From owner-freebsd-current Mon Feb 26 13:19:36 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA17268 for current-outgoing; Mon, 26 Feb 1996 13:19:36 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA17260 Mon, 26 Feb 1996 13:19:26 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id PAA15987; Mon, 26 Feb 1996 15:17:53 -0600
From: Joe Greco
Message-Id: <199602262117.PAA15987@brasil.moneng.mei.com>
Subject: Re: -stable hangs at boot (fwd)
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Mon, 26 Feb 1996 15:17:53 -0600 (CST)
Cc: imb@scgt.oz.au, stable@freebsd.org, current@freebsd.org
In-Reply-To: <12319.825367454@critter.tfs.com> from "Poul-Henning Kamp" at Feb 26, 96 09:44:14 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-current@freebsd.org
Precedence: bulk

> > for byte count rollover, I don't know if it's a 32-bit or 64-bit quantity.
> > I would like to be able to leave a "cumulative" counter running...

> yes, I would really love to make them 64 instead of 32, but right now
> the structure is 64bytes, and I'd hate to increase it to 128 :-(

Ummm.  :-/  Some of us wouldn't mind :-) (but some would, I know).

> > > 2. are you going to miss "bidir" much ?
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >
> > Owwwww.  See below.  I use it a lot :-(

> I thought so, it's just that we need a lot of special code to do it,
> and I think it is kind of messy anyway...

It is.  But on the other hand, tracking two separate filters isn't always
optimum.

> > The problem is, I handle multiple CIDR blocks.  If I had a single CIDR
> > block, I could do

> CIDR ?  Uhm, Canned Indian Doughnut Rolls ?  no, hmm, I guess,
> Contiguous Internet something ?

Classless Inter-Domain Routing.  Basically classed routing is obsolete, has
been for a while.  You get assigned BLOCKS of address space and rather than
having to route 8 class-C addresses separately, you route an entire group of
addresses with a single routing table entry.  For example, I "own"
206.55.64.0/20, which is composed of the sixteen "Class C" networks
206.55.64.0-206.55.79.255.  However I also route some other blocks, too.
This makes it a real pain to do conceptually simple filters like "How much
traffic is going over my T1?"

See http://www.rain.net/faq/cidr.faq.html.

> Check out the strawman I just emailed, and actually you can do that in
> the present code:
>
> ipfw add count from any to any in via 204.95.219.1
> ipfw add count from any to any out via 204.95.219.1
>
> :-)

!!!!!  :-)  I am very thrilled!

> > Is it possible to fill in the byte/packets dropped by a particular filter?
> > (the fields in ipfw -s -a -n l are always 0)

> It is :-)  I can see that I'm about two days ahead of you still :-)

I'm impressed :-)

> > Last time I checked (2.0.5R), the "reject" keyword didn't produce an
> > ICMP HOST_UNREACHABLE.

> It only does in some cases, I'll have to check it out a bit.  It's a
> minefield, so I'm very careful.

Yes, I can imagine :-)  I just want my firewalls to do something mildly
more social - like return a HOST_UNREACHABLE :-)  It's not necessary, but
it is cooler.

> Sounds like you should take a peek on the ipfw.8 manpage of -stable or
> -current, you may just like it :-)

Q: Are there any differences that would prevent me from taking it and
dropping it into a 2.0.5R or 2.1.0R based box (preferably with as little
effort as humanly possible)??

> > Obviously I know you can't possibly address all of the above, but these are

> try me :-)

Please forgive me for underestimating you :-)

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                      414/546-7968
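As an added illustration, not code from this thread or from ipfw, of the two accounting problems discussed above: the /20 block arithmetic behind "how much traffic is going over my T1" across several CIDR blocks, and keeping a "cumulative" total from a 32-bit counter that rolls over. It assumes a constructed second block 204.95.219.0/24 and constructed flow records; only 206.55.64.0/20 comes from the message.

```python
import ipaddress

# Blocks the poster routes: the /20 named in the message plus a constructed
# second block (hypothetical, not from the thread) standing in for the
# "some other blocks, too".
ROUTED_BLOCKS = [
    ipaddress.ip_network("206.55.64.0/20"),
    ipaddress.ip_network("204.95.219.0/24"),  # constructed example block
]

COUNTER_MODULUS = 2 ** 32  # the ipfw byte/packet counters discussed are 32-bit


def block_span(cidr):
    """Return (first address, last address, number of class C networks)."""
    block = ipaddress.ip_network(cidr)
    return (str(block.network_address), str(block.broadcast_address),
            block.num_addresses // 256)


def in_routed_blocks(address, blocks=ROUTED_BLOCKS):
    """True if the address lies inside any of the routed blocks."""
    addr = ipaddress.ip_address(address)
    return any(addr in block for block in blocks)


def bidir_bytes(records, blocks=ROUTED_BLOCKS):
    """Sum the bytes of (src, dst, length) records whose source OR
    destination is in a routed block: link traffic in either direction,
    each record counted once."""
    return sum(length for src, dst, length in records
               if in_routed_blocks(src, blocks) or in_routed_blocks(dst, blocks))


class CumulativeCounter:
    """Accumulate a long-running total from a 32-bit counter that wraps.

    Feed raw counter readings in order.  A reading below the previous one
    is taken as exactly one wrap, which is only correct if the counter is
    polled more often than it can advance by 2**32.
    """

    def __init__(self, first_reading=0):
        self.last = first_reading % COUNTER_MODULUS
        self.total = 0

    def update(self, reading):
        reading %= COUNTER_MODULUS
        # Modular subtraction yields the true delta even across a wrap.
        self.total += (reading - self.last) % COUNTER_MODULUS
        self.last = reading
        return self.total
```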