Hi everybody,

If I understand your Linux gateway correctly, all its NICs are on the same network. It's supposed to do packet filtering and bind services at the same time, and your questions were, on one hand, how? and on the other, how to make a FreeBSD twin of the Linux one? OK! I'm just a student trying to learn more about networking and Unix, so I won't pretend to have the best solution; I will just say what I think about it. What I have seen so far leads me to guess that making a FreeBSD bridge is a good compromise: you can bridge your gateway and then alias your internal NIC with the same address that the Linux one got. PCs on your network will believe they are connected to a switch providing the Internet and bind services.

                          Your LAN
                /                                     \
            /                                             \
bge1 (with no address)                  bge1.0 (192.168.1.122)
       \                                                         /
         \                                                      /
--------------------------------------------------    freeBSD Bridge
                                 |
                                 |
                    bge0(192.168.1.121)
                                |
                          Internet
This is how it should look schematically, and you'll be able to do filtering on interfaces and not on addresses.

A piece of my kernel config file, for example:

#------------------------------------------------------------------------------#
# FIREWALL #
#------------------------------------------------------------------------------#
options IPFIREWALL                          #|
options IPFIREWALL_VERBOSE                  #|--->IPV4
options IPFIREWALL_VERBOSE_LIMIT=200        #|
options IPFIREWALL_FORWARD                  #|
#options IPFIREWALL_FORWARD_EXTENDED        #|--->proxy

options IPV6FIREWALL                        #|
options IPV6FIREWALL_VERBOSE                #|--->IPV6
options IPV6FIREWALL_VERBOSE_LIMIT=200      #|

options DUMMYNET            # Bandwidth management.
options IPDIVERT            # Divert sockets
options IPSTEALTH           # Does not touch the TTL: the firewall is transparent to traceroute
options TCPDEBUG            # Enables the code that keeps track of the machine's TCP state;
                            # the command is trpt.

options TCP_DROP_SYNFIN     # Rejects TCP packets with SYN+FIN.
options SOFTUPDATES         # Improves filesystem speed and makes hard reboots less risky
options QUOTA
options SC_DISABLE_REBOOT

# BRIDGE (network bridge): transparent firewall.
options BRIDGE
#------------------------------------------------------------------------------#
# end FIREWALL #
#------------------------------------------------------------------------------#

----- Original Message ----- From: <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 27, 2006 2:00 PM
Subject: freebsd-ipfw Digest, Vol 173, Issue 2


Send freebsd-ipfw mailing list submissions to
[email protected]

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-ipfw digest..."


Today's Topics:

  1. FreeBSD Gateway to replace old Linux gateway
     (elaconta.com Webmaster)
  2. Re: FreeBSD Gateway to replace old Linux gateway
     (Tony Abou-Assaleh)
  3. Re: FreeBSD Gateway to replace old Linux gateway
     (elaconta.com Webmaster)
  4. RE: FreeBSD Gateway to replace old Linux gateway
     ([EMAIL PROTECTED])
  5. Re: FreeBSD Gateway to replace old Linux gateway
     (Tony Abou-Assaleh)


----------------------------------------------------------------------

Message: 1
Date: Wed, 26 Jul 2006 20:41:18 +0100
From: "elaconta.com Webmaster" <[EMAIL PROTECTED]>
Subject: FreeBSD Gateway to replace old Linux gateway
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Howdy

We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs
which serves as a firewall for our LAN and runs a Bind caching nameserver.
Although the machine is getting old, it still works well. Thing is, I'm
having a hard time trying to reproduce it, that is, getting another PC
to do exactly the same thing this PC is doing. It was configured by a
guy that left the company, so I can't simply ask him how he configured
it.
It's a precautionary measure: if the machine breaks down we need another
one to go in its place.
So while I'm at it I would love to replace the crusty old thing with a
new one running FreeBSD.
The networking scheme is:

Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
<-> (192.168.1.0/24) LAN

Now, thing is, the Linux firewall has two NICs:

NIC 1: 192.168.1.121
NIC 2: 192.168.1.122

The two NICs on the Linux box are configured with 192.168.1.121 and
192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
the company router (192.168.1.120) and 192.168.1.122 accesses the company
LAN (192.168.1.0/24).
From what I've googled, this shouldn't even be possible, everything is
on the same subnet. Regardless, it works great, and if I went and got a
FreeBSD rig to replace the old Linux rig, it would have to retain this
networking scheme; we can't afford to reconfigure the entire network
just for switching our firewall.

I know we could use a network bridge, but we need the caching
nameserver functionality.

I'm an all-round Unix guy, but I'm a bit green on the routing department.

Can a FreeBSD box be configured the same way the Linux box is so it can
be a drop-in replacement for the Linux box? I can of course depict in
further detail the configuration of the Linux box (netstat -r to show
the routes, ifconfig or whatever).

I've already prepped a FreeBSD 6.1 box which already works if the NICs in the gateway are in different subnets (dc0 is 192.168.1.125 and dc1 is 192.168.0.5, for instance); I've changed a PC in the network to the 192.168.0.20 IP (instead of 192.168.1.20) and it connected without a problem to the Internet, but we have lots of appliances which depend on the 192.168.1.0 style network. We would need the two NICs in the box to be in the same subnet...

-----------------------------
Elaconta.com Webmaster
-----------------------------



------------------------------

Message: 2
Date: Wed, 26 Jul 2006 19:16:23 -0300 (ADT)
From: Tony Abou-Assaleh <[EMAIL PROTECTED]>
Subject: Re: FreeBSD Gateway to replace old Linux gateway
To: "elaconta.com Webmaster" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII

I would like to see a reference that shows that it is not possible to have
two networks with the same subnet IP ranges. In fact, your working Linux
PC is a good example that it can be done.

You need to be careful not to use the same full IP address on both sides
of the network, that's about it. The rest can be handled with a proper
configuration of the routing table.

Take a look at your routing table (using route) and see if you can
reproduce it on FreeBSD. If you run into problems on FreeBSD, report
them, and someone might recognize something.

Cheers,

TAA

-----------------------------------------------------
Tony Abou-Assaleh
Email:    [EMAIL PROTECTED]
Web site: http://taa.eits.ca
----------------------[THE END]----------------------

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"



------------------------------

Message: 3
Date: Thu, 27 Jul 2006 00:03:26 +0100
From: "elaconta.com Webmaster" <[EMAIL PROTECTED]>
Subject: Re: FreeBSD Gateway to replace old Linux gateway
To: Tony Abou-Assaleh <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1


The routing table on the Linux box, as shown per the "route" command:

[EMAIL PROTECTED] root]# route
Tabela de Roteamento IP do Kernel
Destino        Roteador        MáscaraGen.     Opções Métrica Ref Uso Iface
192.168.1.0    *               255.255.255.0   U      0       0   0   eth1
192.168.1.0    *               255.255.255.0   U      0       0   0   eth1
127.0.0.0      *               255.0.0.0       U      0       0   0   lo
default        192.168.1.120   0.0.0.0         UG     0       0   0   eth0

Hum, some things in this table are in Portuguese... Basically "Tabela de
Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
Destiny, "Roteador" means Router, "Máscara" means Mask.
Now the thing that strikes me in this Linux routing table are the
asterisks (*). Are they normal, or some kind of Linux black magic?
Is there a way to reproduce this routing table on FreeBSD? What do the
asterisks mean?

-----------------------------
Elaconta.com Webmaster
-----------------------------




------------------------------

Message: 4
Date: Wed, 26 Jul 2006 18:11:09 -0500
From: <[EMAIL PROTECTED]>
Subject: RE: FreeBSD Gateway to replace old Linux gateway
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="US-ASCII"

I was thinking that the interfaces could simply be bridged. Could you do
a traceroute from a workstation to, say, google.com and see if the firewall
appears as a hop? If it's a hop, it's routing; if it's invisible, it's
bridging. That should help guide you in the creation of a replacement.

DBM
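DBM's hop test, as an added example that is not part of the thread: a small Python checker (mine, not any poster's) that parses traceroute output and reports whether the firewall's addresses appear as a hop. The two firewall addresses are the ones the thread gives; the traceroute outputs are constructed samples, and the target name and the 203.0.113.10 documentation address in them are placeholders.

```python
import re

# The two NIC addresses the thread gives for the Linux firewall.
FIREWALL_ADDRS = {"192.168.1.121", "192.168.1.122"}

# Constructed traceroute outputs (not captured on the thread's network);
# 203.0.113.10 is a documentation address standing in for the target.
TRACE_ROUTING = """\
traceroute to google.com (203.0.113.10), 30 hops max, 40 byte packets
 1  192.168.1.122 (192.168.1.122)  0.412 ms  0.298 ms  0.271 ms
 2  192.168.1.120 (192.168.1.120)  1.103 ms  0.987 ms  1.020 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  12.4 ms  12.1 ms  12.7 ms
"""
TRACE_BRIDGING = """\
traceroute to google.com (203.0.113.10), 30 hops max, 40 byte packets
 1  192.168.1.120 (192.168.1.120)  1.103 ms  0.987 ms  1.020 ms
 2  * * *
 3  203.0.113.10 (203.0.113.10)  12.4 ms  12.1 ms  12.7 ms
"""
TRACE_TIMEOUT = """\
traceroute to google.com (203.0.113.10), 30 hops max, 40 byte packets
 1  * * *
 2  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<hop>  <rest of line>"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # first dotted quad on the line


def hops(output):
    """Return [(hop_number, ip_or_None)] from traceroute output.
    Works with and without -n (hostname followed by the address in brackets);
    a hop that only produced '* * *' yields None."""
    result = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." banner line
        ip = IP_RE.search(m.group(2))
        result.append((int(m.group(1)), ip.group(1) if ip else None))
    return result


def classify(output, firewall_addrs=FIREWALL_ADDRS):
    """DBM's test. Any firewall address among the hops -> the box decrements
    TTL and is routing. A first hop that is some other device -> the box is
    bridging, or routing without touching TTL, which traceroute cannot tell
    apart. No answering first hop -> inconclusive."""
    seen = hops(output)
    if any(ip in firewall_addrs for _, ip in seen if ip):
        return "routing"
    if seen and seen[0][1] is not None:
        return "bridging-or-stealth"
    return "inconclusive"


if __name__ == "__main__":
    for name, trace in (("routing", TRACE_ROUTING), ("bridging", TRACE_BRIDGING),
                        ("timeout", TRACE_TIMEOUT)):
        print(f"{name:>9}: {classify(trace)}")
```

A missing hop is only suggestive: the IPSTEALTH kernel option in the kernel configuration at the top of this page makes a routing firewall skip the TTL decrement, so it disappears from traceroute just like a bridge would; that is why the function reports "bridging-or-stealth" rather than "bridging". Cross-check against the box's routing table before deciding how to build the replacement.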





------------------------------

Message: 5
Date: Thu, 27 Jul 2006 00:15:44 -0300 (ADT)
From: Tony Abou-Assaleh <[EMAIL PROTECTED]>
Subject: Re: FreeBSD Gateway to replace old Linux gateway
To: "elaconta.com Webmaster" <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN

On Thu, 27 Jul 2006, elaconta.com Webmaster wrote:
The routing table on the Linux box, as shown per the "route" command:

[EMAIL PROTECTED] root]# route
Tabela de Roteamento IP do Kernel
Destino        Roteador        MáscaraGen.     Opções Métrica Ref Uso Iface
192.168.1.0    *               255.255.255.0   U      0       0   0   eth1
192.168.1.0    *               255.255.255.0   U      0       0   0   eth1
127.0.0.0      *               255.0.0.0       U      0       0   0   lo
default        192.168.1.120   0.0.0.0         UG     0       0   0   eth0

Hum, some things in this table are in Portuguese... Basically "Tabela de
Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
Destiny, "Roteador" means Router, "Máscara" means Mask.
Now the thing that strikes me in this Linux routing table are the
asterisks (*). Are they normal, or some kind of Linux black magic?
Is there a way to reproduce this routing table on FreeBSD? What do the
asterisks mean?

In English, the headings are:

Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface

Gateway is more appropriately described as 'next hop'. In your case, that
would be the IP of your router for all outgoing external traffic. Since
the internal traffic is connected directly (likely through an Ethernet
hub), packets going to the LAN should be destined directly to their
destination IP.

According to your routing table, I believe there is no way to access the
web interface of your router (if any) from your LAN, because all
192.168.1.* traffic will be sent on eth1, which is your LAN.

You can use the route command to manipulate the routing table directly and
reproduce the above. I think it can also be done using the firewall, but
it's a little trickier there. Check your firewall rules to see if it is
set explicitly there (if it is, then you should see rules that are similar
to the entries in the routing table in terms of content).

Cheers,

TAA

-----------------------------------------------------
Tony Abou-Assaleh
Email:    [EMAIL PROTECTED]
Web site: http://taa.eits.ca
----------------------[THE END]----------------------
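To make Tony's point about the routing table concrete, here is an added example (mine, not from the thread): a Python longest-prefix-match lookup over a constructed copy of the `route` output quoted above. It shows which interface and next hop the Linux kernel picks for a LAN host, for the router's own address, and for an Internet destination. The LAN host address and the 203.0.113.10 documentation address used in the demonstration are constructed; the table rows, the router address and the interface names are the thread's.

```python
import ipaddress

# Constructed copy of the Linux `route` output quoted in the thread
# (Portuguese headers kept as printed). eth0 faces the router, eth1 the LAN.
ROUTE_OUTPUT = """\
Tabela de Roteamento IP do Kernel
Destino        Roteador        MáscaraGen.     Opções Métrica Ref Uso Iface
192.168.1.0    *               255.255.255.0   U      0       0   0   eth1
192.168.1.0    *               255.255.255.0   U      0       0   0   eth1
127.0.0.0      *               255.0.0.0       U      0       0   0   lo
default        192.168.1.120   0.0.0.0         UG     0       0   0   eth0
"""


def parse_route_table(text):
    """Turn `route` output into (network, next_hop, iface) tuples.

    The first two lines are the title and the column headers. A '*' in the
    gateway column means the network is directly connected (no next hop).
    """
    routes = []
    for line in text.splitlines()[2:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        next_hop = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append((network, next_hop, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific network containing the
    destination wins. Ties keep the first entry, so the duplicated
    192.168.1.0/24 row in the thread's table is harmless."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for network, next_hop, iface in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    if best is None:
        return None
    _, next_hop, iface = best
    return (iface, "direct" if next_hop is None else str(next_hop))


if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    # 192.168.1.50 is a constructed LAN host; 203.0.113.10 is a documentation address.
    for dst in ("192.168.1.50", "192.168.1.120", "203.0.113.10"):
        iface, via = lookup(table, dst)
        print(f"{dst:>15} -> {iface} via {via}")
    # The router's own address, 192.168.1.120, matches the /24 on eth1, which is
    # Tony's point: traffic for it is never sent out through eth0.
```

The lookup for 192.168.1.120 lands on eth1, the LAN side, while only the default route names eth0; that is the asymmetry Tony describes. On FreeBSD the equivalent table is shown by `netstat -rn`, which the original poster already mentions, so the same lookup can be repeated on the replacement box to confirm the two tables agree before it goes into service.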


------------------------------


End of freebsd-ipfw Digest, Vol 173, Issue 2
********************************************

