. On my FreeBSD box there are 2 physical ethernet interfaces and 1 virtual ethernet interface (created by TAP). I just want to put 1 physical interface and the virtual interface into 1 bridge group. But every time after I start the bridge(4), the other physical one is always in the bridge group. That's why I switched to the netgraph bridge.

Anyway thank you very much!

//Edward Zhou

------- Original message -------
From: cjc@FreeBSD.ORG
Date: Thu, 11 Apr 2002 23:07:32 -0700

On Thu, Apr 11, 2002 at 12:26:25AM +0200, Yidan Zhou wrote:
> Hi all,
> I want to set up a bridge with filtering function on FreeBSD. I checked
> some webpages which mention that I can use ng_bpf to implement filtering. But
> the FreeBSD man page of ng_bpf is not clear (especially, how to use ngctl to
> configure step by step). Has anybody a sample configuration or an example?

ipfw(8) will filter with bridge(4) just fine. I have a simple patch on the website below to get ipf(8) to filter with bridge(4) too.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-net Fri Apr 12 9:35: 2 2002
Delivered-To: freebsd-net@freebsd.org
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id D51F137B420 for ; Fri, 12 Apr 2002 09:34:51 -0700 (PDT)
Received: (qmail 41271 invoked from network); 12 Apr 2002 16:34:50 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 12 Apr 2002 16:34:50 -0000
Message-ID: <3CB70CAA.1020504@tenebras.com>
Date: Fri, 12 Apr 2002 09:34:50 -0700
From: Michael Sierchio
Reply-To: kudzu@tenebras.com
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020404
X-Accept-Language: en-us, en
MIME-Version: 1.0
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: How can I use ng bpf
References: <410-220024310222625267@kth.se> <20020411230732.F39738@blossom.cjclark.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Crist J. Clark wrote:
> ipfw(8) will filter with bridge(4) just fine. I have a simple patch on
> the website below to get ipf(8) to filter with bridge(4) too.

Just for the sake of clarity, it won't filter anything but IP packets, right? In case someone is interested in filtering 802.X frames...

From owner-freebsd-net Fri Apr 12 15:32:24 2002
Delivered-To: freebsd-net@freebsd.org
Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 77F7A37B485 for ; Fri, 12 Apr 2002 15:30:03 -0700 (PDT)
Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id PAA23175; Fri, 12 Apr 2002 15:12:44 -0700 (PDT)
Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g3CMBko12496; Fri, 12 Apr 2002 15:11:46 -0700 (PDT) (envelope-from archie)
From: Archie Cobbs
Message-Id: <200204122211.g3CMBko12496@arch20m.dellroad.org>
Subject: Re: mpd PPTP and NAT
In-Reply-To: <200204112320.g3BNKjg08185@arch20m.dellroad.org> "from Archie Cobbs at Apr 11, 2002 04:20:45 pm"
To: Archie Cobbs
Date: Fri, 12 Apr 2002 15:11:46 -0700 (PDT)
Cc: Elliott Perrin , freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

Archie Cobbs writes:
> > that is exactly what I am seeing, the clients are behind this stupid
> > little GVC IP0008 machine, and I am using your mpd software for the pptp
> > server. I know about the "BUG" in libalias.
> >
> > Is this part of the PPTP spec, that only one TCP control connection can be
> > open to an IP, or is it a purely libalias thing.
>
> Yes it is part of the PPTP spec.. however, I've seen servers
> that ignore the spec and accept multiple connections from a
> single remote source. Mpd should probably do the same thing
> when configured for 'server only' mode.. hmm, maybe I'll look
> into that (will send you a patch if/when).

Please try the patch below and see if it works. I haven't tested it at all myself..

