bridge + transparent proxy with 4-stable

2001-10-05 Thread CHOI Junho


Hi,

Recently I've installed new bridge+ipfw at office. It is configured as:

 outer network --  --  --   ---> inner network

I installed FreeBSD 4.4-RELEASE and immediately update to
4-stable. Kernel configuration has:

options IPFIREWALL                      #firewall
options IPFIREWALL_VERBOSE              #print information about dropped packets
options IPFIREWALL_FORWARD              #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options IPV6FIREWALL                    #firewall for IPv6
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options IPV6FIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT                        #divert sockets
options DUMMYNET
options BRIDGE

And this machine has fxp0(outer), fxp1(inner) interface. Only fxp1 has
IP address.

Bridged firewall was successful; it works nicely.

I wish to try one more thing: Transparent proxy via Squid.

I've installed www/squid24 port. squid.conf has:

  http_port 127.0.0.1:3128
  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

After running squid, I've added this rule at the top of the rules (output of
ipfw -a list). 208.2.3.200 (not a real IP) is our firewall.

00500   0  0 allow tcp from 208.2.3.200 to any via fxp0
00550 173  11165 fwd 127.0.0.1,3128 tcp from 208.2.3.128/25 to any 80 via fxp1

As shown, rule 550 _filters_ packets, but it seems not to forward
packets to port 3128 (squid). All clients can go out with their own IP, and
nothing remains in the squid log.

Am I doing something wrong? I've searched many mailing lists (freebsd
and squid) but I can't get good answers.

p.s. I am doing NAT + Transparent Proxy in my home(ADSL). It works nicely.

--
 +++ Any opinions in this posting are my own and not those of my employers +++
 CHOI Junho [sleeping now]
 [while sleeping]   
 Korea FreeBSD Users Group    Web Data Bank

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message



Re: kernel welded?? (VERY off-topic)

2001-10-05 Thread [EMAIL PROTECTED]

Firstly, my apologies for the misaddressed question to this list. The matter is
already settled thanks to some list-friends who pointed out to me that the
kernel_security_level (rc.conf) was the culprit. Under level 2 the kernel is set to
'unchangeable' - and no chflags are accepted either.

Many thanks to all of you. And sorry for the inconvenience.


>Sounds like you booted it and it's locked.  Does FreeBSD do that?
>
>At 11:13 AM 10/4/2001 -0700, [EMAIL PROTECTED] wrote:
>>I am completely blind and stuck: I was recompiling (2nd time) my kernel, when (make
>>install) suddenly I was surprised with the following message:



greetings,
   irado furioso com tudo
   linux user 179402
God is built in the image and likeness of man. Mainly in his flaws.
   
   please click here: http://www.thehungersite.com
   and here too: http://cf6.uol.com.br/umminuto/ 






Re: bridge + transparent proxy with 4-stable

2001-10-05 Thread Hroi Sigurdsson

CHOI Junho wrote:

> After running squid, I've added this rule at top of rules(output of
> ipfw -a list). 208.2.3.200(not real IP) is our firewall.
> 
> 00500   0  0 allow tcp from 208.2.3.200 to any via fxp0
> 00550 173  11165 fwd 127.0.0.1,3128 tcp from 208.2.3.128/25 to any 80 via fxp1
> 
> As shown, rule 550 _filters_ packets, but it seems not to forward
> packets to 3128 ports(squid). All clients can go out with its IP, and
> nothing remains in squid log.

Bridging and transparent proxying are incompatible.

-- 
Hroi Sigurdsson [EMAIL PROTECTED]
Netgroup A/S  http://www.netgroup.dk




FreeBSD divert, redir, what?? :-\

2001-10-05 Thread [EMAIL PROTECTED]


Maybe it is just my pain, but I am perusing everywhere (http://groups.google.com), also
FAQs, tutorials and so on, but I am not able to get a single reply (maybe I am too much of a
newbie even for the man pages - I cannot apply them to my question):

I need to mount a server in a (sort of) DMZ, serving HTTP, POP3 and SMTP for both
sides of a firewall (the public and the private), like this:

/internet/---/firewall/--->internal lan (192.168.1.0)
   |
   |-->/server(s) (192.168.2.0)

Any request to the external IP for any available service must be addressed to
192.168.2.0. Also, any request from 192.168.1.0 *must* be addressed to 192.168.2.0.

Can anybody please point me to any document, tutorial, or easy hands-on on the
subject?? Even RTFM will help, *if* it mentions the correct expression which must be
searched.










ifconfig quirks

2001-10-05 Thread Matthew

I just wanted to point out something strange I ran into on my test
network with release 4.4.

If I use "ifconfig xl1 inet 10.0.0.007 netmask 255.255.255.0"
I get upon looking at the adapter
inet 10.0.0.7 netmask 0xff00 broadcast 10.0.0.255

However, when I use "ifconfig xl1 inet 10.0.0.034 netmask 255.255.255.0"
I get
inet 10.0.0.28 netmask 0xff00 broadcast 10.0.0.255

And yet again, if I use "ifconfig xl1 inet 10.0.0.52 netmask 255.255.255.0"
I get
inet 10.0.0.42 netmask 0xff00 broadcast 10.0.0.255

And a third time I use "ifconfig xl1 inet 10.0.0.61 netmask 255.255.255.0"
and I get
inet 10.0.0.49 netmask 0xff00 broadcast 10.0.0.255

I have done this on three different FreeBSD 4.4 release machines with the
exact same results on each. If I do not use the leading zeros in the last
octet it works correctly. However, I have at least three NICs in each machine
with multiple IPs on most interfaces to simulate my existing network, so it
would be nice to be able to use them as placeholders to make the files look
a bit cleaner.
Cheers,
Matthew





Re: ifconfig quirks

2001-10-05 Thread Thiago Damas

When you use numbers with a zero (0) as the first character, the C
language thinks that it is in octal.
007 in octal = 7 in decimal
034 in octal = 24 in decimal
...
...

Then, use ifconfig without the zero (0) as the first character.

On Fri, 5 Oct 2001, Matthew wrote:

> I just wanted to point out something strange I ran into on my test
> network with release 4.4.
>
> if I use "ifconfig xl1 inet 10.0.0.007 netmask 255.255.255.0"
> I get upon looking at the adapter
> inet 10.0.0.7 netmask 0xff00 broadcast 10.0.0.255
>
> however when I use "ifconfig xl1 inet 10.0.0.034 netmask 255.255.255.0"
> I get
> inet 10.0.0.28 netmask 0xff00 broadcast 10.0.0.255
>
> and yet again if I use " ifconfig xl1 inet 10.0.0.52 netmask 255.255.255.0 "
> I get
> inet 10.0.0.42 netmask 0xff00 broadcast 10.0.0.255
>
> and a third time I use "ifconfig xl1 inet 10.0.0.61 netmask 255.255.255.0"
> and I get
> inet 10.0.0.49 netmask 0xff00 broadcast 10.0.0.255
>
> I have done this on three different FreeBSD 4.4 release machines with the
> exact same results on each. If I do not use the leading zeros in the last
> octet it works correctly. However, I have at least three NICs in each machine
> with multiple IPs on most interfaces to simulate my existing network, so it
> would be nice to be able to use them as placeholders to make the files look
> a bit cleaner.
> Cheers,
> Matthew


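The octal parsing Thiago describes, as an added example that is not from the thread: a C parser that reads each octet with the same C numeric syntax inet_aton() accepts (strtoul with base 0, so a leading 0 is octal and 0x is hex), beside a strict parser for addresses read from a config file or an access list, which rejects "10.0.0.034" instead of quietly turning it into 10.0.0.28. The function names are my own, and the sample addresses are the four from Matthew's post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <ctype.h>

/* Parse a dotted quad the way the classic BSD inet_aton() reads each piece:
 * C numeric syntax, so a leading 0 means octal and 0x means hex.
 * Returns the address in host byte order, or -1 if the string is malformed. */
long long parse_ipv4_cstyle(const char *s)
{
    uint32_t addr = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (!isdigit((unsigned char)*s)) return -1;   /* no sign or space allowed */
        unsigned long v = strtoul(s, &end, 0);        /* base 0: 0x.., 0.., decimal */
        if (end == s || v > 255) return -1;
        addr = (addr << 8) | (uint32_t)v;
        s = end;
        if (i < 3 && *s++ != '.') return -1;
    }
    return *s == '\0' ? (long long)addr : -1;
}
/* Strict parser for config/ACL input: four decimal octets of 1-3 digits and
 * no leading zeros, so "034" is rejected instead of silently becoming 28. */
long long parse_ipv4_strict(const char *s)
{
    uint32_t addr = 0;
    for (int i = 0; i < 4; i++) {
        int v = 0, n = 0;
        if (s[0] == '0' && isdigit((unsigned char)s[1])) return -1; /* leading zero */
        while (n < 3 && isdigit((unsigned char)*s)) { v = v * 10 + (*s++ - '0'); n++; }
        if (n == 0 || v > 255) return -1;
        addr = (addr << 8) | (uint32_t)v;
        if (i < 3 && *s++ != '.') return -1;
    }
    return *s == '\0' ? (long long)addr : -1;
}
int main(void)
{
    /* Constructed sample input: the four addresses typed in the thread. */
    const char *samples[] = { "10.0.0.007", "10.0.0.034", "10.0.0.052", "10.0.0.061" };
    for (int i = 0; i < 4; i++) {
        long long c = parse_ipv4_cstyle(samples[i]);
        printf("%-11s -> C-style %lld.%lld.%lld.%lld, strict %s\n", samples[i],
               c >> 24, (c >> 16) & 255, (c >> 8) & 255, c & 255,
               parse_ipv4_strict(samples[i]) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The C-style parser reproduces exactly the four results Matthew observed (7, 28, 42, 49); the strict one rejects every address with a padded octet.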



multihomed, multirouted and balanced FreeBSD??

2001-10-05 Thread [EMAIL PROTECTED]


A friend of mine wants to exchange their multi-homed Linux box for a new FBSD one.
The challenge:

4 NICs - 3 pointing to ADSL links (fixed IP), the last one pointing to the internal LAN.

Questions:

Is it possible to have so many NICs in a single FreeBSD box?
How to enable 3 different routes there??
As far as I understood the original question, people there do not want a 'default'
route - they would prefer something like 'automagic' routing: the available one will
be the one for the (internal) box, if it is possible. Something like a 'least-cost'
path??

Hmm.. Can you please point me to the right white papers, how-tos, recipes, hands-on, on
the subject??









No buffer space available

2001-10-05 Thread fbdn

I've run into a problem where various programs (sendmail, ftpd) often get a "cannot create
socket: No buffer space available" error. The box is serving static html and images at about
300 requests/sec, with no shortage of memory or CPU resources. The kernel is compiled with:
maxusers 256
options NMBCLUSTERS=16384

and netstat shows following:

# netstat -m
16634/25040/65536 mbufs in use (current/peak/max):
1318 mbufs allocated to data
15316 mbufs allocated to packet headers
1192/9452/16384 mbuf clusters in use (current/peak/max)
25164 Kbytes allocated to network (51% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# netstat -an | wc -l
   15207

My best guess is that the system is running out of file descriptors. Any suggestions on how
to fix it?

/fb




Re: No buffer space available

2001-10-05 Thread Mike Silbersack


On Sat, 6 Oct 2001 [EMAIL PROTECTED] wrote:

> I've run into a problem where various programs (sendmail, ftpd) often get a
> "cannot create socket: No buffer space available" error. The box is
> serving static html and images at about 300 requests/sec, with no shortage of
> memory or CPU resources. The kernel is compiled with: maxusers 256
> options NMBCLUSTERS=16384
>
> # netstat -an | wc -l
>15207
>
> My best guess is that the system is running out of file descriptors. Any suggestions on how
> to fix it?
>
> /fb

Yep, you're probably running out of sockets.  You can change the count in
loader.conf, the variable to tune is "kern.ipc.maxsockets".

Set it to something higher than 16384, I guess.

Mike "Silby" Silbersack





Re: multihomed, multirouted and balanced FreeBSD??

2001-10-05 Thread Mike Tancsa

On Fri, 5 Oct 2001 20:01:57 + (UTC), in sentex.lists.freebsd.net you
wrote:

>
>A friend of mine wants to exchange their multi-homed Linux box for a new FBSD one.
>The challenge:
>
>4 NICs - 3 pointing to ADSL links (fixed IP), the last one pointing to the internal LAN.
>
>Questions:
>
>Is it possible to have so many nic in a single FreeBSD box?

Why would you think it's not possible? You can cram lots of NICs into almost
any operating system and have multiple interfaces.

>How to enable 3 different routes there??

Use a dynamic routing protocol: RIP, RIPng, OSPF, BGP.

>As far as I understood the original question, people there do not want a 'default' 
>route 

Read up on the above dynamic routing protocols. Cisco has some good books
on BGP and OSPF as well as many online documents.  You can use zebra for
similar routing on FreeBSD (www.zebra.org).


---Mike
Mike Tancsa  ([EMAIL PROTECTED])  
Sentex Communications Corp, 
Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers 
could setup a national IP network." (KDW2)
