Re[2]: FreeBSD Gateway to replace old Linux gateway

2006-07-28 Thread vladone
Hello elaconta.com,

Thursday, July 27, 2006, 2:03:26 AM, you wrote:

> Tony Abou-Assaleh wrote:
>> I would like to see a reference that shows that it is not possible to have
>> two networks with the same subnet IP ranges. In fact, your working linux
>> PC is a good example that it can be done.
>>
>> You need to be careful not to use the same full IP address on both sides
>> of the network, that's about it. The rest can be handled with a proper
>> configuration of the routing table.
>>
>> take a look at your routing table (using route) and see if you can
>> reproduce it on FreeBSD. If you run into problems on the freebsd, report
>> them, and someone might recognize something.
>>
>> Cheers,
>>
>> TAA
>>
>> -
>> Tony Abou-Assaleh
>> Email:[EMAIL PROTECTED]
>> Web site: http://taa.eits.ca
>> --[THE END]--
>>
>> On Wed, 26 Jul 2006, elaconta.com Webmaster wrote:
>>
>>   
>>> Howdy
>>>
>>> We have here an old (Mandrake Linux 8 - yeah, I know...) PC with two NICs
>>> which serves as a firewall for our LAN and runs a BIND caching nameserver.
>>> Although the machine is getting old, it still works well. Thing is, I'm
>>> having a hard time trying to reproduce it, that is, getting another PC
>>> to do exactly the same thing this PC is doing. It was configured by a
>>> guy that left the company, so I can't simply ask him how he configured
>>> it.
>>> It's a precautionary measure: if the machine breaks down we need another
>>> one to go in its place.
>>> So while I am at it I would love to replace the crusty old thing with a
>>> new one running FreeBSD.
>>> The networking scheme is:
>>>
>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>> <-> (192.168.1.0/24) LAN
>>>
>>> Now, thing is, the Linux firewall has two NICs:
>>>
>>> NIC 1: 192.168.1.121
>>> NIC 2: 192.168.1.122
>>>
>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>>> LAN (192.168.1.0/24).
>>> From what I've googled, this shouldn't even be possible, everything is
>>> on the same subnet. Regardless, it works great, and if I went and got a
>>> FreeBSD rig to replace the old Linux rig, it would have to retain this
>>> networking scheme; we can't afford to reconfigure the entire network
>>> just for switching our firewall.
>>>
>>> I know we could use a network bridge, but we need the caching
>>> nameserver functionality.
>>>
>>> I'm an all-round Unix guy, but I'm a bit green in the routing department.
>>>
>>> Can a FreeBSD box be configured the same way the Linux box is so it can
>>> be a drop-in replacement for the Linux box? I can of course depict in
>>> further detail the configuration of the Linux box (netstat -r to show
>>> the routes, ifconfig or whatever).
>>>
>>> I've already prepped a FreeBSD 6.1 box which already works if the NICs in
>>> the gateway are in different subnets (dc0 is 192.168.1.125 and dc1 is
>>> 192.168.0.5, for instance). I've changed a PC in the network to the
>>> 192.168.0.20 IP (instead of 192.168.1.20) and it connected without a
>>> problem to the Internet, but we have lots of appliances which depend on
>>> the 192.168.1.0 style network. We would need the two NICs in the box to
>>> be in the same subnet...
>>>
>>> -
>>> Elaconta.com Webmaster
>>> -
>>>
>>> ___
>>> freebsd-ipfw@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>>>
>>> 
>>
>>
>>   
> The routing table on the Linux box, as shown per the "route" command:

> [EMAIL PROTECTED] root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.1.120   0.0.0.0         UG    0      0        0 eth0

> Hum, some things in this table are in Portuguese... Basically "Tabela de
> Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
> Destiny, "Roteador" means Router, "Máscara" means Mask.
You have two simple solutions, and one a little more complicated:
1. use a bridge, as someone suggested;
2. if you don't want to change the network configuration, then change the part
from the firewall to the hub or modem or whatever you have. For example:
 modem 10.1.1.1 <-> 10.1.1.2 firewall (FreeBSD 6.1)
 192.168.1.2 <-> LAN 192.168.1.0/24
 with a simple natd config

Re[3]: FreeBSD Gateway to replace old Linux gateway

2006-07-28 Thread vladone
> You have two simple solutions, and one a little more complicated:
> 1. use a bridge, as someone suggested;
> 2. if you don't want to change the network configuration, then change the part
> from the firewall to the hub or modem or whatever you have. For example:
>  modem 10.1.1.1 <-> 10.1.1.2 firewall (FreeBSD 6.1)
>  192.168.1.2 <-> LAN 192.168.1.0/24
>  with a simple natd config like this:
>  use_sockets yes
>  same_ports yes
>  interface xl0
>  dynamic yes
>  assuming that on your firewall xl0 is the external interface with
>  IP 10.1.1.2; configure the kernel with the proper options, and use
>  ipfirewall.
> 3. I think that it is a bit more complicated with routes, but I don't think
> that it can work, but you can try.

>  I recommend variant 2 because it is very clear, and you need to change
>  only the modem's internal IP.
 You can try this too. Put the IPs how you want, and then use ipfw+natd, with
 natd configured as I explained in the previous message. In the ipfw rules you
 need to have a rule like:
 add 100 divert natd ip from any to any
 It should work, but I think that you also need to manipulate the routing
 table, because packets need to know where to go.
 For that, try to set this in rc.conf (but I think that you have already
 set it):
defaultrouter="192.168.1.2"
gateway_enable="YES"
where 192.168.1.2 (for example) is the IP of the external interface on your firewall.





-- 
Best regards,
 vladone  mailto:[EMAIL PROTECTED]



ipfw and natd routing problems

2006-07-28 Thread Adam Egan

Hi,

I've recently installed FreeBSD on a Soekris Net 4801 to act as my
LAN's router. I have got natd and ipfw working fine (there was
originally some trouble with getting an IP from NTL via dhcp because I
hadn't allowed the cable modem's ip to talk to the router, or NTL's
dhcp servers to also talk to the router). My only problem now is that
although connections going out through natd work fine, natd port
forwarding does not work correctly. I am not sure whether this is a
problem with natd or just my ipfw rule(s), though I am more inclined
to believe it is ipfw!

ipfw and natd are enabled in /etc/rc.conf through the following lines:

#enable firewall
firewall_enable="YES"
#path to rules
firewall_type="/etc/fw/firewall.rules"
#be non-verbose?
firewall_quiet="NO"

#enable natd
natd_enable="YES"
#natd interface
natd_interface="sis0"
#flags for natd
natd_flags="-f /etc/fw/natd.conf"

Below is my ipfw natd rule, and the natd.conf file:

[ipfw]
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to any in via sis0
add 01001 check-state

[natd.conf]
unregistered_only
interface sis0
use_sockets
dynamic
punch_fw 2000:100
same_ports
redirect_port tcp 192.168.0.5:80 80
redirect_port tcp 192.168.0.5:6700-6725 6700-6725

When trying to access port 80 (the httpd) externally, the connection
just times out, as does any other connection. Any help would be
greatly appreciated!

Adam


Re: Re[2]: FreeBSD Gateway to replace old Linux gateway

2006-07-28 Thread Webmaster Elaconta
Thanks for the tips everyone. I've thought about the subject and i'm
going to use a bridge to solve the problem. As it is, we're nat'ing
something that is already nat'ed (our router already hands out
addresses in the 192.168.1.x range). Therefore, we're going with the
bridge, even if it means reconfiguring all the clients in the LAN.

---
Elaconta.com webmaster
---


Re: ipfw and natd routing problems

2006-07-28 Thread Peter Rosa

Hi,

> [ipfw]
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state

Default behavior of ipfw is to *BLOCK EVERY PACKET* if you did not say
in your kernel config "options IPFIREWALL_DEFAULT_TO_ACCEPT".

That's why all your connections time-out...

You need to add few rules for check-state to work:
add 01002 allow tcp from any to any via sis0 setup keep-state
add 01003 allow udp from any to any via sis0 keep-state
add 01004 allow icmp from any to any via sis0 keep-state

BE AWARE YOUR 'FIREWALL' IS COMPLETELY OPEN FOR ANY CONNECTION FROM 
INSIDE AND EVEN OUTSIDE!!!


It is very well explained in man ipfw and even better in handbook:
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)


Peter Rosa


ipfw pipe changes from 5.4 to 6.1-RELEASE

2006-07-28 Thread Tobias P. Santos

Hello!

I've noticed some changes in ipfw, as follows:


RELEASE-5.4:

# ipfw pipe 1 config bw 64Kbit/s
# ipfw pipe 2 config bw 512Kbit/s
# ipfw pipe 3 config bw 512Kbit/s mask dst-ip 0xfffc
# ipfw pipe show
1:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x/0x -> 0x/0x
2: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x/0x -> 0x/0x
3: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x/0x -> 0xfffc/0x


RELEASE-6.1

# ipfw pipe 1 config bw 64Kbit/s
# ipfw pipe 2 config bw 512Kbit/s
# ipfw pipe 3 config bw 512Kbit/s mask dst-ip 0xfffc
# ipfw pipe show
1:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
2: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
3: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail


In RELEASE-6.1, the line containing the mask options is not shown.
IMHO, it should be displayed because it's part of the pipe attributes.
I went to check the differences in the source code and it seems that 
adding IPv6 to ipfw2.c made the 'mask' line appear only when there is a 
flow to that pipe.
I made some changes trying to revert to the previous behaviour, but as I 
am not keen on this kind of programming, I'd like someone more 
experienced to take a look at it.
It seems to work, but currently I can't check whether IPv6 masks are 
shown correctly.


I need the 'old' behaviour because some shell scripts stopped working 
when we upgraded our server.


Thank you,
Tobias.

--- ipfw2.c.origFri Jul 28 09:52:04 2006
+++ ipfw2.c Fri Jul 28 12:05:29 2006
@@ -2004,9 +2004,32 @@
 {
int l;
int index_printed, indexes = 0;
-   char buff[255];
+   int ipv6_masks = 0;
+   char buff[255], buff2[255];
struct protoent *pe;
 
+   inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6),
+   buff, sizeof(buff));
+   inet_ntop(AF_INET6, &(fs->flow_mask.dst_ip6),
+   buff2, sizeof(buff2));
+
+   if (fs->flow_mask.flow_id6 != 0 || strlen(buff) > 2 || strlen(buff2) > 
2)
+   ipv6_masks = 1;
+
+   if (!ipv6_masks) {
+   printf(""
+  "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
+   fs->flow_mask.proto,
+   fs->flow_mask.src_ip, fs->flow_mask.src_port,
+   fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
+   } else {
+   printf(""
+   "mask: proto: 0x%02x, flow_id: 0x%08x,  %s/0x%04x -> 
%s/0x%04x\n",
+   fs->flow_mask.proto, fs->flow_mask.flow_id6,
+   buff, fs->flow_mask.src_port,
+   buff2, fs->flow_mask.dst_port);
+   }
+
if (fs->rq_elements == 0)
return;
 
@@ -2027,11 +2050,6 @@
if (indexes > 0)/* currently a no-op */
printf("\n");
indexes++;
-   printf(""
-   "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
-   fs->flow_mask.proto,
-   fs->flow_mask.src_ip, fs->flow_mask.src_port,
-   fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
 
printf("BKT Prot ___Source IP/port "
"Dest. IP/port "
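Review bot: with the mask line now printed unconditionally at the top of the function, removing it here is consistent, and for a pipe with IPv4 flows the visible order (mask line, then the "BKT Prot" header) is unchanged because `indexes` is still 0 on the first pass and the `printf("\n")` is a no-op, so parsers keyed on that order keep working. The `if (indexes > 0) /* currently a no-op */` test is now all that remains in this block; the blank line the removed `printf` leaves behind before `printf("BKT Prot ...` can go too.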
@@ -2069,14 +2087,6 @@
if (indexes > 0)
printf("\n");
indexes++;
-   printf("\nmask: proto: 0x%02x, flow_id: 0x%08x, 
 ",
-   fs->flow_mask.proto, fs->flow_mask.flow_id6);
-   inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6),
-   buff, sizeof(buff));
-   printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port);
-   inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6),
-   buff, sizeof(buff) );
-   printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port);
 
printf("BKT ___Prot___ _flow-id_ "
"__Source IPv6/port___ "
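Review bot: dropping the IPv6 mask print here means a flow set that carries both IPv4 and IPv6 queues now shows only one family's mask (the single line chosen at the top of the function) instead of one per section as before, and the `"\nmask: proto: ..."` separator that set the IPv6 table apart from the IPv4 one above it is gone. If both families can share a flow set, keep a per-section print or document the new single-line output; either way the cover mail's "can't check whether IPv6 masks are shown correctly" should be resolved before this goes in.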
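Tobias's scripts broke because the "mask:" line that 5.4 printed for every pipe is, on 6.1, printed only when the pipe has active flows. An added example (not code from this thread or from the ipfw sources) of a small shell parser that tolerates both layouts: it reads `ipfw pipe show` output from stdin and emits one summary line per pipe, with "-" where no mask line was present. The two sample outputs are constructed in the printf formats the post quotes (0x%08x/0x%04x); they are not the page's own output, whose digits were lost in the archive.

```shell
#!/bin/sh
# pipe_summary: one line per pipe from "ipfw pipe show" output, in the form
# "<pipe>|<bandwidth>|<mask or ->".  Lines that are neither a pipe header nor
# a mask line (queue tables, "BKT Prot" headers) are ignored.
pipe_summary() {
    awk '
        function flush() {
            if (pipe != "") printf "%s|%s|%s\n", pipe, bw, mask
            pipe = ""
        }
        # Pipe header, e.g. "3: 512.000 Kbit/s  0 ms  50 sl. 0 queues (64 buckets) droptail"
        /^[0-9]+:/ {
            flush()
            pipe = $1; sub(/:$/, "", pipe)
            bw = $2 " " $3
            mask = "-"
            next
        }
        # Mask line: 5.4 prints it for every pipe, 6.1 only while the pipe has flows
        /^[ \t]*mask:/ {
            sub(/^[ \t]*mask:[ \t]*/, "")
            mask = $0
            next
        }
        END { flush() }
    '
}

# pipe_mask <pipe>: print the mask recorded for one pipe ("-" if none was shown)
pipe_mask() {
    pipe_summary | awk -F '|' -v p="$1" '$1 == p { print $3 }'
}

# Constructed sample in the 5.4 layout (mask line always present)
SAMPLE_54='1:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
3: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xfffffffc/0x0000'

# Constructed sample in the 6.1 layout (no mask line while the pipes are idle)
SAMPLE_61='1:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
3: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail'

# Stand-alone run: summarise both layouts; on a live box use
#   ipfw pipe show | pipe_summary
printf '%s\n' "$SAMPLE_54" | pipe_summary
printf '%s\n' "$SAMPLE_61" | pipe_summary
```

A script that needs the mask regardless of traffic should treat "-" as "unknown from this output" and fall back to its own record of how the pipe was configured, rather than assuming the pipe has no mask.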

Re: ipfw and natd routing problems

2006-07-28 Thread vladone
Hello Adam,

Friday, July 28, 2006, 2:12:32 PM, you wrote:

> [ipfw]
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state
 You need to add a natd rule for outgoing packets too, not only for
 incoming ones.
 So you need a rule like this at the end of the rules:
 add 05000 divert natd ip from any to any out via sis0
 With two rules for natd (one for incoming and another for outgoing) you
 can control the traffic flow more exactly.
 
 Or else you can use a single natd rule at the beginning, like this:
 add 1000 divert natd all from any to any via sis0

-- 
Best regards,
 vladone  mailto:[EMAIL PROTECTED]

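Three pieces of this thread fit together: vladone's two-subnet layout with natd behind ipfw, Adam's port forwards that time out because his ruleset only diverts packets arriving on sis0 (the replies from the internal host leave with their private source address untranslated), and Peter's warning that bare `keep-state` allow rules open the box in both directions. The following is an added example, not code from the thread or from the FreeBSD handbook: a firewall_script-style ruleset for FreeBSD 6.x that diverts in both directions and, from outside, admits only the two forwarded services. Everything concrete is an assumption: xl0 is the outside interface (10.1.1.2, modem at 10.1.1.1), xl1 the inside (192.168.1.2, LAN 192.168.1.0/24), 192.168.1.5 receives the forwards, and the default route points at the modem. Running it with `FWCMD=echo` prints the rules instead of loading them, and `natd.conf` / `rc.conf` as the first argument print the matching fragments.

```shell
#!/bin/sh
# ipfw.sh: ipfw + natd ruleset for a two-subnet FreeBSD 6.x gateway (added
# example; interfaces, addresses and the forwarded host are assumptions).
fw="${FWCMD:-/sbin/ipfw -q}"
ext_if="xl0"; int_if="xl1"
lan="192.168.1.0/24"
web_host="192.168.1.5"      # assumed target of the two redirect_port entries

load_rules() {
    $fw -f flush
    # Loopback, the trusted LAN interface, and anti-spoofing on the outside.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 allow ip from any to any via $int_if
    $fw add 200 deny ip from $lan to any in via $ext_if
    $fw add 210 deny ip from any to 127.0.0.0/8 in via $ext_if
    # Inbound NAT first so every later rule sees private addresses, then the
    # dynamic-rule lookup.  Dynamic rules inherit the action of the rule that
    # created them, so the keep-state rules use "skipto 800": packets of an
    # established session go through the outbound divert, not just "allow".
    $fw add 300 divert natd ip from any to any in via $ext_if
    $fw add 310 check-state
    # Outbound sessions from the LAN and from the gateway itself.
    $fw add 400 skipto 800 tcp from any to any out via $ext_if setup keep-state
    $fw add 410 skipto 800 udp from any to any out via $ext_if keep-state
    $fw add 420 skipto 800 icmp from any to any out via $ext_if keep-state
    # Inbound: only the forwarded ports, already rewritten by natd to $web_host.
    $fw add 500 skipto 800 tcp from any to $web_host 80 in via $ext_if setup keep-state
    $fw add 510 skipto 800 tcp from any to $web_host 6700-6725 in via $ext_if setup keep-state
    # Anything else on the outside interface is dropped; 800/810 are reachable
    # only through skipto, so stateless traffic cannot slip out via rule 810.
    $fw add 790 deny log ip from any to any via $ext_if
    $fw add 800 divert natd ip from any to any out via $ext_if
    $fw add 810 allow ip from any to any
    $fw add 65000 deny log ip from any to any
}

natd_conf() {               # /etc/fw/natd.conf
    cat <<EOF
interface $ext_if
use_sockets yes
same_ports yes
dynamic yes
unregistered_only yes
redirect_port tcp $web_host:80 80
redirect_port tcp $web_host:6700-6725 6700-6725
EOF
}

rc_conf() {                 # fragment for /etc/rc.conf
    cat <<EOF
ifconfig_$ext_if="inet 10.1.1.2 netmask 255.255.255.0"
ifconfig_$int_if="inet 192.168.1.2 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/fw/ipfw.sh"
natd_enable="YES"
natd_interface="$ext_if"
natd_flags="-f /etc/fw/natd.conf"
EOF
}

case "${1:-}" in
    natd.conf) natd_conf ;;
    rc.conf)   rc_conf ;;
    *)  # Load for real only where ipfw exists; FWCMD=echo previews anywhere.
        if [ -n "$FWCMD" ] || [ -x /sbin/ipfw ]; then load_rules; fi ;;
esac
```

Preview with `FWCMD=echo sh ipfw.sh`, write the natd file with `sh ipfw.sh natd.conf > /etc/fw/natd.conf`, and let rc.d/ipfw run the script at boot through `firewall_script`. Rule 110 trusts the whole LAN side; tightening that (for instance to DNS and SSH towards the gateway) is where a per-site policy would go.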