Thanks,
-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

Index: pptp.c
===================================================================
RCS file: /home/cvs/archie/mpd/src/pptp.c,v
retrieving revision 1.4
diff -u -r1.4 pptp.c
--- pptp.c 2002/03/01 02:42:24 1.4
+++ pptp.c 2002/04/12 22:12:25
@@ -680,22 +680,32 @@ static void PptpListenUpdate(void) { + int allow_incoming = 0; + int allow_multiple = 1; int k; + /* Examine all PPTP links */ for (k = 0; k < gNumLinks; k++) { if (gLinks[k] && gLinks[k]->phys->type == &gPptpPhysType) { PptpInfo const p = (PptpInfo)gLinks[k]->phys->info; if (Enabled(&p->options, PPTP_CONF_INCOMING)) - break; + allow_incoming = 1; + if (Enabled(&p->options, PPTP_CONF_ORIGINATE) + && p->peer_addr_req.ipaddr.s_addr != 0) + allow_multiple = 0; } } + + /* Initialize first time */ if (!gInitialized) { - if (k == gNumLinks) + if (!allow_incoming) return; /* wait till later; we may not have an IP address yet */ PptpInitCtrl(); } - PptpCtrlListen(k < gNumLinks, gLocalPort); + + /* Set up listening for incoming connections */ + PptpCtrlListen(allow_incoming, gLocalPort, allow_multiple); } /* @@ -727,6 +737,7 @@ pptp->peer_addr_req = rng; pptp->peer_port_req = port; } + PptpListenUpdate(); break; case SET_PHONENUM: if (ac != 1) Index: pptp_ctrl.c =================================================================== RCS file: /home/cvs/archie/mpd/src/pptp_ctrl.c,v retrieving revision 1.4 diff -u -r1.4 pptp_ctrl.c --- pptp_ctrl.c 2002/03/16 18:29:37 1.4 +++ pptp_ctrl.c 2002/04/12 22:12:27 @@ -228,6 +228,7 @@ static u_char gInitialized; static u_long gStartTime; static u_int16_t gLastCallId; + static int gAllowMultiple; static int gListenSock = -1; static struct in_addr gListenIp; static EventRef gListenRetry; @@ -518,11 +519,12 @@ */ int -PptpCtrlListen(int enable, int port) +PptpCtrlListen(int enable, int port, int allow_multiple) { assert(gInitialized); port = port ? port : PPTP_PORT; if (enable) { + gAllowMultiple = allow_multiple; if (gListenSock >= 0 || EventIsRegistered(gListenRetry)) return(0); if ((gListenSock = TcpGetListenPort(gListenIp, &port)) < 0) { 
@@ -536,6 +538,7 @@ EventRegister(&gListenEvent, EVENT_READ, gListenSock, DEV_PRIO, PptpCtrlListenEvent, NULL); } else { + gAllowMultiple = 0; if (gListenSock < 0) return(0); close(gListenSock); @@ -557,7 +560,7 @@ { const u_short port = (u_short) (int) cookie; - PptpCtrlListen(TRUE, port); + PptpCtrlListen(TRUE, port, gAllowMultiple); } /* @@ -1826,6 +1829,10 @@ struct pptpStartCtrlConnReply reply; int k; + /* Are we allowing multiple connections from the same IP address? */ + if (gAllowMultiple) + goto reply; + /* Check for a collision */ for (k = 0; k < gNumPptpCtrl; k++) { PptpCtrl const c2 = gPptpCtrl[k]; @@ -1845,6 +1852,7 @@ PptpCtrlKillCtrl(c2); /* Kill the connection that I initiated */ } +reply: /* Initialize reply */ memset(&reply, 0, sizeof(reply)); reply.vers = PPTP_PROTO_VERS; Index: pptp_ctrl.h =================================================================== RCS file: /home/cvs/archie/mpd/src/pptp_ctrl.h,v retrieving revision 1.3 diff -u -r1.3 pptp_ctrl.h --- pptp_ctrl.h 2001/12/15 20:59:51 1.3 +++ pptp_ctrl.h 2002/04/12 22:12:27 
