* [LARTC] Activate ingress policies on suse enterprise server 9
@ 2005-04-18 11:19 Grames Gernot
  2005-04-18 13:01 ` Andy Furniss
                   ` (12 more replies)
  0 siblings, 13 replies; 14+ messages in thread
From: Grames Gernot @ 2005-04-18 11:19 UTC (permalink / raw)
  To: lartc



Hi,
 
What is needed to activate ingress policies for enterprise server 9?
 
My current loaded modules:
in the attachments
 
my kernel:
Linux linux 2.6.5-7.97-smp #1 SMP Fri Jul 2 14:21:59 UTC 2004 i686 i686 i386 GNU/Linux

So you can see the module sch_ingress is loaded and also the package iproute2
is installed.
 
I have also set a filter for ingress policies but I don't think it is
working, because I have never dropped packages:
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1
 
 
# tc -s qdisc ls dev eth0
qdisc ingress ffff:
 Sent 83463 bytes 1002 pkts (dropped 0, overlimits 0)
qdisc pfifo_fast 0: [Unknown qdisc, optlen=20]
 Sent 316975056 bytes 1093222 pkts (dropped 0, overlimits 0)
 
An example tcpdump:
# tcpdump -v port 8099
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:19:25.340470 IP (tos 0x0, ttl  63, id 31421, offset 0, flags [DF], length: 48) 158.226.150.44.4870 > iacapp3.local.8099: S [tcp sum ok] 2049470510:2049470510(0) win 64240 <mss 1460,nop,nop,sackOK>
13:19:25.341584 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 48) iacapp3.local.8099 > 158.226.150.44.4870: S [tcp sum ok] 1753072926:1753072926(0) ack 2049470511 win 5840 <mss 1460,nop,nop,sackOK>
13:19:25.341042 IP (tos 0x0, ttl  63, id 31422, offset 0, flags [DF], length: 40) 158.226.150.44.4870 > iacapp3.local.8099: . [tcp sum ok] ack 1 win 64240
13:19:25.342163 IP (tos 0x0, ttl  63, id 31423, offset 0, flags [DF], length: 704) 158.226.150.44.4870 > iacapp3.local.8099: P 1:665(664) ack 1 win 64240
13:19:25.342188 IP (tos 0x0, ttl  64, id 52551, offset 0, flags [DF], length: 40) iacapp3.local.8099 > 158.226.150.44.4870: . [tcp sum ok] ack 665 win 6640
13:19:25.357938 IP (tos 0x0, ttl  64, id 52552, offset 0, flags [DF], length: 297) iacapp3.local.8099 > 158.226.150.44.4870: P 1:258(257) ack 665 win 6640
13:19:25.490836 IP (tos 0x0, ttl  63, id 31429, offset 0, flags [DF], length: 399) 158.226.150.44.4870 > iacapp3.local.8099: P 665:1024(359) ack 258 win 63983
13:19:25.491986 IP (tos 0x0, ttl  64, id 52553, offset 0, flags [DF], length: 1288) iacapp3.local.8099 > 158.226.150.44.4870: P 258:1506(1248) ack 1024 win 7968
13:19:25.691613 IP (tos 0x0, ttl  63, id 31436, offset 0, flags [DF], length: 40) 158.226.150.44.4870 > iacapp3.local.8099: . [tcp sum ok] ack 1506 win 64240
9 packets captured
9 packets received by filter
0 packets dropped by kernel
 
 
what is missing!?
Or is my filter false!
 
Thanks,
 
Gernot

[-- Attachment #2: lsmod --]

Module                  Size  Used by
cls_u32                12292  1 
sch_ingress             8324  1 
iptable_filter          7040  0 
af_packet              26376  0 
iptable_nat            27684  1 
ip_conntrack           37420  1 iptable_nat
ip_tables              22400  2 iptable_filter,iptable_nat
nfsd                  106184  5 
exportfs               10368  1 nfsd
edd                    13720  0 
joydev                 14528  0 
sg                     41632  0 
st                     44828  0 
sr_mod                 21028  0 
nvram                  13448  0 
e100                   38400  0 
mii                     9344  1 e100
ohci_hcd               24324  0 
sworks_agp             13472  0 
agpgart                36140  1 sworks_agp
evdev                  13952  0 
ipv6                  276348  67 
thermal                16648  0 
processor              21312  1 thermal
fan                     8196  0 
button                 10384  0 
battery                12804  0 
ac                      8964  0 
usbcore               116700  3 ohci_hcd
e1000                  88964  0 
subfs                  12160  2 
dm_mod                 57472  0 
ide_cd                 42628  0 
cdrom                  42652  2 sr_mod,ide_cd
megaide               125160  0 
raid1                  19712  2 
ext3                  121384  3 
jbd                    75172  1 ext3
sd_mod                 25088  0 
scsi_mod              118340  5 sg,st,sr_mod,megaide,sd_mod

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Activate ingress policies on suse enterprise server 9
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
@ 2005-04-18 13:01 ` Andy Furniss
  2005-04-18 13:13 ` AW: " Grames Gernot
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Andy Furniss @ 2005-04-18 13:01 UTC (permalink / raw)
  To: lartc

Grames Gernot wrote:
> Hi,
>  
> what is needed to activate ingress policies for enterprise server 9!

> tc qdisc add dev eth0 ingress
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1kbit mtu 1 drop flowid :1

I get a memory allocation error if I try to add that.

Playing around it seems policer doesn't like small burst and mtu 
together. Burst is a value and will act like MTU so the rule below 
should work and do what you want - drop everything with dport 8099.

tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1

Andy.


* AW: [LARTC] Activate ingress policies on suse enterprise server 9
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
  2005-04-18 13:01 ` Andy Furniss
@ 2005-04-18 13:13 ` Grames Gernot
  2005-04-18 14:05 ` Andy Furniss
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Grames Gernot @ 2005-04-18 13:13 UTC (permalink / raw)
  To: lartc



Hi,

Thanks for the fast response,

.) Okay, I tried your suggestion for my port 8099 and nothing happened:
The tcp ip information goes from a firewall to my port 8099 and this port is
then routed to the original 8080, I do that because I don't want to disturb
my port 8080.
But it seems the ingress filter doesn't work on it!!

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099 to:192.168.0.10:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

.) I then tried it for port 8080 and something happened, but no drop of the
packages:
#tcpdump port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>

3 packets captured
3 packets received by filter
0 packets dropped by kernel

Thanks,

Gernot


> GRAMES Gernot
> __________________________________
> 	SIEMENS AG Austria
> 	PSE SMC AI 21    
> 	*	Tel.: +43 (0) 5 1707 24356
> 	* 	FAX: +43 (0) 5 1707 54600
> 	*	E-Mail: mailto:Gernot.Grames@Siemens.com
> 	Siemensstrasse 88 - 92
> 	A-1210 VIENNA
> __________________________________
> 


* Re: AW: [LARTC] Activate ingress policies on suse enterprise server 9
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
  2005-04-18 13:01 ` Andy Furniss
  2005-04-18 13:13 ` AW: " Grames Gernot
@ 2005-04-18 14:05 ` Andy Furniss
  2005-04-19  5:55 ` AW: AW: [LARTC] Activate ingress policies on suse enterprise serv er 9 Grames Gernot
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Andy Furniss @ 2005-04-18 14:05 UTC (permalink / raw)
  To: lartc

Grames Gernot wrote:
> Hi,
> 
> Thanks for the fast response,
> 
> .)Okay I tried your suggestion for my port 8099 and nothing happened:
> The tcp ip information goes from a firewall to my port 8099 and this port is
> then routed to the original 8080, I do that because I don't want to disturb
> my port 8080.
> But it seems the ingress filter doesn't work on it!!
> 
> iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
> to:192.168.0.10:8080
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> .)I tried then for the port 8080 and something happened but no drop of the
> packages:
> #tcpdump port 8080
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:07:21.522898 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:24.440701 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 15:07:30.456696 IP 158.226.150.44.musiconline > iacapp3.local.http-alt: S
> 3628241160:3628241160(0) win 64240 <mss 1460,nop,nop,sackOK>
> 
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel

tcpdump will see packets before policer - so they could still be 
dropped. Just to confuse matters though, depending on kernel options the 
ingress policer may see packets before or after prerouting.

use tc -s qdisc ls dev eth0 to see drops.

Andy.



* AW: AW: [LARTC] Activate ingress policies on suse enterprise serv er 9
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
                   ` (2 preceding siblings ...)
  2005-04-18 14:05 ` Andy Furniss
@ 2005-04-19  5:55 ` Grames Gernot
  2005-04-19 21:50 ` AW: AW: [LARTC] Activate ingress policies on suse enterprise Andy Furniss
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Grames Gernot @ 2005-04-19  5:55 UTC (permalink / raw)
  To: lartc



 
Good Morning,

Thanks for your hint, now I can see the dropped packages!
But it is only working for port 8080 why not for port 8099??

(If you need some indices please let me know)

Thanks
Gernot


* Re: AW: AW: [LARTC] Activate ingress policies on suse enterprise
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
                   ` (3 preceding siblings ...)
  2005-04-19  5:55 ` AW: AW: [LARTC] Activate ingress policies on suse enterprise serv er 9 Grames Gernot
@ 2005-04-19 21:50 ` Andy Furniss
  2005-04-20  6:06 ` AW: " Grames Gernot
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Andy Furniss @ 2005-04-19 21:50 UTC (permalink / raw)
  To: lartc

Grames Gernot wrote:
>  
> Good Morning,
> 
> Thanks for your hint, now I can see the dropped packages!
> But it is only working for port 8080 why not for port 8099??
> 
> (If you need some indices please let me know)

I don't know why it should work for 8080 and not 8099 - I don't think I 
quite understand your setup and aims.

Andy.

* AW: AW: AW: [LARTC] Activate ingress policies on suse enterprise
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
                   ` (4 preceding siblings ...)
  2005-04-19 21:50 ` AW: AW: [LARTC] Activate ingress policies on suse enterprise Andy Furniss
@ 2005-04-20  6:06 ` Grames Gernot
  2005-04-21 20:46 ` Andy Furniss
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Grames Gernot @ 2005-04-20  6:06 UTC (permalink / raw)
  To: lartc



 
Hi,

My problem is the following now:

I would like to set the filters for port 8099.
I have tried it, but nothing happened.

When I try the same filter for the port 8080 it is working very well.

.) working filter (here I can see the dropped packages):
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080 0xffff police rate 1kbit burst 1 drop flowid :1
.) not working filter (here I can't see the dropped packages):
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099 0xffff police rate 1kbit burst 1 drop flowid :1

Maybe it is a problem of the port forwarding, because I have set the
forwarding of the incoming traffic on 8099 to port 8080.

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099 to:192.168.0.10:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So my goal is to restrict incoming access only to port 8099 and not 8080
(where the filters work)!

Gernot


* Re: AW: AW: AW: [LARTC] Activate ingress policies on suse enterprise
  2005-04-18 11:19 [LARTC] Activate ingress policies on suse enterprise server 9 Grames Gernot
                   ` (5 preceding siblings ...)
  2005-04-20  6:06 ` AW: " Grames Gernot
@ 2005-04-21 20:46 ` Andy Furniss
  2005-04-22  6:25 ` AW: AW: AW: AW: [LARTC] Activate ingress policies on suse enterpr Grames Gernot
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 14+ messages in thread
From: Andy Furniss @ 2005-04-21 20:46 UTC (permalink / raw)
  To: lartc

Grames Gernot wrote:
>  
> Hi,
> 
> My problem is following now:
> 
> I would like to set the filters for port 8099.
> I have tried it, but nothing happened.
> 
> When I try the same filter for the port 8080 it is working very well.
> 
> .) working filter (here I can see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8080
> 0xffff police rate 1kbit burst 1 drop flowid :1
> .) not working filter (here I can`t see the dropped packages):
> tc filter add dev eth0 parent ffff: protocol ip u32 match ip dport 8099
> 0xffff police rate 1kbit burst 1 drop flowid :1
> 
> Maybe it is a problem of the port forwarding, because I have set the
> forwarding of the incoming traffic on 8099 to port 8080. 
> 
> iptables -L -t nat 
> Chain PREROUTING (policy ACCEPT) 
> target     prot opt source               destination 
> DNAT       tcp  --  anywhere             iacapp3.local       tcp dpt:8099
> to:192.168.0.10:8080 

It looks like you are using the old policer that is after PREROUTING then -
I guess you don't see any drops on 8099 because you already DNATed it to 
8080.

> 
> So my goal is to restrict incoming access only to port 8099 and not 8080
> (where the filters work)!

If you drop 8099 then your DNAT rule won't ever match - or are you 
thinking of multiple interfaces?

To get policer before PREROUTING you need to recompile with different 
kernel options - You should be able to do the same with just IPTABLES 
rules specifying interface etc.

Andy.

* AW: AW: AW: AW: [LARTC] Activate ingress policies on suse enterpr
From: Grames Gernot @ 2005-04-22  6:25 UTC
  To: lartc




Hi,

So far, if I have understood correctly: I route the incoming TCP/IP messages on
port 8099 directly to 8080, and then the ingress filter on port 8099 has
nothing to do!?

Yes, I am thinking of different interfaces on one machine (different ports for
different requests, with different restrictions).

What exactly has to be done to set the policer before PREROUTING?
Which kernel options, or also extra modules!?

Or how can it be done at the iptables level??

Thanks for helping me out in such problematic things.

Gernot


* Re: AW: AW: AW: AW: [LARTC] Activate ingress policies on suse enterpr
From: Andy Furniss @ 2005-04-22 23:34 UTC
  To: lartc

Grames Gernot wrote:
> Hi,
> 
> So far, if I have understood correctly: I route the incoming TCP/IP messages on
> port 8099 directly to 8080, and then the ingress filter on port 8099 has
> nothing to do!?
> 
> Yes, I am thinking of different interfaces on one machine (different ports for
> different requests, with different restrictions).
> 
> What exactly has to be done to set the policer before PREROUTING?
> Which kernel options, or also extra modules!?

On recent kernels if you select packet action in Qos and/or fair queuing 
of config the policer will be before PREROUTING.

> 
> Or how can it be done at the iptables level??

You could have your DNAT rule only for packets from the interface you 
want eg .... -i eth1 DNAT ...... would only do packets inbound from eth1.

Andy.

* [LARTC] Activate ingress policies on suse enterprise server 9
From: Grames Gernot @ 2005-04-26  5:58 UTC
  To: lartc



 
Hi,

The problem is that my goal is to use the policer and not iptables.
Because with the policer I think you can give more rules and restrictions
to the incoming TCP/IP traffic.

So I would prefer to use the policer and not iptables.

Thanks
Gernot


-----Original Message-----
From: Andy Furniss [mailto:andy.furniss@dsl.pipex.com] 
Sent: Monday, 25 April 2005 21:49
To: Grames Gernot
Subject: Re: AW: AW: AW: AW: AW: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Hello,
> 
> Maybe you can explain me the kernel selections a little bit more detailed!
> Where can I find this? How to activate? Kernel Compilation necessary? How
> compile?
> 
> Sorry I am a beginner in this section.

I think the easiest way for you to do it is not bother using policers to 
drop packets, but use iptables instead.

If you use distros I can not tell you exactly what to do about compiling 
a new kernel as I use LFS and there are probably differences.

If you really need to use policer say and I'll tell you how I do them - 
but I really think what you want to do is best done with just iptables 
rules.

Andy.





* Re: [LARTC] Activate ingress policies on suse enterprise server 9
From: Andy Furniss @ 2005-04-26 22:30 UTC
  To: lartc

Grames Gernot wrote:
>  
> Hi,
> 
> The problem is that my goal is to use the policer and not iptables.
> Because with the policer I think you can give more rules and restrictions
> to the incoming TCP/IP traffic.

You can limit with iptables as well as drop.

> 
> So I would prefer to use the policer and not iptables.

I just looked and AFAICT you will need a newer kernel than the 2.6.5 
that your suse is using maybe suse do a more recent one - I don't know 
about doing kernels on suse - you'll have to see suse docs or ask on a 
suse group about doing kernels as you haven't done it before.

The option that you need selected after doing a make menuconfig is 
packet actions in Qos and/or fair queuing under networking options under 
networking support under Device drivers.

When you select that you can then select policing actions and it will be 
the new policer.

I don't know where your current config is - but try and find it and use 
it as a base when doing a new kernel - you can load it from the make 
menuconfig menus.

Andy.

* AW: [LARTC] Activate ingress policies on suse enterprise server 9
From: Grames Gernot @ 2005-04-27  6:03 UTC
  To: lartc



Hi, 

Only for my info:
How can it be done via IPTables?
Do you have an example or a howto?

Thanks
Gernot


* Re: AW: [LARTC] Activate ingress policies on suse enterprise serv
From: Andy Furniss @ 2005-04-27 19:51 UTC
  To: lartc

Grames Gernot wrote:
> Hi, 
> 
> Only for my info:
> How can it be done via IPTables?
> Do you have an example or a howto?

There are plenty of docs on www.netfilter.org which also contains a link 
to this tutorial which explains limit.

http://iptables-tutorial.frozentux.net/

Andy.
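The two iptables suggestions made in the thread (a DNAT rule restricted with -i, and the limit match), combined into one rule set as an added example that is not part of any post. Ports 8099/8080 and 192.168.0.10 come from the thread; the interface eth0, the mark 0x63 and the rate 5/second with burst 10 are assumptions. The script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. From the thread: ports 8099 and 8080 and
# the DNAT target 192.168.0.10. Assumed here: interface, mark, rate and burst.
WAN_IF=${WAN_IF:-eth0}     # interface the restricted traffic arrives on
MARK=${MARK:-0x63}         # arbitrary packet mark, constructed for this example
RATE=${RATE:-5/second}     # the limit match counts packets, not bits
BURST=${BURST:-10}

# Dry run by default: print each command. Run with APPLY=1 as root to execute.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

ruleset() {
    # mangle/PREROUTING is traversed before nat/PREROUTING, so the packet
    # still carries its original destination port 8099 here: tag it.
    ipt -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --dport 8099 \
        -j MARK --set-mark "$MARK"

    # DNAT only what arrives on that interface (the "-i" suggestion).
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8099 \
        -j DNAT --to-destination 192.168.0.10:8080

    # After DNAT the port reads 8080, so select on the mark instead. INPUT
    # covers a local 192.168.0.10, FORWARD a separate host behind this box.
    for chain in INPUT FORWARD; do
        ipt -A "$chain" -m mark --mark "$MARK" \
            -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
        ipt -A "$chain" -m mark --mark "$MARK" -j DROP
    done
}

ruleset
```

Traffic sent straight to port 8080 never receives the mark, so only connections that entered on 8099 are limited.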
