From owner-freebsd-isp@FreeBSD.ORG Mon Feb 5 22:13:57 2007
From: Justin Robertson <justin@sk1llz.net>
To: freebsd-isp@freebsd.org
Date: Mon, 05 Feb 2007 13:52:19 -0800
Message-ID: <45C7A713.2020201@sk1llz.net>
Subject: 6.x, 4.x ipfw/dummynet pf/altq - network performance issues

So, this may be the wrong list to post to, but it seemed the most appropriate. If someone could suggest a better location to move/cross-post to, let me know.

I've been running some tests using FreeBSD to filter and rate limit traffic. My first thought was to go to the latest stable release, which was 6.1 at the time. I've since done the same test under 6.2 and haven't seen any difference. I later migrated to running 4.11 to get away from these issues, but have discovered others. I've tested on an AMD 3200+ system with dual Intel 1000 series NICs, an AMD Opteron 165 with the same, and a Xeon 2.8 with the same. I've used both stock and Intel drivers.

6.x:

Normal traffic isn't a problem. The second you get into the realm of abusive traffic, such as DoS/DDoS (over 100mbps) UDP floods, the machine falls over. Little packets with IP lengths of 28-29 bytes seem to do the most damage. I've tried playing with various sysctl values and have seen no difference at all. By "falls over" I mean "stops sending all traffic in any direction". TCP SYN packets have the same effect, though not quite as rapidly (200~230mbps).

I then tried moving filtering off to a transparent bridge. This improved the situation somewhat, but an extra 30-40mbps of UDP data and it would ultimately crumble. Overall the machine would be able to move between 300k-600k PPS before becoming a cripple, depending on packet length, protocol, and any flags. Without a specific pf or ipfw rule to deal with a packet the box would fall over; with specific block rules it would manage an extra 30-40mbps and then fall over.

4.11:

Again, normal traffic isn't a problem. When routing & filtering on the same system some of the problems found in 6.x are still apparent, but to a lesser degree. Splitting the task into a transparent filtering bridge with a separate routing box appears to clear it up entirely. UDP floods are much better handled - an ipfw block rule for the packet type and the machine responds as if there were no flood at all (until total bandwidth saturation or the PPS limits of the hardware, which in this case was around 950Mbps). TCP SYN attacks are also better handled; again a block rule makes it seem as if there were no attack at all. The system also appears to be able to move 800-900k PPS of any one protocol at a time.
However, the second you try to queue abusive traffic the machine will fall over. Inbound floods appear to cause ALL inbound traffic to lag horrifically (while rate limiting/piping), which inherently causes a lot of outbound loss due to broken TCP. Now, I'm not sure if this is something to do with dummynet being horribly inefficient, or if there's some sysctl value to deal with inbound that I'm missing.

I suppose my concerns are two-fold. Why is 6.x collapsing under traffic that 4.11 could easily block and run merrily along with, and is there a queueing mechanism in place that doesn't tie up the box so much on inbound flows that it ignores all other relevant traffic?

(As a note, all tests were done with device polling enabled. Without it systems fall over pretty quickly. I also tried tests using 3Com cards and had the same results.)

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 7 13:26:38 2007
From: Anders Nordby <anders@fupp.net>
To: freebsd-isp@FreeBSD.org
Date: Wed, 7 Feb 2007 14:06:14 +0100
Message-ID: <20070207130614.GA15328@fupp.net>
Subject: Per virtualhost bandwidth/hitrate statistics for Apache

Hello,

I just wonder if anyone has any good hints about software to use (Apache module?) for fetching per-virtualhost statistics about bandwidth usage and hitrates (hits per second) from Apache. I've been using mod_watch for a while, to graph this with MRTG, but it seems it's discontinued.

What do people use to measure statistics per virtualhost?

Cheers,

-- 
Anders.

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 7 15:17:55 2007
From: John Nielsen <lists@jnielsen.net>
To: freebsd-isp@freebsd.org
Date: Wed, 7 Feb 2007 09:34:33 -0500
References: <20070207130614.GA15328@fupp.net>
In-Reply-To: <20070207130614.GA15328@fupp.net>
Message-Id: <200702070934.34074.lists@jnielsen.net>
Cc: Anders Nordby
Subject: Re: Per virtualhost bandwidth/hitrate statistics for Apache

On Wednesday 07 February 2007 08:06, Anders Nordby wrote:
> I just wonder if anyone has any good hints about software to use (Apache
> module?) for fetching per-virtualhost statistics about bandwidth usage
> and hitrates (hits per second) from Apache. I've been using mod_watch
> for a while, to graph this with MRTG, but it's discontinued it seems.
>
> What do people use to measure statistics per virtualhost?

I use Apache's logrotate and a separate log directory for each virtualhost. I have a script that runs from cron every day that runs the logs through webalizer and then cleans up logs older than a specified number of days. In fact (since I'm feeling like sharing), here it is:

    #!/bin/sh
    # For every log directory listed in logpaths.txt, feed each access log
    # (oldest first) to webalizer, then delete rotated logs older than a month.
    for path in `cat /usr/local/scripts/logpaths.txt` ; do
        for log in `find "${path}" -name access\* | sort -n` ; do
            if [ -r "${path}/hostname.txt" ]; then
                # Optional hostname.txt supplies the title for the report
                host=`cat "${path}/hostname.txt"`
                /usr/local/bin/webalizer -Q -p -n "${host}" \
                    -o "${path}" "${log}"
            else
                /usr/local/bin/webalizer -Q -p -o "${path}" "${log}"
            fi
        done
        find "${path}" -name \*.log\* ! -newermt '1 month ago' -delete
    done

The script depends on the existence of a "logpaths.txt" file, which contains a list of directories to scan, one per line. It also supports an optional "hostname.txt" for each directory so webalizer can use the right one in the title of its reports. Webalizer output is stored in the log directory, but that could easily be changed.

The output is plain HTML, so you can publish it on a (presumably private) webserver somewhere. Since I give certain clients access to their reports I use webmin for this. However, I just point webmin to a dummy file within each log directory and don't let it actually run webalizer (since my script already takes care of that). So just the "View report" button works, but it gets the job done.

JN

From owner-freebsd-isp@FreeBSD.ORG Wed Feb 7 16:01:14 2007
From: "Jorge Evangelista" <netsecuredata@gmail.com>
To: freebsd-isp@freebsd.org
Date: Wed, 7 Feb 2007 10:33:06 -0500
In-Reply-To: <200702070934.34074.lists@jnielsen.net>
References: <20070207130614.GA15328@fupp.net>
  <200702070934.34074.lists@jnielsen.net>
Subject: Re: Per virtualhost bandwidth/hitrate statistics for Apache

Hi Anders,

A few days ago I configured a web server with a bandwidth manager (the bwmod module) compiled into the Apache web server. It works fine. You could try installing this module, http://bwmod.sourceforge.net/index.html, and testing it with your virtualhosts. Here is my small install guide; I wrote it in Spanish.

Installing bwmod: first comment out the lines mentioned below.

    vi mod_bw.c

    /* Compatibility for APR < 1 */
    #if (APR_MAJOR_VERSION >= 1)
    #define apr_atomic_inc32 apr_atomic_inc
    #define apr_atomic_dec32 apr_atomic_dec
    #define apr_atomic_add32 apr_atomic_add
    #define apr_atomic_cas32 apr_atomic_cas
    #define apr_atomic_set32 apr_atomic_set
    #endif

Compile with the following command:

    /usr/local/apache2/bin/apxs -i -a -c mod_bw.c

Enable it in Apache's httpd.conf:

    BandWidthModule On

For unlimited bandwidth to one IP:

    BandWidth 200.168.190.6 0

To apply bandwidth limits to the virtual hosts:

Limit all internal users to 1000 kb/s with a minimum of 50kb/s:

    BandwidthModule On
    ForceBandWidthModule On
    Bandwidth all 1024000
    MinBandwidth all 50000
    LargeFileLimit * 500 50000
    Servername www.example.com

Limit every user to a max of 10Kb/s on a vhost:

    BandwidthModule On
    ForceBandWidthModule On
    Bandwidth all 10240
    MinBandwidth all -1
    Servername www.example.com

Examples:

    BandWidth all 102400
    MinBandWidth all 50000

The example above will have a top speed of 100kb for the 1st client. If more clients come, it will be split accordingly, but everyone will have at least 50kb (even if you have 50 clients).

    BandWidth all 50000
    MinBandWidth all -1

This example makes everyone have 50kb as top speed.

On 2/7/07, John Nielsen wrote:
> On Wednesday 07 February 2007 08:06, Anders Nordby wrote:
> > I just wonder if anyone has any good hints about software to use (Apache
> > module?) for fetching per-virtualhost statistics about bandwidth usage
> > and hitrates (hits per second) from Apache. I've been using mod_watch
> > for a while, to graph this with MRTG, but it's discontinued it seems.
> >
> > What do people use to measure statistics per virtualhost?
>
> I use Apache's logrotate and a separate log directory for each virtualhost. I
> have a script that runs from cron every day that runs the logs through
> webalizer and then cleans up logs older than a specified number of days. In
> fact (since I'm feeling like sharing), here it is:
>
> #!/bin/sh
> for path in `cat /usr/local/scripts/logpaths.txt` ; do
>     for log in `find ${path} -name access\* | sort -n` ; do
>         if [ -r ${path}/hostname.txt ]; then
>             host=`cat ${path}/hostname.txt`
>             /usr/local/bin/webalizer -Q -p -n ${host} \
>                 -o ${path} ${log}
>         else
>             /usr/local/bin/webalizer -Q -p -o ${path} ${log}
>         fi
>     done
>     find ${path} -name \*.log\* ! -newermt '1 month ago' -delete
> done
>
> The script depends on the existence of a "logpaths.txt" file, which contains a
> list of directories to scan, one per line. It also supports an
> optional "hostname.txt" for each directory so webalizer can use the right one
> in the title of its reports. Webalizer output is stored in the log directory
> but that could easily be changed.
>
> The output is plain HTML, so you can publish it on a (presumably private)
> webserver somewhere. Since I give certain clients access to their reports I
> use webmin for this. However I just point webmin to a dummy file within each
> log directory and don't let it actually run webalizer (since my script
> already takes care of that). So just the "View report" button works, but it
> gets the job done.
>
> JN

-- 
"The network is the computer"

From owner-freebsd-isp@FreeBSD.ORG Sat Feb 10 09:10:11 2007
From: Geraint Edwards <gedge-lists@yadn.org>
To: Justin Robertson
Cc: freebsd-isp@freebsd.org
Date: Sat, 10 Feb 2007 08:41:10 +0000
Message-ID: <20070210084110.GN30460@cymru.serf.org>
References: <45C7A713.2020201@sk1llz.net>
In-Reply-To: <45C7A713.2020201@sk1llz.net>
Subject: Re: 6.x, 4.x ipfw/dummynet pf/altq - network performance issues

Justin Robertson said (on Mon, Feb 05, 2007 at 01:52:19PM -0800):
> 6.x;
> Normal traffic isn't a problem. The second you get into the realm of
> abusive traffic, such as DoS/DDoS (over 100mbps) UDP floods, the machine
> falls over.
> Little packets with IP lengths of 28-29 bytes seem to do the
> most damage. I've tried playing with various sysctl values and have seen
> no difference at all. By "falls over" I mean "stops sending all traffic
> in any direction".

Just a thought (may not be related), but did you see 'known problems' at http://www.uk.freebsd.org/releases/6.2R/errata.html ?

-- 
Geraint A. Edwards (aka "Gedge")

From owner-freebsd-isp@FreeBSD.ORG Sat Feb 10 18:00:13 2007
From: ea@sellinet.net
To: freebsd-isp@freebsd.org
Date: Sat, 10 Feb 2007 19:33:30 +0200 (EET)
Message-ID: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6>
Subject: [Strange behavior with arp permanent entries]

Hello, Guys!

I'm trying to restrict some LAN access with permanent ARP entries, but it didn't work, or at least not the way I understood it. For example, I have the following permanent entries:

    user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
    user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]

As I understand it, if user1 attempts to use user2's IP address, the router should block all packets coming from the wrong physical address. But actually that didn't happen, and user1 can use user2's IP address without any problems.

Maybe some of you will advise me to use ipfw arp rules, but when I turn net.link.ether.ipfw on I get very low performance from the router. We're talking about 800mbps and 600k packets per second, and many users, which means many ipfw arp rules.
System1 info:
FreeBSD 6.2-RELEASE
Intel(R) Xeon(R) CPU 5130 @ 2.00GHz
1G ram

System2 info:
FreeBSD 6.1-RELEASE
Intel(R) Xeon(R) CPU 5130 @ 2.00GHz
1G ram

Also I have a few other systems, and it seems that it works on them:

(Working) System3 info:
6.0-RELEASE
Dual Core AMD Opteron(tm) Processor 275 @ 2193.76-MHz
1G ram

(Working) System4 info:
6.2-PRERELEASE
Intel(R) Xeon(R) CPU 5130 @ 2.00GHz
1G ram

Thank you guys. Any suggestions will be appreciated.

Regards,
E.A.
--------------------------------------------------------------
SELLINET Internet Services Provider - http://www.sellinet.net/

From owner-freebsd-isp@FreeBSD.ORG Sat Feb 10 18:58:04 2007
From: Jim Long <isp@museum.rain.com>
To: ea@sellinet.net
Cc: freebsd-isp@freebsd.org
Date: Sat, 10 Feb 2007 10:20:15 -0800
Message-ID: <20070210182015.GA9234@ns.umpquanet.com>
References: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6>
In-Reply-To: <2947.82.199.223.6.1171128810.squirrel@82.199.223.6>
Subject: Re: [Strange behavior with arp permanent entries]

On Sat, Feb 10, 2007 at 07:33:30PM +0200, ea@sellinet.net wrote:
>
> I'm trying to restrict some LAN access with permanent ARP entries, but it
> didn't work, or at least not the way I understood it. For example, I have the
> following permanent entries:
>
> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>
> As I understand it, if user1 attempts to use user2's IP address, the router
> should block all packets coming from the wrong physical address. But actually
> that didn't happen, and user1 can use user2's IP address without any problems.

Have you tried using 'staticarp' in this interface's ifconfig(8) settings? If you turn on staticarp, you'll probably need to specify arp entries for ALL hosts on that interface -- or at least, all the ones you care about.

HTH,

Jim
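The audit Jim's reply implies can be scripted. The Python below is an added example, not code from anyone in this thread: it parses `arp -an` output in the line format quoted in ea's message, compares it with the intended permanent IP-to-MAC map, and reports addresses whose MAC differs from the map, expected entries that are missing or merely learned rather than permanent, and one MAC answering for several addresses on the same interface (the situation ea describes shows up as exactly that, because an ARP entry, permanent or learned, only decides which MAC the router sends to for an address and does not reject frames arriving from a different MAC). It also emits the `arp -S` and `ifconfig <if> staticarp` commands that would make the map authoritative; both are FreeBSD commands. The two user entries and the vlan804 interface come from the thread; the mapping table itself, the gateway entry 00:11:22:33:44:55 and the sample `arp -an` output are constructed.

```python
"""Audit a FreeBSD ARP table against the intended permanent IP->MAC map.

Added example, not code from the thread. Assumes the `arp -an` line format
quoted in the thread (FreeBSD 6.x); the sample output below is constructed.
"""
import re
from dataclasses import dataclass

# Intended permanent mapping per interface (assumption: the two entries from
# the thread plus a constructed gateway entry). MACs are kept lowercase.
EXPECTED = {
    "vlan804": {
        "82.199.215.195": "00:0f:ea:a4:60:c5",  # user1 (from the thread)
        "82.199.215.196": "00:13:8f:b1:68:4b",  # user2 (from the thread)
        "82.199.215.1": "00:11:22:33:44:55",    # gateway (constructed)
    },
}

# Constructed `arp -an` output: user2's address is now answered by user1's
# MAC, and that entry was learned dynamically (no "permanent" flag).
SAMPLE_ARP_OUTPUT = """\
? (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
? (82.199.215.196) at 00:0f:ea:a4:60:c5 on vlan804 [vlan]
? (82.199.215.1) at 00:11:22:33:44:55 on vlan804 permanent [vlan]
"""

# "<host> (<ip>) at <mac> on <ifname> <flags...>"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}|\(incomplete\)) "
    r"on (?P<ifname>\S+)(?P<flags>.*)$"
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    ifname: str
    permanent: bool


def parse_arp(output: str) -> list[ArpEntry]:
    """Parse `arp -an` lines; lines that do not match the format are skipped."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m is None:
            continue
        entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["ifname"],
                                "permanent" in m["flags"].split()))
    return entries


def audit(entries: list[ArpEntry], expected=EXPECTED) -> list[tuple[str, str]]:
    """Compare the live table with the intended map; return (kind, detail) findings."""
    findings = []
    live = {(e.ifname, e.ip): e for e in entries}
    for ifname, table in expected.items():
        for ip, mac in table.items():
            e = live.get((ifname, ip))
            if e is None:
                findings.append(("missing", f"{ip} on {ifname}: no entry, expected {mac}"))
            elif e.mac != mac:
                findings.append(("mac-mismatch", f"{ip} on {ifname}: {e.mac} instead of {mac}"))
            elif not e.permanent:
                findings.append(("not-permanent", f"{ip} on {ifname}: entry was learned, not pinned"))
    # One MAC answering for several addresses on one interface is the
    # signature of a host using another host's IP.
    by_mac: dict[tuple[str, str], list[str]] = {}
    for e in entries:
        by_mac.setdefault((e.ifname, e.mac), []).append(e.ip)
    for (ifname, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("duplicate-mac", f"{mac} on {ifname} answers for {', '.join(sorted(ips))}"))
    return findings


def pin_commands(expected=EXPECTED) -> list[str]:
    """FreeBSD commands that make the intended map authoritative: `arp -S`
    replaces any existing entry for the host, and `staticarp` stops the
    interface from learning new entries (so every host then needs one)."""
    cmds = []
    for ifname, table in expected.items():
        cmds.extend(f"arp -S {ip} {mac}" for ip, mac in table.items())
        cmds.append(f"ifconfig {ifname} staticarp")
    return cmds


if __name__ == "__main__":
    # On a live router, replace SAMPLE_ARP_OUTPUT with the stdout of `arp -an`.
    for kind, detail in audit(parse_arp(SAMPLE_ARP_OUTPUT)):
        print(f"{kind:14s} {detail}")
    print("\n".join(pin_commands()))
```

Run periodically from cron, the audit catches the learned entry that contradicts the map, which a permanent entry alone never reports; the `pin_commands` output is the configuration Jim describes, with the caveat he gives that staticarp requires an entry for every host you still want to reach on that interface.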