@@ -406,7 +406,8 @@ PptpGetOutLink_t getOutLink, struct in_addr myip); - extern int PptpCtrlListen(int enable, int port); + extern int PptpCtrlListen(int enable, int port, + int allow_multiple); extern struct pptpctrlinfo PptpCtrlInCall(struct pptplinkinfo linfo, struct in_addr ip, int port, int bearType, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Apr 12 15:42:18 2002 Delivered-To: freebsd-net@freebsd.org Received: from fubar.damon.com (damon.com [199.98.84.2]) by hub.freebsd.org (Postfix) with ESMTP id 9B27537B400; Fri, 12 Apr 2002 15:42:10 -0700 (PDT) Received: from fubar.damon.com (localhost [127.0.0.1]) by fubar.damon.com (8.12.2/8.12.2) with ESMTP id g3CMg9To005426; Fri, 12 Apr 2002 17:42:10 -0500 (CDT) (envelope-from dap@fubar.damon.com) Received: (from dap@localhost) by fubar.damon.com (8.12.2/8.12.2/Submit) id g3CMg9SZ005425; Fri, 12 Apr 2002 17:42:09 -0500 (CDT) Date: Fri, 12 Apr 2002 17:42:09 -0500 
From: Damon Permezel To: jlemon@FreeBSD.org Cc: freebsd-net@FreeBSD.org Subject: gx problems with IP frags. Message-ID: <20020412224209.GI895@fubar.damon.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.27i Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi. I recently upgraded to 4.5-stable. FreeBSD fubar.damon.com 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Apr 11 00:09:20 CDT 2002 dap@fubar.damon.com:/usr/obj/usr/src/sys/XYLYL i386 I have an intel gige adapter. Prior to the 4.5-stable, I was using the non-gx driver. wx? Ever since the upgrade, my loonix boxes (don't ask) cannot NFS mount my freebsd stuff unless I use TCP. I have been poking at this some more, and have basically isolated it with an "echo" programme which sends a datagramme to the echo service and checks the returned result. Whenever I echo from loonix (2.4.18 or 2.4.16) to loonix via gige, size selected to get frags, it works. loonix to Freebsd --- the pkts are sent, there is a checksum error. If I initiate the echo from FreeBSD to loonix, with tcpdump running, I see that the frags are sent, but no reply is sent. In all cases, this indicates that the IP frags are being sent out with an incorrect checksum. If this is fixed, please let me know ASAP. If not, I can dig into the driver and provide a fix, if necessary.
-- -- Damon Permezel dap@damon.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Apr 12 23:59:41 2002 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 3DB7437B49A for ; Fri, 12 Apr 2002 23:57:53 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020413065741.FFNE1083.rwcrmhc53.attbi.com@blossom.cjclark.org>; Sat, 13 Apr 2002 06:57:41 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g3D6veR44340; Fri, 12 Apr 2002 23:57:40 -0700 (PDT) (envelope-from cjc) Date: Fri, 12 Apr 2002 23:57:40 -0700 
From: "Crist J. Clark" To: Michael Sierchio Cc: freebsd-net@FreeBSD.org Subject: Re: How can I use ng bpf Message-ID: <20020412235740.C43915@blossom.cjclark.org> References: <410-220024310222625267@kth.se> <20020411230732.F39738@blossom.cjclark.org> <3CB70CAA.1020504@tenebras.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3CB70CAA.1020504@tenebras.com>; from kudzu@tenebras.com on Fri, Apr 12, 2002 at 09:34:50AM -0700 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Apr 12, 2002 at 09:34:50AM -0700, Michael Sierchio wrote: > Crist J. Clark wrote: > > > ipfw(8) will filter with bridge(4) just fine. I have a simple patch on > > the website below to get ipf(8) to filter with bridge(4) too. > > Just for the sake of clarity, it won't filter anything but IP packets, > right? In case someone is interested in filtering 802.X frames... Yes, ipfw(8) and ipf(8) only filter IP. ^^ ^^ -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Apr 13 7:32: 6 2002 Delivered-To: freebsd-net@freebsd.org Received: from scout.adamant.net (scout.adamant.net [212.26.128.10]) by hub.freebsd.org (Postfix) with ESMTP id F36A037B405 for ; Sat, 13 Apr 2002 07:31:58 -0700 (PDT) Received: from proxy.fc.kiev.ua (indust.fc.kiev.ua [212.26.129.65]) by scout.adamant.net (8.12.1/8.12.1) with