# eth-tool issue



## Cahit (Aug 7, 2017)

Hello ,

We need to install eth-tool on freebsd. As far as i searched on the net it is not possible but i am very suprised to see this on free bsd man's page 

https://www.freebsd.org/cgi/man.cgi...on=0&manpath=Red+Hat+Linux/i386+9&format=html


I try to install from the given link below but i am facing with an issue .
Does any body know how to over come this issue ?




```
root@fw:~/Driver/rng-tools-5 # ./config
./config: Command not found.
root@fw:~/Driver/rng-tools-5 # ./configure 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for ranlib... ranlib
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking whether gcc needs -traditional... no
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking gcrypt.h usability... no
checking gcrypt.h presence... no
checking for gcrypt.h... no
configure: libgcrypt support disabled
checking dependency style of gcc... gcc3
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating contrib/Makefile
config.status: creating rngd.8
config.status: creating rngtest.1
config.status: creating rng-tools-config.h
config.status: rng-tools-config.h is unchanged
config.status: executing depfiles commands
root@fw:~/Driver/rng-tools-5 # make
make  all-recursive
Making all in contrib
gcc -DHAVE_CONFIG_H -I.      -g -O2 -MT fips.o -MD -MP -MF .deps/fips.Tpo -c -o fips.o fips.c
mv -f .deps/fips.Tpo .deps/fips.Po
rm -f librngd.a
ar cru librngd.a fips.o 
ranlib librngd.a
gcc -DHAVE_CONFIG_H -I.      -g -O2 -MT stats.o -MD -MP -MF .deps/stats.Tpo -c -o stats.o stats.c
mv -f .deps/stats.Tpo .deps/stats.Po
gcc -DHAVE_CONFIG_H -I.      -g -O2 -MT rngtest.o -MD -MP -MF .deps/rngtest.Tpo -c -o rngtest.o rngtest.c
rngtest.c:39:18: fatal error: argp.h: No such file or directory
compilation terminated.
*** Error code 1

Stop.
make[2]: stopped in /root/Driver/rng-tools-5
*** Error code 1

Stop.
make[1]: stopped in /root/Driver/rng-tools-5
*** Error code 1

Stop.
make: stopped in /root/Driver/rng-tools-5
```


----------



## SirDice (Aug 7, 2017)

Cahit said:


> We need to install eth-tool on freebsd.


Why? We don't need it. All it's functionality is in ifconfig(8).



> As far as i searched on the net it is not possible but i am very suprised to see this on free bsd man's page
> 
> https://www.freebsd.org/cgi/man.cgi...on=0&manpath=Red+Hat+Linux/i386+9&format=html


If you look a little closer you'll see you're looking at the Red Hat man pages.


----------



## Cahit (Aug 7, 2017)

SirDice said:


> Why? We don't need it. All it's functionality is in ifconfig(8).
> 
> 
> If you look a little closer you'll see you're looking at the Red Hat man pages.




because i need to use ntuple filters. We are getting floods from same ip address  . Freebsd putting all traffic to single core and if that was an attack from a single ip it is locking the cpu core and the system. IPFW or pfsense does not stop happening this. but ntuple filters is a block system on nic chip.
Should you do this with ifconfig ?


----------



## SirDice (Aug 7, 2017)

Whatever you do it will never stop the traffic from arriving at your system. So even if you manage to block the traffic your upstream connection will still be filled up with connection attempts.


----------



## Cahit (Aug 7, 2017)

SirDice said:


> Whatever you do it will never stop the traffic from arriving at your system. So even if you manage to block the traffic your upstream connection will still be filled up with connection attempts.



Our server has 10Gbps dual X550 Fiber direc connection to MX240 Junier router.
It has dual E5 2670 CPU 

I have tested both on cent os 7 with ntuple filter & freebsd 11 with ipfw  

on free bsd  check out the cpu 6 core with 400 mbps / 700k pps. it will be stucked if the attack goes to  ~ 600 mbps 
on cent os without ntuple the position is same but with ntuple we test it with 5Gbps 4M pps !!! nothing happened,


https://github.com/pavel-odintsov/f...NIC-capabilities-on-wire-speed-(10GE,-14Mpps)


I need to apply some rules on nic chipset. How should i do it on freebsd without ethtool.


----------



## Cahit (Aug 7, 2017)

I have 40 Gbps of connectivity and RTBH systems . If it required i should black hole the ip address after the limits. But I should black hole my ip addresses not an other isp's flooder ip address on upstreams. So I do not want to black hole my ip address , i just want to drop attacker ip address. 
I could not do this on the router because MX has not a capability on PPS rate limiting.And it should not be healty because traffic should be real too. We have some attack detection softwares that we developed on freebsd depending on our needs. 
So i exactly need* ntuple filters or let the balance* *single source floods to cores not hit the one core*


----------



## ondra_knezour (Aug 7, 2017)

There was two attempts to implement this functionality I am aware of. I would ask their author if it got somewhere and than try lists, probably freebsd-net@.


----------



## tonve (Aug 14, 2017)

"I could not do this on the router because MX has not a capability on PPS rate limiting."
You are wrong - MXes has this capability, you can find it at "firewall policer _policer-name_ if-exceeding-pps".
Anyway, attacker's IPs should be detected (f.e. with fastnetmon) and blocked via flowspec/openflow (MX has support for both proto). That's more accurate that any pps-like limiting service.


----------



## Pavel Odintsov (Aug 15, 2017)

Thanks for suggesting FastNetMon! We even have it in FreeBSD's ports 

BGP Flow Spec on Juniper MX series works really well. To filter attack's traffic you could apply rate-limit by bandwidth or just use discard taget to drop traffic completely.


----------

