I am looking to implement FreeBSD as a router/natd platform for five private
10.x.x.x/24 subnets to connect to the public world via a sixth NIC. Our
immediate public address space is a protected network, so I am not
concerned with any firewalling features.
The one problem standing in the way of my being able to implement this
solution is a very specific problem with mounting NFS exports from
multi-homed servers on our network. We have this problem both from the
FreeBSD box itself and from the "NAT'ed" clients on the 10.x.x.x networks it
serves.
The FreeBSD box in question has the hostname "snowspeeder" and its primary
IP address is 128.222.25.177/24. Its 'uname -a' output is:
FreeBSD snowspeeder.rtp.dg.com 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Tue May 30 15:59:31 EDT 2000 [EMAIL PROTECTED]:/usr/src/sys/compile/router i386
There are several servers that exploit this problem, but I will provide one
practical example. The server's primary hostname is "commtg3" and it runs
DG/UX R4.20MU05. Its specific hostname and address info is as follows:
commtg3 128.222.8.29/24
commtg3-thiin 128.222.25.1/24
Note that the "commtg3-thiin" interface is on the same segment as the
FreeBSD box (snowspeeder).
This server is known to users as "commtg3." When they issue any command to
access it, they use its common name. Say I try to mount an NFS export on
commtg3 that I do not have rights to:
root@snowspeeder-/root$ mount commtg3:/usr/opt/sdk test
nfs: can't access /usr/opt/sdk: Permission denied
Just as we should expect. Now let's say we try to mount an export that does
not exist:
root@snowspeeder-/root$ mount commtg3:/usr/ack/bleh test1
nfs: can't access /usr/ack/bleh: No such file or directory
Again, just like we should expect. Now with an export that both exists and
that we have rights to:
root@snowspeeder-/root$ mount commtg3:/usr/local test2
(roughly three minute pause)
nfs server commtg3:/usr/local: not responding
Now let's try the same NFS export, only specify the hostname for the
interface on the same segment:
root@snowspeeder-/root$ mount commtg3-thiin:/usr/local test3
root@snowspeeder-/root$ mount
/dev/wd0s3a on / (ufs, local, writes: sync 95 async 3300)
/dev/wd0s3f on /usr (ufs, local, writes: sync 41 async 8214)
/dev/wd0s3e on /var (ufs, local, writes: sync 540 async 5797)
procfs on /proc (procfs, local)
commtg3-thiin:/usr/local on /root/test3 (nfs)
And as you can see, that works just fine.
Now we've put a sniffer on the 128.222.25.0/24 segment and what it looks
like is happening is that the requests destined to the 128.222.8.29 address
go out fine on the router and are received by commtg3 just fine on that
segment, but that when commtg3 answers it looks at the source IP
(128.222.25.177) then it replies back on its 128.222.25.1 interface (For
which I can't blame it), but then snowspeeder rejects the response packets
because they do not come back with the same source address as the original
destination address of the request.
What I really don't understand is how or why we get errors for such things as
"permission denied" or "no such file or directory," yet we can't complete a
proper mount request.
What I believe I need to do is figure out how to make FreeBSD not be so picky
about where the responses to mount requests are coming from.
I am running the bare minimum ipfw configuration that "man natd" says is
necessary for NAT:
gneff@snowspeeder-/usr/home/gneff$ cat /etc/rc.firewall
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via sf0
/sbin/ipfw add pass all from any to any
My rc.network file is unchanged from the v3.4-release distribution.
Thank you in advance for any assistance you can offer. In the hopes that it
may be helpful, I will paste my kernel configuration and my rc.conf files
below.
Regards,
Glen
-----
machine "i386"
cpu "I686_CPU"
ident GENERIC
maxusers 32
options NMBCLUSTERS=2048
options IPFIREWALL
options IPDIVERT
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options MFS #Memory Filesystem
options NFS #Network Filesystem
options "CD9660" #ISO 9660 Filesystem
options PROCFS #Process filesystem
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Be pessimistic about Joe SCSI device
options UCONSOLE #Allow users to grab the console
options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) syscall trace support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
config kernel root on wd0
controller isa0
controller pci0
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2
disk fd0 at fdc0 drive 0
controller wdc0 at isa? port "IO_WD1" bio irq 14
disk wd0 at wdc0 drive 0
controller wdc1 at isa? port "IO_WD2" bio irq 15
disk wd2 at wdc1 drive 0
options ATAPI #Enable ATAPI support for IDE bus
options ATAPI_STATIC #Don't do it as an LKM
device acd0 #IDE CD-ROM
controller scbus0 # SCSI bus (required)
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
device vga0 at isa? port ? conflicts
pseudo-device splash
device sc0 at isa? tty
device npx0 at isa? port IO_NPX irq 13
device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4
device sio1 at isa? port "IO_COM2" tty irq 3
device ppc0 at isa? port? flags 0x40 net irq 7
controller ppbus0 # Parallel port bus (required)
device lpt0 at ppbus? # Printer
device ppi0 at ppbus? # Parallel port interface device
device sf0 # Adaptec AIC-6915 DuraLAN (``Starfire'')
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device tun 1 # Packet tunnel
pseudo-device pty 16 # Pseudo-ttys (telnet etc)
pseudo-device gzip # Exec gzipped a.out's
pseudo-device bpfilter 8 #Berkeley packet filter
-----
saver="daemon"
blanktime="180"
keyrate="fast"
network_interfaces="sf5 sf4 sf3 sf2 sf1 sf0 lo0"
ifconfig_sf5="inet 10.5.200.1 netmask 255.255.255.0"
ifconfig_sf4="inet 10.4.200.1 netmask 255.255.255.0"
ifconfig_sf3="inet 10.3.200.1 netmask 255.255.255.0"
ifconfig_sf2="inet 10.2.200.1 netmask 255.255.255.0"
ifconfig_sf1="inet 10.1.200.1 netmask 255.255.255.0"
ifconfig_sf0="inet 128.222.25.177 netmask 255.255.255.0"
defaultrouter="128.222.25.253"
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_flags="-s -m"
natd_interface="128.222.25.177"
defaultrouter="128.222.25.253"
hostname="snowspeeder.rtp.dg.com"
/*
Glen R. J. Neff
[EMAIL PROTECTED]
919-248-6145
Dirty deeds done for a meager 20% markup. . .
*/
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
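The sniffer observation in the message above (calls go out to 128.222.8.29, the replies come back from 128.222.25.1, and snowspeeder drops them because the reply source does not match the call destination) can be checked mechanically from a capture. The following is an added example, not code from Glen's post or from FreeBSD: it correlates RPC calls with replies by XID over a constructed set of packet records, flags replies whose source address differs from the address the call was sent to, and lists the calls left outstanding (the ones that end in "not responding"). It also implements the workaround the post arrives at by hand: given a multi-homed server's addresses and the client's directly attached subnets, pick the server address that is on-link, so the reply comes from the address the call went to. The addresses are the ones in the post; the `Packet`/`Finding` types, the function names and the sample records are assumptions made for this example.

```python
"""Correlate RPC calls with replies and flag reply-source mismatches.

Added example, not from the original post. The packet records are
constructed to mirror the sniffer observation in the message: the client
128.222.25.177 sends to 128.222.8.29 but the reply arrives from 128.222.25.1.
Addresses come from the post; the types and function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    xid: int      # RPC transaction id shared by a call and its reply
    reply: bool   # False for an RPC call, True for an RPC reply


@dataclass(frozen=True)
class Finding:
    xid: int
    request_dst: str   # address the client sent the call to
    reply_src: str     # address the reply actually came from
    accepted: bool     # whether a strict client accepts the reply


def correlate(packets: Sequence[Packet], client_ip: str,
              strict: bool = True) -> Tuple[List[Finding], Dict[int, str]]:
    """Pair each reply with the outstanding call carrying the same XID.

    With strict=True a reply is accepted only if its source equals the
    destination of the call (the behaviour the post describes on
    snowspeeder); a rejected reply leaves the call outstanding, which is
    what eventually times out. Returns (findings, unanswered calls).
    """
    pending: Dict[int, str] = {}
    findings: List[Finding] = []
    for p in packets:
        if not p.reply and p.src == client_ip:
            pending[p.xid] = p.dst
        elif p.reply and p.dst == client_ip:
            request_dst = pending.get(p.xid)
            if request_dst is None:
                continue  # reply without a matching call: ignore it
            accepted = p.src == request_dst or not strict
            findings.append(Finding(p.xid, request_dst, p.src, accepted))
            if accepted:
                del pending[p.xid]  # answered; rejected replies stay pending
    return findings, pending


def on_link_address(server_addrs: Sequence[str],
                    client_networks: Sequence[str]) -> Optional[str]:
    """Pick the server address that lies on one of the client's own subnets.

    This is the post's workaround: mounting via commtg3-thiin (128.222.25.1)
    instead of commtg3 (128.222.8.29) makes the reply come back from the
    same address the call was sent to.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in client_networks]
    for addr in server_addrs:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in nets):
            return addr
    return None


# Constructed capture, modelled on the description in the post.
CLIENT = "128.222.25.177"
SAMPLE: List[Packet] = [
    Packet(CLIENT, "128.222.8.29", 0x1001, False),   # call to commtg3
    Packet("128.222.25.1", CLIENT, 0x1001, True),    # reply via commtg3-thiin
    Packet(CLIENT, "128.222.25.1", 0x1002, False),   # call to commtg3-thiin
    Packet("128.222.25.1", CLIENT, 0x1002, True),    # reply from same address
    Packet(CLIENT, "128.222.8.29", 0x1003, False),   # call that gets no reply
]


def report(findings: List[Finding], unanswered: Dict[int, str]) -> List[str]:
    """Render findings as one line per XID."""
    lines = []
    for f in findings:
        state = "accepted" if f.accepted else "REJECTED (source mismatch)"
        lines.append(f"xid {f.xid:#x}: sent to {f.request_dst}, "
                     f"reply from {f.reply_src}: {state}")
    for xid, dst in unanswered.items():
        lines.append(f"xid {xid:#x}: call to {dst} still outstanding")
    return lines


if __name__ == "__main__":
    found, outstanding = correlate(SAMPLE, CLIENT)
    print("\n".join(report(found, outstanding)))
    print("on-link address for commtg3:",
          on_link_address(["128.222.8.29", "128.222.25.1"],
                          ["128.222.25.177/24", "10.1.200.1/24"]))
```

Run against the constructed records, xid 0x1001 is reported as rejected (sent to 128.222.8.29, reply from 128.222.25.1) and left outstanding, xid 0x1002 is accepted, and `on_link_address` returns 128.222.25.1 for commtg3, matching the mount that worked in the post. Feeding it real records means extracting source, destination and RPC XID from the sniffer output; the `strict` flag lets you compare what a source-checking client and a lenient one would have accepted from the same capture.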