ESMTP id g3DEVmFg029409 for ; Sat, 13 Apr 2002 17:31:53 +0300 Received: by proxy.fc.kiev.ua (Postfix, from userid 1015) id 775013664B; Sat, 13 Apr 2002 17:31:43 +0300 (EEST) Received: from blend.fc.kiev.ua (blend [192.168.5.17]) by proxy.fc.kiev.ua (Postfix) with ESMTP id 02C5636644; Sat, 13 Apr 2002 17:31:41 +0300 (EEST) Received: from fc.kiev.ua (localhost.fc.kiev.ua [127.0.0.1]) by blend.fc.kiev.ua (8.11.6/8.11.6) with SMTP id g3DEVfD34146; Sat, 13 Apr 2002 17:31:41 +0300 (EEST) (envelope-from gnut@fc.kiev.ua) Received: from 192.168.34.102 (proxying for 10.0.0.2) (SquirrelMail authenticated user gnut) by blend.fc.kiev.ua with HTTP; Sat, 13 Apr 2002 17:31:42 +0300 (EEST) Message-ID: <2621.192.168.34.102.1018708302.squirrel@blend.fc.kiev.ua> Date: Sat, 13 Apr 2002 17:31:42 +0300 (EEST) Subject: multicast on freebsd 
From: "Oles Hnatkevych" To: X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal Cc: Reply-To: gnut@fc.kiev.ua X-Mailer: SquirrelMail (version 1.2.5) MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1251 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hello! OSPF with Zebra again....... Messing around with the latest zebra snapshot on the latest FreeBSD-4 stable I've found that a freebsd box running zebra+ospfd does not work the same way as cisco's and other routers on the network. The test was: "ping 224.0.0.5" from the freebsd box and cisco-s and it shows that freebsd does not respond to this. Maybe it's the way it was designed, but analyzing cisco's and zebra's logs I see that suddenly the freebsd box is out of the group and does not receive OSPF hellos after 2-3 minutes of running. Maybe the kernel code that processes incoming multicast packets somehow "forgets" about being in the group? I don't believe it's the cisco's fault (both IOS's 11 and 12) ;) And the worst part of it is that running ospfd successfully depends on the box I use. On some segments it works, on some it does not. Where am I wrong and being lame? Thanks for any helpful ideas in advance. -- --- --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Apr 13 9:47:41 2002 Delivered-To: freebsd-net@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id A7A2137B41C for ; Sat, 13 Apr 2002 09:47:14 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g3DGkit08325; Sat, 13 Apr 2002 09:46:44 -0700 (PDT) (envelope-from rizzo) Date: Sat, 13 Apr 2002 09:46:44 -0700
From: Luigi Rizzo To: Oles Hnatkevych Cc: zebra@zebra.org, freebsd-net@FreeBSD.ORG Subject: Re: multicast on freebsd Message-ID: <20020413094643.A5798@iguana.icir.org> References: <2621.192.168.34.102.1018708302.squirrel@blend.fc.kiev.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2621.192.168.34.102.1018708302.squirrel@blend.fc.kiev.ua> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org seems to work fine for me... are you sure that the problem is not in the ethernet card? I have heard that some cards have problems in the programming of the multicast filter. Second thing, you can try to set sysctl -w net.inet.icmp.bmcastecho=1 to see if the box responds to the multicast address. For sure this influences how the box responds to pings to the subnet broadcast address. cheers luigi On Sat, Apr 13, 2002 at 05:31:42PM +0300, Oles Hnatkevych wrote: > hello! > > OSPF with Zebra again....... > > Messing around with the latest zebra snapshot on the latest FreeBSD-4 stable > I've found that a freebsd box running zebra+ospfd > does not work the same way as > cisco's and other routers on the network. > > The test was: "ping 224.0.0.5" from the freebsd box and cisco-s > and it shows that freebsd does not respond to this. > Maybe it's the way it was designed, but analyzing > cisco's and zebra's logs I see that suddenly the freebsd box is > out of the group and does not receive OSPF hellos after 2-3 minutes > of running. Maybe the kernel code that processes incoming > multicast packets > somehow "forgets" about being in the group? I don't believe it's the > cisco's fault (both IOS's 11 and 12) ;) And the worst part of it is > that running ospfd successfully depends on the box I use. On some > segments it works, on some it does not. > > Where am I wrong and being lame?
> > Thanks for any helpful ideas in advance. > > -- > --- > --- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Apr 13 18: 5:39 2002 Delivered-To: freebsd-net@freebsd.org Received: from portrait.com (mail.portrait.com [64.171.32.68]) by hub.freebsd.org (Postfix) with ESMTP id BA12837B416 for ; Sat, 13 Apr 2002 18:05:36 -0700 (PDT) Received: from webvolution.net (teko.portrait.com [64.171.32.36]) by portrait.com (8.9.3/8.9.3) with ESMTP id SAA01492 for ; Sat, 13 Apr 2002 18:06:16 -0700 Message-ID: <3CB8D5C1.6050207@webvolution.net> Date: Sat, 13 Apr 2002 18:05:05 -0700
From: Joao Pedras User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020406 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-net@freebsd.org Subject: netgraph+mpd panic Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Greetings all The system is a 4.5-STABLE from a week ago. I've configured mpd to act as a vpn server. Everything went well until I tested the pipe with a ftp download from one of the clients. After downloading about 25Mb at an impressive speed the system crashes thanks to a kernel panic due to "timeout table full". In freebsd-net I could find recent references to panics with netgraph and mpd but my system has all these patches since they were included in the tree back in January. The system is SMP but I have tried with a non-SMP kernel too and I get the same results. Any ideas? Please cc: your replies to me since I don't subscribe to this list. Thanks Joao To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Apr 13 18:47:24 2002 Delivered-To: freebsd-net@freebsd.org Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 9340637B792 for ; Sat, 13 Apr 2002 18:45:02 -0700 (PDT) Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id SAA31524; Sat, 13 Apr 2002 18:33:14 -0700 (PDT) Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g3E1WDo18710; Sat, 13 Apr 2002 18:32:13 -0700 (PDT) (envelope-from archie)
From: Archie Cobbs Message-Id: <200204140132.g3E1WDo18710@arch20m.dellroad.org> Subject: Re: netgraph+mpd panic In-Reply-To: <3CB8D5C1.6050207@webvolution.net> "from Joao Pedras at Apr 13, 2002 06:05:05 pm" To: Joao Pedras Date: Sat, 13 Apr 2002 18:32:13 -0700 (PDT) Cc: freebsd-net@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL88 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Joao Pedras writes: > I've configured mpd to act as a vpn server. Everything went well until I > tested the pipe with a ftp download from one of the clients. After > downloading about 25Mb at an impressive speed the system crashes thanks > to a kernel panic due to "timeout table full". Oops, I found and fixed this bug a while ago but forgot to check it into FreeBSD. Try the patch below (fyi, it contains some other unrelated tweaks too). 
-Archie __________________________________________________________________________ Archie Cobbs * Packet Design * http://www.packetdesign.com [uuencoded gzip attachment ng_pptpgre.patch.gz omitted: the encoded body is truncated in this archive and cannot be decoded]