Re: qemu with tap networking on FreeBSD 6.1

2006-07-29 Thread Fabian Keil
mal content [EMAIL PROTECTED] wrote:

 On 28/07/06, Fabian Keil [EMAIL PROTECTED] wrote:

  Personally I prefer to use NAT to connect qemu
  (and jails) with the world outside. This way you can
  use pfctl -ss -r to see which connections come
  from the host system and which don't.
 
 
 How does this work?

In my PF default configuration there are anchor
and nat-anchor lines for every device from tap0 to tap9.

My qemu configuration script is: 

|#!/bin/sh -x
|tap_if=$1
|ext_if=iwi0
|number=`expr \`echo $tap_if | cut -c 4\` + 7`
|
|sudo ifconfig $tap_if 192.168.$number.49
|echo "nat pass on $ext_if from $tap_if:network to any -> $ext_if" | sudo pfctl -N -a $tap_if -f -
|echo "pass quick on $tap_if flags S/SA keep state" | sudo pfctl -a $tap_if -R -f -

I start qemu with:

sudo dd if=/dev/null of=/dev/tap0
sudo chown fk /dev/tap0
qemu -m 32 -net nic -net tap,script=/home/fk/scripts/qemu-config -hda ~/test/netbsd.img

If I have to use another tap device I have to change the network settings
in the guest system, but usually I only need one qemu process.

if_tap is loaded on boot and net.link.tap.user_open is
enabled in /etc/sysctl.conf.

Fabian
-- 
http://www.fabiankeil.de/
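As an added example (not Fabian's script), the same per-tap NAT setup split into functions so the tap name is validated and the generated pf rules can be inspected before they are loaded; the interface name iwi0, the .49 host address and the tap-number-plus-7 subnet scheme are taken from the script above, everything else is assumed.

```shell
#!/bin/sh
# Added example, not the script from the thread: per-tap NAT with pf
# anchors, with rule generation separated from rule loading.
# Assumes: ext_if is the outbound interface and 192.168.N.0/24 (N = tap
# number + 7) is otherwise unused on the host.

ext_if=${EXT_IF:-iwi0}

# Accept only tap0..tap9 (the original silently fed anything to expr).
valid_tap() {
    case "$1" in
        tap[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Third octet of the tap's /24: tap0 -> 7, tap3 -> 10.
tap_octet() {
    echo $(( ${1#tap} + 7 ))
}

# Host-side address on the tap; the guest lives in the same /24.
tap_addr() {
    echo "192.168.$(tap_octet "$1").49"
}

# NAT rule for the nat-anchor named after the tap.
nat_rule() {
    printf 'nat pass on %s from %s:network to any -> %s\n' \
        "$ext_if" "$1" "$ext_if"
}

# Filter rule for the anchor named after the tap: the guest may open
# connections, replies come back through state, nothing else is passed.
filter_rule() {
    printf 'pass quick on %s flags S/SA keep state\n' "$1"
}

# Connections pf is tracking on this tap, i.e. what the guest is doing.
show_states() {
    sudo pfctl -ss | grep -- "^$1 "
}

# What qemu calls with the tap name (-net tap,script=...).
apply_tap() {
    tap_if=$1
    valid_tap "$tap_if" || { echo "refusing interface: $tap_if" >&2; return 1; }
    sudo ifconfig "$tap_if" "$(tap_addr "$tap_if")" || return 1
    nat_rule "$tap_if"    | sudo pfctl -N -a "$tap_if" -f - || return 1
    filter_rule "$tap_if" | sudo pfctl -R -a "$tap_if" -f - || return 1
    sudo pfctl -a "$tap_if" -s rules
}

if [ "${1-}" ]; then
    apply_tap "$1"
fi
```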




Re: qemu with tap networking on FreeBSD 6.1

2006-07-29 Thread mal content

On 29/07/06, Fabian Keil [EMAIL PROTECTED] wrote:

mal content [EMAIL PROTECTED] wrote:

 On 28/07/06, Fabian Keil [EMAIL PROTECTED] wrote:

  Personally I prefer to use NAT to connect qemu
  (and jails) with the world outside. This way you can
  use pfctl -ss -r to see which connections come
  from the host system and which don't.
 

 How does this work?

In my PF default configuration there are anchor
and nat-anchor lines for every device from tap0 to tap9.

My qemu configuration script is:

|#!/bin/sh -x
|tap_if=$1
|ext_if=iwi0
|number=`expr \`echo $tap_if | cut -c 4\` + 7`
|
|sudo ifconfig $tap_if 192.168.$number.49
|echo "nat pass on $ext_if from $tap_if:network to any -> $ext_if" | sudo pfctl -N -a $tap_if -f -
|echo "pass quick on $tap_if flags S/SA keep state" | sudo pfctl -a $tap_if -R -f -

I start qemu with:

sudo dd if=/dev/null of=/dev/tap0
sudo chown fk /dev/tap0
qemu -m 32 -net nic -net tap,script=/home/fk/scripts/qemu-config -hda ~/test/netbsd.img

If I have to use another tap device I have to change the network settings
in the guest system, but usually I only need one qemu process.

if_tap is loaded on boot and net.link.tap.user_open is
enabled in /etc/sysctl.conf.



Very interesting, I wouldn't have thought of doing it like that. I'll try it.

thanks!
MC
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: qemu with tap networking on FreeBSD 6.1

2006-07-28 Thread Fabian Keil
mal content [EMAIL PROTECTED] wrote:

 Followed instructions from various places and ended up with
 the following procedure:
 
 # kldload bridge.ko
 # sysctl net.link.ether.bridge_cfg=fxp0,tap0
 # sysctl net.link.ether.bridge.enable=1

I don't think it's part of your problem,
but on FreeBSD 6.1 it is recommended to
use if_bridge instead of bridge. 
 
 I created 'if-up' for qemu:
 
 #!/bin/sh
 ifconfig ${1} 0.0.0.0
 
 I have a working OpenBSD image, 3.9. I started it up,
 set an IP address and default route, etc. Everything appears
 to be fine there.

The network was working?
 
 I reboot the qemu image and just before the login prompt,
 qemu goes insane. For some reason, it blasts UDP packets:
 
 (on the host)
 # netstat -an
 <snip>
 udp4   0  0  *.62756  *.*
 udp4   0  0  *.62324  *.*
 udp4   0  0  *.62127  *.*
 udp4   0  0  *.62741  *.*
 udp4   0  0  *.59182  *.*
 udp4   0  0  *.63792  *.*
 </snip>

How do you know that these connections came from qemu?

Personally I prefer to use NAT to connect qemu
(and jails) with the world outside. This way you can
use pfctl -ss -r to see which connections come
from the host system and which don't. 

Fabian
-- 
http://www.fabiankeil.de/




Re: qemu with tap networking on FreeBSD 6.1

2006-07-28 Thread mal content

On 28/07/06, Fabian Keil [EMAIL PROTECTED] wrote:

mal content [EMAIL PROTECTED] wrote:

 Followed instructions from various places and ended up with
 the following procedure:

 # kldload bridge.ko
 # sysctl net.link.ether.bridge_cfg=fxp0,tap0
 # sysctl net.link.ether.bridge.enable=1

I don't think it's part of your problem,
but on FreeBSD 6.1 it is recommended to
use if_bridge instead of bridge.


Ok, I'll try it anyway to be on the safe side.



 I created 'if-up' for qemu:

 #!/bin/sh
 ifconfig ${1} 0.0.0.0

 I have a working OpenBSD image, 3.9. I started it up,
 set an IP address and default route, etc. Everything appears
 to be fine there.

The network was working?


I meant that as far as OpenBSD was concerned (had it been on
a physical machine) the network would have been correctly
configured.



 I reboot the qemu image and just before the login prompt,
 qemu goes insane. For some reason, it blasts UDP packets:

 (on the host)
 # netstat -an
 <snip>
 udp4   0  0  *.62756  *.*
 udp4   0  0  *.62324  *.*
 udp4   0  0  *.62127  *.*
 udp4   0  0  *.62741  *.*
 udp4   0  0  *.59182  *.*
 udp4   0  0  *.63792  *.*
 </snip>

How do you know that these connections came from qemu?


Because as soon as I ctrl-C the qemu process, all of them stop
instantly. They may not be coming FROM the qemu process,
but may be being generated as a side effect of what the host
is trying to do for the hosted image.



Personally I prefer to use NAT to connect qemu
(and jails) with the world outside. This way you can
use pfctl -ss -r to see which connections come
from the host system and which don't.



How does this work? I really don't care how I get networking
for qemu, as long as it works. I only picked tap because that
seemed to be the most common choice.

cheers,
MC


qemu with tap networking on FreeBSD 6.1

2006-07-28 Thread mal content

Hi.

I've been having serious trouble with this.

I posted a message in the qemu forum, but with only 30-something
threads in the BSD section, I don't think it's really a good place to
get a decent answer about BSD.

A copy of the post follows:

Followed instructions from various places and ended up with
the following procedure:

# kldload bridge.ko
# sysctl net.link.ether.bridge_cfg=fxp0,tap0
# sysctl net.link.ether.bridge.enable=1

I created 'if-up' for qemu:

#!/bin/sh
ifconfig ${1} 0.0.0.0

I have a working OpenBSD image, 3.9. I started it up,
set an IP address and default route, etc. Everything appears
to be fine there.

I reboot the qemu image and just before the login prompt,
qemu goes insane. For some reason, it blasts UDP packets:

(on the host)
# netstat -an
<snip>
udp4   0  0  *.62756  *.*
udp4   0  0  *.62324  *.*
udp4   0  0  *.62127  *.*
udp4   0  0  *.62741  *.*
udp4   0  0  *.59182  *.*
udp4   0  0  *.63792  *.*
</snip>

(this goes on for several screens).

During this time, my ethernet switch is understandably going
mad and the qemu process has slowed to an unusable crawl.
The host doesn't seem particularly affected.

My prime suspicion is that those UDP packets are DNS
queries. It also sends ICMP packets, which I captured with
ethereal (most of them are along the lines of 'host not
reachable').

Did I do something to cause offense to some electronic deity
somewhere?

Anybody here seen anything like this? Qemu without networking
is next to useless.

MC


Re: Networking with FreeBSD

2005-08-03 Thread Ivailo Tanusheff
You can use ipf or ipfw as firewall to create a set of rules, allowing and 
denying access to different resources from/to different networks. Also you 
can use ipnat to make NAT translation if needed.
Personally I'd advise you to use ipf as packet filter, ipfw as traffic 
shaper and ipnat for NAT.

Hope this will help you, there are tons of topics and howto's about using 
ipf, ipfw and ipnat :)

Ivailo Tanusheff
Senior System administrator
ProCredit Bank (Bulgaria) AD

tel. +359 2 921 7161
fax +359 2 921 7110
http://www.procreditbank.bg





Stephan Weaver [EMAIL PROTECTED] wrote on 08/02/2005 07:26 PM:

Hello Everyone.

We are going to be connecting our Stores to our Main Head Office Via Fiber.
We want to separate our Internal Lan from the store computers.
So we have decided to separate them by networks [ip addressing] because of security.


Head Office
I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head Office.
10.10.10.1 - Pixel Replication Server
192.168.1.1 - Web Based Server [Delivery Server]
192.168.100.1 - File Server
Including Internet Users.
192.168.0.1-254 [ Lan ].


The store computers that need to access specific servers, are only on that network.
For example.
Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105]
Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105
Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105.


Now the Risk involved with this is we have no Real Security, For Example.
A Malicious user can easily change his ip address to 192.168.0.105 For 
Example and Get on our Head Office Internal Network. Which We don't Want.


So i would like to Setup, Install And Configure a FreeBSD Based Firewall, 
that will have 4 Network Cards, and will be placed between Our Head Office 
Switch, and our Fibre Switch [Wan].

But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD 
Will Bridge All Those Networks.
How Can i keep the networks Separate, and Secure the Servers by Firewalling 
by ip addressing?


I would appreciate Advice / Suggestions / Anything That will give me a 
better clue on how to secure my network.



Yours Sincerely,
Stephan Weaver



Re: Networking with FreeBSD

2005-08-03 Thread Stephan Weaver




From: Nikolas Britton [EMAIL PROTECTED]
Reply-To: Nikolas Britton [EMAIL PROTECTED]
To: Stephan Weaver [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD
Date: Tue, 2 Aug 2005 18:26:15 -0500

On 8/2/05, Stephan Weaver [EMAIL PROTECTED] wrote:


 From: Chuck Swiger [EMAIL PROTECTED]
 To: Stephan Weaver [EMAIL PROTECTED]
 CC: freebsd-questions@freebsd.org
 Subject: Re: Networking with FreeBSD
 Date: Tue, 02 Aug 2005 14:26:07 -0400
 
 Stephan Weaver wrote:
 [ ... ]
 Thank You So Very Much for your quick response.
 
 You're welcome.
 
 I am familiar with firewalling, but i have never done something like this.
 Maybe you can give me an actual Example from my reference.
 Using my networks etc.
 
 Sure, if I had lots of free time and nothing else to do, I could probably
 write up a security policy, firewall rules, along with pretty network
 topology diagrams and so forth.  But I was up 'til 2AM doing pretty much
 just that for a client yesterday (*), and I'd rather not spend that much
 effort again today without a good cause, or at least more beer.  :-)
 
 There is an expectation on the freebsd lists that you spend your own time
 to learn about the tasks you want to accomplish before asking other people
 to repeat what the documentation says for your own specific use case.
 (Read the docs.  Try stuff out.  Ask questions which show what you've done
 and what the specific error message or problem you have is.)
 
 What i want to do is separate the networks on the same wire.
 
 Hmm.  Why do you want to put separate subnets on the same wire?
 
 (What does that mean to you, anyway?  Using the same external ISP
 connection? All boxes all on the same ethernet hub?  Something else?
 Consider IPsec. :-)
 
 --
 -Chuck
 
 (*): Client is in Denmark.  They wanted stuff urgently by this morning
 their time, after getting me something to respond to yesterday at 4PM my
 time.  Bleh, this global outsourcing thing really is overrated
 


 What i want to do in a nutshell,
 Connect all stores together via fibre, and protect my HeadOffice Lan, which
 will now be connected to all the stores. And Have some sort of security.

What fibre? how far are the stores? fibre networking gear? you have
fibre going all the way to your stores from HQ?

Also, why do you have pixel, httpd, and samba servers on different LANs?

Internet
   |
   |   |-> WANs 1-4, 192.168.2/24, 192.168.3/24, 192.168.4/24, 192.168.5/24
Firewall --> DMZ 192.168.1/24 -> Pixel, httpd, samba
   |
   |
HQ LAN 192.168.0/24


OR:

Internet
  |
  |   |-> WAN, 192.168.2/24
Firewall --> DMZ, 192.168.1/24 -> Pixel, httpd
  |
  |--- Samba
  |
HQ LAN 192.168.0/24

OR:

Internet
  |
  |   |---WAN(s)
Firewall
  |
  |
HQ LAN

Etc.

We need more info to help you.




Thank you for your concern and quick response everyone.

Now i will use your example as mentioned above.

I have one quick question though.
These WANs will be on separate networks because of the /24. correct?

So if Wan1 [192.168.2/24] Wants to Connect to our Pixel Server[192.168.1/24] 
for example He would not be able to communicate because of the /24? Is 
this correct?


If so, how do I allow them to communicate?

Yours Sincerely
Stephan Weaver



Re: Networking with FreeBSD

2005-08-03 Thread Nikolas Britton
On 8/3/05, Stephan Weaver [EMAIL PROTECTED] wrote:
 
 
 From: Nikolas Britton [EMAIL PROTECTED]
 
 
 Internet
 |
 |   |-> WANs 1-4, 192.168.2/24, 192.168.3/24, 192.168.4/24, 192.168.5/24
 Firewall --> DMZ 192.168.1/24 -> Pixel, httpd, samba
 |
 |
 HQ LAN 192.168.0/24
 
 
 OR:
 
 Internet
   |
   |   |-> WAN, 192.168.2/24
 Firewall --> DMZ, 192.168.1/24 -> Pixel, httpd
   |
   |--- Samba
   |
 HQ LAN 192.168.0/24
 
 OR:
 
 Internet
   |
   |   |---WAN(s)
 Firewall
   |
   |
 HQ LAN
 
 Etc.
 
 We need more info to help you.
 
 
 
 Thank you for your concern and quick response everyone.
 
 Now i will use your example as mentioned above.
 
 I have one quick question though.
 These WANs will be on separate networks because of the /24. correct?
 
Yes, 24 = class C = netmask of 255.255.255.0

http://public.pacbell.net/dedicated/cidr.html

 So if Wan1 [192.168.2/24] Wants to Connect to our Pixel Server[192.168.1/24]
 for example He would not be able to communicate because of the /24? Is
 this correct?

Yes, because they are on different networks. You will need a router for
them to communicate.
 
 
 If so, how do I allow them to communicate?
 

firewall = firewall, router, gateway, bridge, etc. with FreeBSD and
the right software it will do all of that transparently.

Setup a test lab of some sorts, start with this layout and work your
way up until you understand what it's doing:

Internet
   |
   |   |---WAN(s) 192.168.1/24
Firewall
   |
   |
HQ LAN 192.168.0/24

You will need 3 PCs; one for the LAN, one on the WAN1 side and one for
the firewall. For the firewall you will be using m0n0wall, 48MB ram
(minimum) and 3 network cards.

http://en.wikipedia.org/wiki/M0n0wall
http://m0n0.ch/wall/download.php?file=generic-pc-1.2b9.img
http://m0n0.ch/wall/installation_generic.php
http://m0n0.ch/wall/quickstart/
http://www.tomsnetworking.com/Reviews-161-ProdID-MONOWALL.php

If you need any help setting it up etc. just ask me. I started using
it sometime late in 2003, so I probably have more experience using the
software than most people you'll run across.


Networking with FreeBSD

2005-08-02 Thread Stephan Weaver

Hello Everyone.

We are going to be connecting our Stores to our Main Head Office Via Fiber.
We want to separate our Internal Lan from the store computers.
So we have decided to separate them by networks [ip addressing] because of 
security.



Head Office
I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head 
Office.

10.10.10.1 - Pixel Replication Server
192.168.1.1 - Web Based Server [Delivery Server]
192.168.100.1 - File Server
Including Internet Users.
192.168.0.1-254 [ Lan ].


The store computers that need to access specific servers, are only on that 
network.

For example.
Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105]
Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105
Store 1, Computer 3 Will access the File Server by having an ip of 
192.168.100.105.



Now the Risk involved with this is we have no Real Security, For Example.
A Malicious user can easily change his ip address to 192.168.0.105 For 
Example and Get on our Head Office Internal Network. Which We don't Want.



So i would like to Setup, Install And Configure a FreeBSD Based Firewall, 
that will have 4 Network Cards, and will be placed between Our Head Office 
Switch, and our Fibre Switch [Wan].


But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD 
Will Bridge All Those Networks.
How Can i keep the networks Separate, and Secure the Servers by Firewalling 
by ip addressing?



I would appreciate Advice / Suggestions / Anything That will give me a 
better clue on how to secure my network.




Yours Sincerely,
Stephan Weaver



Re: Networking with FreeBSD

2005-08-02 Thread Kevin Kinsey

Stephan Weaver wrote:


Hello Everyone.

We are going to be connecting our Stores to our Main Head Office Via 
Fiber.

We want to separate our Internal Lan from the store computers.
So we have decided to separate them by networks [ip addressing] 
because of security.



Head Office
I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head 
Office.

10.10.10.1 - Pixel Replication Server
192.168.1.1 - Web Based Server [Delivery Server]
192.168.100.1 - File Server
Including Internet Users.
192.168.0.1-254 [ Lan ].


The store computers that need to access specific servers, are only on 
that network.

For example.
Store 1, Computer 1 Needs to Replicate [he will have an ip of 
10.10.10.105]
Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 
192.168.1.105
Store 1, Computer 3 Will access the File Server by having an ip of 
192.168.100.105.


Now the Risk involved with this is we have no Real Security, For Example.
A Malicious user can easily change his ip address to 192.168.0.105 For
Example and Get on our Head Office Internal Network. Which We don't Want.

So i would like to Setup, Install And Configure a FreeBSD Based 
Firewall, that
will have 4 Network Cards, and will be placed between Our Head Office 
Switch, and our Fibre Switch [Wan].


But AFAIK, By Placing all these network cards in the Same Machine, 
FreeBSD Will Bridge All Those Networks.
How Can i keep the networks Separate, and Secure the Servers by 
Firewalling by ip addressing?


I would appreciate Advice / Suggestions / Anything That will give me a 
better clue on how to secure my network.


Yours Sincerely,
Stephan Weaver



This is probably not Real Helpful(tm), but maybe we can get the
ball rolling here (so I've included your entire post) --- I'm looking
at m0n0wall (http://m0n0.ch/wall) to do a little of this on a smaller
scale --- basically just keeping 2 LANs on the same wire separate
from one another, and limiting access to the big bad Net via a
captive portal.

Not sure if it would be any help to you, however.

Kevin Kinsey


Re: Networking with FreeBSD

2005-08-02 Thread Garrett Cooper

On Tue, 2 Aug 2005, Stephan Weaver wrote:


Hello Everyone.

We are going to be connecting our Stores to our Main Head Office Via Fiber.
We want to separate our Internal Lan from the store computers.
So we have decided to separate them by networks [ip addressing] because of 
security.



Head Office
I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head 
Office.

10.10.10.1 - Pixel Replication Server
192.168.1.1 - Web Based Server [Delivery Server]
192.168.100.1 - File Server
Including Internet Users.
192.168.0.1-254 [ Lan ].


The store computers that need to access specific servers, are only on that 
network.

For example.
Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105]
Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105
Store 1, Computer 3 Will access the File Server by having an ip of 
192.168.100.105.



Now the Risk involved with this is we have no Real Security, For Example.
A Malicious user can easily change his ip address to 192.168.0.105 For 
Example and Get on our Head Office Internal Network. Which We don't Want.



So i would like to Setup, Install And Configure a FreeBSD Based Firewall, 
that will have 4 Network Cards, and will be placed between Our Head Office 
Switch, and our Fibre Switch [Wan].


But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD 
Will Bridge All Those Networks.
How Can i keep the networks Separate, and Secure the Servers by Firewalling 
by ip addressing?



I would appreciate Advice / Suggestions / Anything That will give me a better 
clue on how to secure my network.




Yours Sincerely,
Stephan Weaver


	I can tell you as of right now that you're going to have to set up 
a NAT with your FreeBSD box acting as the gateway using something like 
ipf, ipfilter, etc. However, I have little experience with this, and 
depending on what you want in terms of user interaction, different 
solutions will pose certain pros and cons.
	Also, no one outside of the network can just change their IP 
address to 192.168.0.x because the 192.168.x.y IP address blocks are 
reserved as Class C addresses which under all correct implementations of 
IP are physically inaccessible outside the network. Therefore, that isn't so 
much of an issue... however, it still doesn't hurt to have a firewall 
because you don't want someone tunnelling in and wreaking havoc on your 
network. That is of course if the information you listed above was in fact 
what's currently implemented as opposed to what should be implemented.

Just a few minor thoughts.
-Garrett


Re: Networking with FreeBSD

2005-08-02 Thread Stephan Weaver




From: Garrett Cooper [EMAIL PROTECTED]
To: Stephan Weaver [EMAIL PROTECTED]
CC: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD
Date: Tue, 2 Aug 2005 10:10:44 -0700 (PDT)

On Tue, 2 Aug 2005, Stephan Weaver wrote:


Hello Everyone.

We are going to be connecting our Stores to our Main Head Office Via 
Fiber.

We want to separate our Internal Lan from the store computers.
So we have decided to separate them by networks [ip addressing] because of 
security.



Head Office
I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head 
Office.

10.10.10.1 - Pixel Replication Server
192.168.1.1 - Web Based Server [Delivery Server]
192.168.100.1 - File Server
Including Internet Users.
192.168.0.1-254 [ Lan ].


The store computers that need to access specific servers, are only on that 
network.

For example.
Store 1, Computer 1 Needs to Replicate [he will have an ip of 
10.10.10.105]

Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105
Store 1, Computer 3 Will access the File Server by having an ip of 
192.168.100.105.



Now the Risk involved with this is we have no Real Security, For Example.
A Malicious user can easily change his ip address to 192.168.0.105 For 
Example and Get on our Head Office Internal Network. Which We don't Want.



So i would like to Setup, Install And Configure a FreeBSD Based Firewall, 
that will have 4 Network Cards, and will be placed between Our Head Office 
Switch, and our Fibre Switch [Wan].


But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD 
Will Bridge All Those Networks.
How Can i keep the networks Separate, and Secure the Servers by 
Firewalling by ip addressing?



I would appreciate Advice / Suggestions / Anything That will give me a 
better clue on how to secure my network.




Yours Sincerely,
Stephan Weaver


	I can tell you as of right now that you're going to have to set up a NAT 
with your FreeBSD box acting as the gateway using something like ipf, 
ipfilter, etc. However, I have little experience with this, and depending 
on what you want in terms of user interaction, different solutions will 
pose certain pros and cons.
	Also, no one outside of the network can just change their IP address to 
192.168.0.x because the 192.168.x.y IP address blocks are reserved as Class 
C addresses which under all correct implementations of IP are physically 
inaccessible outside the network. Therefore, that isn't so much of an 
issue... however, it still doesn't hurt to have a firewall because you 
don't want someone tunnelling in and wreaking havoc on your network. That 
is of course if the information you listed above was in fact what's 
currently implemented as opposed to what should be implemented.

Just a few minor thoughts.
-Garrett




Nothing is implemented as yet, i am looking for solutions.


Thanks EVERYONE!
Love You Guys
stephan weaver



Re: Networking with FreeBSD

2005-08-02 Thread Chuck Swiger

Stephan Weaver wrote:
[ ... ]
But AFAIK, By Placing all these network cards in the Same Machine, 
FreeBSD Will Bridge All Those Networks.


FreeBSD is well-behaved in terms of security.  It will not act as a layer-2 
bridge or as a layer-3 IP router/firewall, unless and until you tell it to do so.


See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as:

gateway_enable="NO"       # Set to YES if this host will be a gateway.
router_enable="NO"        # Set to YES to enable a routing daemon.
firewall_enable="NO"      # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"   # Firewall type (see /etc/rc.firewall)

...or man bridge.

How Can i keep the networks Separate, and Secure the Servers by 
Firewalling by ip addressing?


Well, if you set the machines up on three or four separate subnets, each on a 
separate collision domain (ie, each with its own hub or switch VLAN), you can 
firewall traffic both by subnet and by individual IPs.  A proper ruleset will 
integrate anti-spoofing rules which will prevent a machine from sending traffic 
as if it were an IP on another subnet, or at least prevent the traffic from 
going through the firewall to reach your private internal networks.


Obviously, you want to keep untrusted machines on another subnet than the 
servers you are protecting.  Go read Building Internet Firewalls published by 
O'Reilly, as well as http://www.ietf.org/rfc/rfc2196.txt...


--
-Chuck
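Added example, not from the thread: an /etc/rc.firewall-style ipfw fragment for the WAN/DMZ/HQ LAN layout Nikolas drew, carrying the anti-spoofing rules Chuck describes so that a store host claiming 192.168.0.105 is dropped at the firewall. The interface names fxp0-fxp2, the DMZ server addresses and the replication port are assumptions, and the Internet-facing side is left out.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw ruleset in the style of
# /etc/rc.firewall for: HQ LAN 192.168.0/24 on fxp0, DMZ 192.168.1/24
# on fxp1, store WAN 192.168.2/24 on fxp2. Interface names, DMZ host
# addresses and the replication port are assumptions.

fwcmd=${fwcmd:-/sbin/ipfw}

# name:interface:network - the only source network accepted on each NIC
segments="hq:fxp0:192.168.0.0/24
dmz:fxp1:192.168.1.0/24
wan:fxp2:192.168.2.0/24"

# Assumed DMZ hosts; the thread only gives the /24.
pixel_srv=192.168.1.10
web_srv=192.168.1.20
file_srv=192.168.1.30
# Replication port is not given in the thread: set PIXEL_PORT to
# restrict it, otherwise all TCP ports on that host are allowed.
pixel_port=${PIXEL_PORT:-}

# Anti-spoofing for one interface: packets arriving on it must carry a
# source from its own wire, and no other interface may deliver packets
# claiming a source from that wire. Both are logged for detection.
antispoof_rules() {
    iface=$1; net=$2
    echo "add deny log ip from not $net to any in recv $iface"
    echo "add deny log ip from $net to any in not recv $iface"
}

# Only the flows the stores need, stateful, plus an explicit block on
# anything from the store side headed for the HQ LAN.
service_rules() {
    wan_net=192.168.2.0/24
    echo "add allow tcp from $wan_net to $pixel_srv${pixel_port:+ $pixel_port} in recv fxp2 setup keep-state"
    echo "add allow tcp from $wan_net to $web_srv 80,443 in recv fxp2 setup keep-state"
    echo "add allow tcp from $wan_net to $file_srv 445 in recv fxp2 setup keep-state"
    echo "add allow ip from 192.168.0.0/24 to 192.168.1.0/24 in recv fxp0 keep-state"
    echo "add deny log ip from any to 192.168.0.0/24 in recv fxp2"
}

# Whole ruleset, in order: state check, loopback, anti-spoofing per
# segment, permitted services, default deny.
build_ruleset() {
    echo "add check-state"
    echo "add allow ip from any to any via lo0"
    echo "$segments" | while IFS=: read -r _name iface net; do
        antispoof_rules "$iface" "$net"
    done
    service_rules
    echo "add deny log ip from any to any"
}

# Sanity check before loading: number of rules that will be installed.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

# Load only when asked to; printing the ruleset is the default.
if [ "${1-}" = "load" ]; then
    ${fwcmd} -f flush
    build_ruleset | while read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        ${fwcmd} $rule
    done
else
    build_ruleset
fi
```

Run it without arguments to review the rules, then `sh rc.firewall.sh load` as root once the interface names match the box.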



Re: Networking with FreeBSD

2005-08-02 Thread Stephan Weaver




From: Chuck Swiger [EMAIL PROTECTED]
To: Stephan Weaver [EMAIL PROTECTED]
CC: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD
Date: Tue, 02 Aug 2005 13:38:27 -0400

Stephan Weaver wrote:
[ ... ]
But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD 
Will Bridge All Those Networks.


FreeBSD is well-behaved in terms of security.  It will not act as a layer-2 
bridge or as a layer-3 IP router/firewall, unless and until you tell it to 
do so.


See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as:

gateway_enable="NO"       # Set to YES if this host will be a gateway.
router_enable="NO"        # Set to YES to enable a routing daemon.
firewall_enable="NO"      # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"   # Firewall type (see /etc/rc.firewall)

...or man bridge.

How Can i keep the networks Separate, and Secure the Servers by 
Firewalling by ip addressing?


Well, if you set the machines up on three or four separate subnets, each on 
a separate collision domain (ie, each with its own hub or switch VLAN), 
you can firewall traffic both by subnet and by individual IPs.  A proper 
ruleset will integrate anti-spoofing rules which will prevent a machine 
from sending traffic as if it were an IP on another subnet, or at least 
prevent the traffic from going through the firewall to reach your private 
internal networks.


Obviously, you want to keep untrusted machines on another subnet than the 
servers you are protecting.  Go read Building Internet Firewalls 
published by O'Reilly, as well as http://www.ietf.org/rfc/rfc2196.txt...


--
-Chuck




Thank You So Very Much for your quick response.
I am familiar with firewalling, but i have never done something like this.
Maybe you can give me an actual Example from my reference.
Using my networks etc.


What i want to do is separate the networks on the same wire.



Re: Networking with FreeBSD

2005-08-02 Thread Chuck Swiger

Stephan Weaver wrote:
[ ... ]

Thank You So Very Much for your quick response.


You're welcome.


I am familiar with firewalling, but i have never done something like this.
Maybe you can give me an actual Example from my reference.
Using my networks etc.


Sure, if I had lots of free time and nothing else to do, I could probably write 
up a security policy, firewall rules, along with pretty network topology 
diagrams and so forth.  But I was up 'til 2AM doing pretty much just that for a 
client yesterday (*), and I'd rather not spend that much effort again today 
without a good cause, or at least more beer.  :-)


There is an expectation on the freebsd lists that you spend your own time to 
learn about the tasks you want to accomplish before asking other people to 
repeat what the documentation says for your own specific use case.  (Read the 
docs.  Try stuff out.  Ask questions which show what you've done and what the 
specific error message or problem you have is.)



What I want to do is separate the networks on the same wire.


Hmm.  Why do you want to put separate subnets on the same wire?

(What does that mean to you, anyway?  Using the same external ISP connection? 
All boxes all on the same ethernet hub?  Something else?  Consider IPsec. :-)


--
-Chuck

(*): Client is in Denmark.  They wanted stuff urgently by this morning their 
time, after getting me something to respond to yesterday at 4PM my time.  Bleh, 
this global outsourcing thing really is overrated.




Re: Networking with FreeBSD

2005-08-02 Thread Nikolas Britton
On 8/2/05, Kevin Kinsey [EMAIL PROTECTED] wrote:
 Stephan Weaver wrote:
 
  Hello Everyone.
 
  We are going to be connecting our Stores to our Main Head Office Via
  Fiber.
  We want to separate our Internal Lan from the store computers.
  So we have decided to separate them by networks [ip addressing]
  because of security.
 
 
  Head Office
  I have 3 Servers in my LAN. And 4 Networks in Total inside of our Head
  Office.
  10.10.10.1 - Pixel Replication Server
  192.168.1.1 - Web Based Server [Delivery Server]
  192.168.100.1 - File Server
  Including Internet Users.
  192.168.0.1-254 [ Lan ].
 
 
  The store computers that need to access specific servers, are only on
  that network.
  For example.
  Store 1, Computer 1 Needs to Replicate [he will have an ip of
  10.10.10.105]
  Store 1, Computer 2 [The Delivery Pc]. he will have an ip of
  192.168.1.105
  Store 1, Computer 3 Will access the File Server by having an ip of
  192.168.100.105.
 
  Now the Risk involved with this is we have no Real Security, For Example.
  A Malicious user can easily change his ip address to 192.168.0.105 For
  Example and Get on our Head Office Internal Network. Which We don't Want.
 
  So i would like to Setup, Install And Configure a FreeBSD Based
  Firewall, that
  will have 4 Network Cards, and will be placed between Our Head Office
  Switch, and our Fibre Switch [Wan].
 
  But AFAIK, By Placing all these network cards in the Same Machine,
  FreeBSD Will Bridge All Those Networks.
  How Can I keep the networks Separate, and Secure the Servers by
  Firewalling by ip addressing?
 
  I would appreciate Advice / Suggestions / Anything That will give me a
  better clue on how to secure my network.
 
  Yours Sincerely,
  Stephan Weaver
 
 
 This is probably not Real Helpful(tm), but maybe we can get the
 ball rolling here (so I've included your entire post)  --- I'm looking
 at m0n0wall (http://m0n0.ch/wall) to do a little of this on a smaller
 scale --- basically just keeping 2 LAN's on the same wire separate
 from one another, and limiting access to the big bad Net via a
 captive portal.
 
 Not sure if it would be any help to you, however
 

I'm a big fan of m0n0wall! The thing can do just about anything and
it's so easy to set up and maintain.

This problem should be a simple fix... Treat your connections to the
stores as if they were connections to the public Internet! If I wanted to
connect my LAN/Servers to the Internet then I would set up a firewall
(m0n0wall) that has a deny all policy. After I've done that I would
set up some pass rules like: store server with the IP address of xyz
can access HQ server that has the IP address of xyz only on port xyz.
If you want you could set up a DMZ and put your HQ servers there.

All WANs, MANs, 802.11x, Ethernet over AC power lines, etc. should
always be treated like the public Internet.

m0n0wall can do everything you need... Have you thought about site to
site VPNs using the Internet to connect the stores?... What kind of
bandwidth do you need?
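Putting Chuck's anti-spoofing advice and Nikolas's deny-all-then-pass policy together for Stephan's layout, as an added example that is not from any poster in this thread: an ipfw script for a FreeBSD box that routes between one NIC per subnet (gateway_enable="YES", no bridge) instead of bridging them. The server addresses are the ones Stephan listed and the fibre subnet follows Nikolas's diagram; the interface names, the store host 192.168.2.105, the service ports and the IPFW=echo dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a FreeBSD router with one
# NIC per subnet. Needs gateway_enable="YES" in /etc/rc.conf and no bridge
# configuration, so packets only cross subnets when ipfw lets them through.
# Interface names, the store host, the service ports and the dry-run switch
# are assumptions; the server addresses are the ones Stephan listed.

IPFW="${IPFW:-/sbin/ipfw -q}"   # set IPFW=echo to print the rules instead of loading them

# interface:subnet pairs, one NIC per network (constructed for this example;
# 192.168.2.0/24 is the fibre/store subnet from Nikolas's diagram)
NETS="fxp0:192.168.2.0/24 fxp1:10.10.10.0/24 fxp2:192.168.1.0/24 fxp3:192.168.100.0/24 fxp4:192.168.0.0/24"

STORE_HOST=192.168.2.105   # constructed: one store PC on the fibre subnet
PIXEL_SRV=10.10.10.1       # Pixel replication server
WEB_SRV=192.168.1.1        # web based delivery server
FILE_SRV=192.168.100.1     # file server
HQ_LAN=192.168.0.0/24      # head office LAN: nothing from the stores may reach it

antispoof_rules() {
    # Chuck's anti-spoofing rules: a packet entering on an interface must carry
    # a source address from that interface's own subnet. Since every interface
    # gets this rule, a store PC that changes its address to 192.168.0.105 is
    # dropped on the fibre interface instead of being forwarded into the HQ LAN.
    for pair in $NETS; do
        ifn=${pair%%:*}
        net=${pair#*:}
        $IPFW add 1000 deny log ip from not "$net" to any in recv "$ifn"
    done
}

policy_rules() {
    # Nikolas's policy: treat the fibre like the public Internet. Deny all,
    # then pass only "store host -> HQ server -> port", statefully, so replies
    # get back without an allow rule in the other direction.
    $IPFW add 2000 check-state
    $IPFW add 2010 allow tcp from "$STORE_HOST" to "$PIXEL_SRV" 8000 setup keep-state
    $IPFW add 2020 allow tcp from "$STORE_HOST" to "$WEB_SRV" 80 setup keep-state
    $IPFW add 2030 allow tcp from "$STORE_HOST" to "$FILE_SRV" 445 setup keep-state
    # The HQ LAN may open connections to the servers and to the stores; no
    # rule lets anything open a connection into the HQ LAN.
    $IPFW add 2100 allow tcp from "$HQ_LAN" to any setup keep-state
    $IPFW add 2110 allow udp from "$HQ_LAN" to any keep-state
    $IPFW add 65000 deny log ip from any to any
}

build_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any
    antispoof_rules
    policy_rules
}

# "sh segment.sh load" loads the rules; "IPFW=echo sh segment.sh load" prints them.
if [ "${1:-}" = "load" ]; then
    build_ruleset
fi
```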


Re: Networking with FreeBSD

2005-08-02 Thread Stephan Weaver




From: Chuck Swiger [EMAIL PROTECTED]
To: Stephan Weaver [EMAIL PROTECTED]
CC: freebsd-questions@freebsd.org
Subject: Re: Networking with FreeBSD
Date: Tue, 02 Aug 2005 14:26:07 -0400

Stephan Weaver wrote:
[ ... ]

Thank You So Very Much for your quick response.


You're welcome.


I am familiar with firewalling, but I have never done something like this.
Maybe you can give me an actual Example from my reference.
Using my networks etc.


Sure, if I had lots of free time and nothing else to do, I could probably 
write up a security policy, firewall rules, along with pretty network 
topology diagrams and so forth.  But I was up 'til 2AM doing pretty much 
just that for a client yesterday (*), and I'd rather not spend that much 
effort again today without a good cause, or at least more beer.  :-)


There is an expectation on the freebsd lists that you spend your own time 
to learn about the tasks you want to accomplish before asking other people 
to repeat what the documentation says for your own specific use case.  
(Read the docs.  Try stuff out.  Ask questions which show what you've done 
and what the specific error message or problem you have is.)



What I want to do is separate the networks on the same wire.


Hmm.  Why do you want to put separate subnets on the same wire?

(What does that mean to you, anyway?  Using the same external ISP 
connection? All boxes all on the same ethernet hub?  Something else?  
Consider IPsec. :-)


--
-Chuck

(*): Client is in Denmark.  They wanted stuff urgently by this morning 
their time, after getting me something to respond to yesterday at 4PM my 
time.  Bleh, this global outsourcing thing really is overrated.





What i want to do in a nutshell,
Connect all stores together via fibre, and protect my HeadOffice Lan, which 
will now be connected to all the stores. And Have some sort of security.






Re: Networking with FreeBSD

2005-08-02 Thread Nikolas Britton
On 8/2/05, Stephan Weaver [EMAIL PROTECTED] wrote:
 
 
 From: Chuck Swiger [EMAIL PROTECTED]
 To: Stephan Weaver [EMAIL PROTECTED]
 CC: freebsd-questions@freebsd.org
 Subject: Re: Networking with FreeBSD
 Date: Tue, 02 Aug 2005 14:26:07 -0400
 
 Stephan Weaver wrote:
 [ ... ]
 Thank You So Very Much for your quick response.
 
 You're welcome.
 
 I am familiar with firewalling, but I have never done something like this.
 Maybe you can give me an actual Example from my reference.
 Using my networks etc.
 
 Sure, if I had lots of free time and nothing else to do, I could probably
 write up a security policy, firewall rules, along with pretty network
 topology diagrams and so forth.  But I was up 'til 2AM doing pretty much
 just that for a client yesterday (*), and I'd rather not spend that much
 effort again today without a good cause, or at least more beer.  :-)
 
 There is an expectation on the freebsd lists that you spend your own time
 to learn about the tasks you want to accomplish before asking other people
 to repeat what the documentation says for your own specific use case.
 (Read the docs.  Try stuff out.  Ask questions which show what you've done
 and what the specific error message or problem you have is.)
 
 What I want to do is separate the networks on the same wire.
 
 Hmm.  Why do you want to put separate subnets on the same wire?
 
 (What does that mean to you, anyway?  Using the same external ISP
 connection? All boxes all on the same ethernet hub?  Something else?
 Consider IPsec. :-)
 
 --
 -Chuck
 
 (*): Client is in Denmark.  They wanted stuff urgently by this morning
 their time, after getting me something to respond to yesterday at 4PM my
 time.  Bleh, this global outsourcing thing really is overrated
 
 
 
 What i want to do in a nutshell,
 Connect all stores together via fibre, and protect my HeadOffice Lan, which
 will now be connected to all the stores. And Have some sort of security.

What fibre? How far are the stores? Fibre networking gear? You have
fibre going all the way to your stores from HQ?

Also, why do you have pixel, httpd, and samba servers on different LANs?

Internet
   |   
   |   |WANs 1-4, 192.168.2/24, 192.168.3/24, 192.168.4/24, 192.168.5/24
Firewall -- DMZ 192.168.1/24 - Pixel, httpd, samba
   |
   |
HQ LAN 192.168.0/24


OR: 

Internet
  |
  |   |-WAN, 192.168.2/24
Firewall --- DMZ, 192.168.1/24 - Pixel, httpd
  |
  |--- Samba
  |
HQ LAN 192.168.0/24

OR:

Internet
  |
  |   |---WAN(s)
Firewall
  |
  |
HQ LAN

Etc.  

We need more info to help you.


Re: SMP and networking under FreeBSD 5.3

2005-06-24 Thread Joe
Hello,

ps:

root   542  0.0  0.7  1320  812  ??  Ss   Tue09AM   2:22.10 /sbin/natd -dynamic -d -log_ipfw_denied -log_denied -dynamic -n dc0

ifconfig:
pccard_ifconfig="NO"
ifconfig_xl0="inet 192.168.0.15  netmask 255.255.255.0"
ifconfig_dc0="DHCP"

So FreeBSD 5.3 isn't production?  I had read somewhere that
5.2.1 wasn't production and that 5.3 was supposed to be
production.

I'll look into upgrading to 5.4, it will take a bit of time to
do that though.  

Joe

--- Alex Zbyslaw [EMAIL PROTECTED] wrote:

 Joe wrote:
 
 Okay, I've been looking and looking for duplicate natd's.
 
 I have the /etc/rc.conf which has natd stuff below, and the only
 other place I see it is in ipfw.
 
 I was able to change my rc and use /etc/rc.d/natd start and that
 works.  Which is better as it does not require me to reload my
 firewall rules.
 
 I still don't know why natd refuses to start the first time when
 called from ipfw.
 
 If I understand the boot procedure correctly, natd ought to be started
 as part of the /etc/rc.d/ipfw and that just calls /etc/rc.d/natd start
 which is what you are typing later from the command line with success,
 so why it fails at boot, I really don't know at this point.
 
 The "cannot bind to divert socket" error I thought could happen if a)
 you weren't root (seems unlikely from bootup) or b) something had
 already bound the socket.  After your machine boots, what does
 ps uagxww | egrep natd
 show?
 
 Google also found this:
 
 - In FreeBSD, IPDIVERT must be enabled at compile time.
 
 I guess your kernel has this option, or natd would never have worked.
 
 What ifconfig lines do you have in /etc/rc.conf?
 
 egrep ifconfig /etc/rc.conf
 
 I have no rc.conf.local
 
 Not too surprising.  It could be used under 4.X as a second level to
 rc.conf, but exists nowadays for backwards compatibility and AFAIK isn't
 created by anything.
 
 As a more drastic attempt at a solution, could you try upgrading to
 5.4?  It has numerous improvements over 5.3, which was never a
 production release.  Maybe some ordering problem was fixed.
 
 --Alex
 
 
 




 


Re: SMP and networking under FreeBSD 5.3

2005-06-24 Thread Alex Zbyslaw

Joe wrote:


Hello,

ps:

root   542  0.0  0.7  1320  812  ??  Ss   Tue09AM   2:22.10 /sbin/natd -dynamic -d -log_ipfw_denied -log_denied -dynamic -n dc0
 

Is this just after a reboot?  If so, it does show that natd is running, 
so I'm not sure why you're getting the message you were getting.



ifconfig:
pccard_ifconfig="NO"
ifconfig_xl0="inet 192.168.0.15  netmask 255.255.255.0"
ifconfig_dc0="DHCP"
 


That looks right.


So FreeBSD 5.3 isn't production?  I had read somewhere that
5.2.1 wasn't production and that 5.3 was supposed to be
production.

 

I'm not sure if I'm getting the terminology quite right, but I believe 
5.4 was the first -STABLE release.  Up until then 4.X was still the 
recommended release to use unless you required 5.X for particular 
hardware and were prepared to accept that it might not be quite 
production ready.  My memory, when I was tracking this stuff, was that 
a lot of improvements went into 5.4.  (I'm sure a lot went into 5.3 as 
well, but I'm reasonably sure it was not made the -STABLE or 
recommended branch or whatever).



I'll look into upgrading to 5.4, it will take a bit of time to
do that though.  

I don't think it's as bad as you might think -- my experience is that 
upgrades within a major release number (4.X, or 5.X) have been very 
easy.  The compiling can take time, but I just try to make it coincide 
with a good movie on the telly, or a sunny afternoon in the garden.  The 
bit I don't like is mergemaster, just because it's fiddly and hands on 
and requires lots of concentration.  (Mergemaster is a great deal better 
than anything which preceded it, which if you go back far enough was 
nothing at all.  It's not so much mergemaster that I dislike as just 
staring at the diffs trying to decipher how the OS-related changes 
affect my own changes).


The handbook has a great section on upgrading.  I'd recommend printing 
it off, especially if upgrading isn't something you have done often.


Please note, I'm not saying that upgrading will fix your problem, but it 
might and 5.4 ought to be better than 5.3.


Since no-one else has yet chimed in with any help, it might be worth 
posting a brand new message (with a more descriptive subject line) and 
just summarise the relevant bits of config and the natd error you are 
getting.  (Summarise your natd_* config variables, ifconfig_* variables, 
OS version and an excerpt from your firewall showing any divert rules.  
That ought to be enough).



One final thought.  Did you start with a fresh install of 5.3?  Did you 
upgrade from 4.X?  If the latter, then make sure that you don't have any 
stray config/boot script files lying about.  The easiest way to do that 
would be to run mergemaster (I like -s -v as options).  You can always 
say no to everything, but you should study the list of files in /etc 
which are not in CVS and make sure that you recognize them all.  If 
there are some you don't recognize which sound like they might be 
network/natd/firewall related, then they may be causing your problem.



--Alex



Re: SMP and networking under FreeBSD 5.3

2005-06-23 Thread Joe
Okay, I've been looking and looking for duplicate natd's.

I have the /etc/rc.conf which has natd stuff below, and the only
other place I see it is in ipfw.  

I was able to change my rc and use /etc/rc.d/natd start and that
works.  Which is better as it does not require me to reload my
firewall rules.  

I still don't know why natd refuses to start the first time when
called from ipfw.  

I have no rc.conf.local

Joe

--- Alex Zbyslaw [EMAIL PROTECTED] wrote:

 Joe wrote:
 
 Okay, back on topic.
 
 I've changed my rules in ipfw, and no longer get the hostname ..
 messages.
 
 Now natd does not start and it complains 'unable to bind divert
 socket, and then cant assign requested address'.  I'm using:
 
 natd_enable="YES"
 natd_interface="dc0"
 natd_flags="-dynamic -d -log_ipfw_denied -log_denied"
 
 These are my parameters below which definitely work -- or you wouldn't
 be seeing this email :)  I can't see anything obviously wrong with
 yours; what I would suggest is to start with just -dynamic since
 that's the only one that's *required* for this setup to work and see how
 that does.  I can't find your original rules: I assume that a) dc0 *is*
 your external interface (typos are a common source of errors, though I
 don't think that's the case here) b) you have an ifconfig_dc0="DHCP"
 line in /etc/rc.conf.
 
 natd_enable="YES"   # Natd packet translation
 natd_flags="-log -log_denied -dynamic"
 natd_interface="sis0"
 ifconfig_sis0="DHCP"    # External network
 
 At startup I get a message like:
 
 Jun 18 10:38:58 natd[701]: Aliasing to 0.0.0.0, mtu 1500 bytes
 
 just after the firewall rules start up.
 
 The divert rule in my firewall says:
 
 ipfw add divert natd all from any to any via ${natd_interface}
 
 If you have static rules rather than a script then you need
 ${natd_interface} to be replaced directly with dc0.
 
 The other things to check, I guess, are that those are the *only* natd
 lines you have:
 
 egrep natd /etc/rc.conf /etc/rc.conf.local
 
 --Alex
 
 






Re: SMP and networking under FreeBSD 5.3

2005-06-18 Thread Alex Zbyslaw

Joe wrote:


Okay, back on topic.

I've changed my rules in ipfw, and no longer get the hostname ..
messages.  


Now natd does not start and it complains 'unable to bind divert
socket, and then cant assign requested address'.  I'm using:

natd_enable="YES"
natd_interface="dc0"
natd_flags="-dynamic -d -log_ipfw_denied -log_denied"
 



These are my parameters below which definitely work -- or you wouldn't 
be seeing this email :)  I can't see anything obviously wrong with 
yours; what I would suggest is to start with just -dynamic since 
that's the only one that's *required* for this setup to work and see how 
that does.  I can't find your original rules: I assume that a) dc0 *is* 
your external interface (typos are a common source of errors, though I 
don't think that's the case here) b) you have an ifconfig_dc0="DHCP" 
line in /etc/rc.conf.


natd_enable="YES"   # Natd packet translation
natd_flags="-log -log_denied -dynamic"
natd_interface="sis0"
ifconfig_sis0="DHCP"    # External network

At startup I get a message like:

Jun 18 10:38:58 natd[701]: Aliasing to 0.0.0.0, mtu 1500 bytes

just after the firewall rules start up.

The divert rule in my firewall says:

ipfw add divert natd all from any to any via ${natd_interface}

If you have static rules rather than a script then you need 
${natd_interface} to be replaced directly with dc0.


The other things to check, I guess, are that those are the *only* natd 
lines you have:


egrep natd /etc/rc.conf /etc/rc.conf.local

--Alex



Re: SMP and networking under FreeBSD 5.3

2005-06-17 Thread Joe
Okay, back on topic.

I've changed my rules in ipfw, and no longer get the hostname ..
messages.  

Now natd does not start and it complains 'unable to bind divert
socket, and then cant assign requested address'.  I'm using:

natd_enable="YES"
natd_interface="dc0"
natd_flags="-dynamic -d -log_ipfw_denied -log_denied"

Rules get set, natd does not start.

Interesting thing is that if I restart ipfw at the end of
/etc/rc  ( /etc/rc.d/ipfw start ) natd starts.

Hmm, I'm confused on this one.  

Joe

--- Alex Zbyslaw [EMAIL PROTECTED] wrote:

 Joe wrote:
 
 Thanks Alex, 
 
 Below are my rules.  I have removed the IP addresses and
 replaced with x.x.x.x in most cases.  Also some ports have been
 turned to y's instead of the actual port.
 
 I don't want to go into the details of your firewall; all I can offer is
 general advice for you to apply if you wish.  There are plenty of resources
 out there from the various man pages to the handbook.  Firewalls can be
 trickier than they look and NAT makes them significantly more
 complicated to fathom correctly.  I don't claim to be any kind of expert
 and everything I know started life being written by someone else :-)
 Any mistakes are most likely my own!  I will say that it is worth making
 sure you understand your own firewall.
 
 At one point you suggested that you wanted to make your firewall script
 start later so that you had access to your IP address.  I think you are
 on to a loser there because there is no particular time when DHCP
 finally gets the IP address.  If your provider is down, it might take
 minutes, hours or even days.  You could keep polling in some way to see
 if you had an IP address and not running your rules script until you
 did, but it would seem better to just write rules which work even
 without the IP address.  Plus, that would also not work if you ever had
 a second external interface (e.g. an old-fashioned modem) which needed
 firewalling irrespective of the status of your ethernet interface.
 
 Although a firewall often needs to know the actual addresses of hosts
 other than itself there is, as far as I can figure out, no logical
 reason for it to need to know its own IP address if you have the "me"
 construct.  (If, like my machine, your firewall is just another computer
 on a small network that is allowed to do exactly the same things as any
 other host on that network, then it needn't even use "me".  This makes
 life much easier because it interferes less with NAT).
 
 If you have "me" then you can always distinguish between your firewall
 and the rest of your network.
 
 Take the non-NAT case first:
 
 allow all from me to any out xmit ext_if
 allow all from any to me in recv ext_if
 
 These rules could only be triggered by packets addressed directly to
 your firewall.  If you follow it with e.g.
 
 deny all from any to any out via ext_if
 deny all from any to any in via ext_if
 
 then you close off your internal network.
 
 NAT makes things more complicated, because before or after NATing
 (depending on the direction) packets from your network can look like
 they originate on your machine or are destined for it.
 
 E.g.
 
 allow all from me to any out xmit ext_if
 
 must come before the NAT rule because after NAT-ing all your internal
 packets are going out ext_if.
 
 whereas
 
 allow all from any to me in recv ext_if
 
 must come after the NAT rule to be sure that it is actually your
 firewall which is the recipient.
 
 If all you have is a small network, then there may be no reason to
 differentiate your firewall from any other machine.  In this case, it is
 perfectly sufficient to write rules based on the ext_if alone.
 
 So I have rules like:
 
     # Allow connections initiated from internal network
     ipfw add allow tcp from any to any out xmit ext_if setup
 
     # Allow TCP through if setup succeeded
     ipfw add pass tcp from any to any via ext_if established
 
 The only IP addresses in my whole firewall are the limited number of
 hosts which can initiate some kind of connection into my network
 
 e.g.
 
 ipfw add allow tcp from x.x.x.x to any ssh setup
 
 (x.x.x.x not because I need to hide the IP but because I can't be
 bothered to find it in the firewall script :-))
 
 NB that rule says "any" for recipient because it was written before "me"
 existed.  But since my network is NATed, it would always be a packet
 header for my firewall and could only get elsewhere if I explicitly
 forwarded it.  There's no mention of the interface because a prior rule
 has already allowed internal connections which would match.  Looking at
 it now, I might get picky and put an interface spec in there just to be
 completist.
 
 It's often said that there is no security in obscurity, and while I
 don't always agree, I do think that if you actually have to hide the IPs
 in your firewall for it to be secure, then it isn't secure.  Since my
 firewall never 

Re: SMP and networking under FreeBSD 5.3

2005-06-16 Thread Alex Zbyslaw

Joe wrote:


I'm not sure why I get the hostname ``or'' unknown message
though.

 

If you still get it once you take away your ifconfig stuff then you'll 
know that it was responsible.  You haven't posted the actual lines you 
use, so no-one is going to be able to figure out what might be 
happening.  Where you currently have


variable=`ifconfig interface | stuff`

or whatever, put

echo $variable

after it and you will see if you got it right or not.  From what you've 
said I think your stuff works fine when there is an ip address and 
produces some junk when there isn't and you then feed that junk to an 
ipfw rule which gives you the error.


--Alex



Re: SMP and networking under FreeBSD 5.3

2005-06-16 Thread Joe
Thanks Alex, 

   Below are my rules.  I have removed the IP addresses and
replaced with x.x.x.x in most cases.  Also some ports have been
turned to y's instead of the actual port. 

   Some of these rules are probably not needed, but it works, or
at least it seems to be working.

   In looking at the rules, 8 rules are not processed, I get 8
of the messages below, and 8 rules rely on the E_IPADDR to be
set (the allowTcpConnectionOut shell function sets 3 rules).

Since E_IPADDR is always used when referring to the
FULL_LAN, which includes the internal interface, I'm just going
to switch to using 'me' instead.

Is it better to use 'me' or an ip address?

Joe

#! /bin/sh
# ipfw rules
#
##
# set up the ipfw command
ipfw_cmd="/sbin/ipfw -q"
#
##
# globals
##
GREP=/usr/bin/grep
# external address, if DHCP has already assigned one (empty otherwise)
E_IPADDR=`/sbin/ifconfig dc0 | $GREP -v inet6 | $GREP inet | awk '{print $2}'`
I_IPADDR=x.x.x.0   # x.x.x has been removed for this email
DNS_LOOKUPS=`$GREP nameserver /etc/resolv.conf | awk '{print $2}'`
INTERNET_IFACE=dc0
LAN_IFACE=xl0
# ipfw or-block: matches either the external address or the internal subnet
FULL_LAN="{ $E_IPADDR or $I_IPADDR/24 }"
DNS_SERVER=x.x.x.x   # I've removed this for this email
##
#
##
# function for allowing tcp connections
# takes from to and interface
###
tcpAddAllow="$ipfw_cmd add allow tcp from"
setup="setup keep-state"
###
# allow established traffic in both directions between FROM and TOWHO
allowTcpEst() {
    FROM="$1"
    TOWHO="$2"
    INTERFACE="$3"
    $tcpAddAllow $FROM to $TOWHO via $INTERFACE established
    $tcpAddAllow $TOWHO to $FROM via $INTERFACE established
}
###
# allow FROM to open connections to TOWHO going out on INTERFACE
allowTcpConnectionOut() {
    FROM="$1"
    TOWHO="$2"
    INTERFACE="$3"

    $tcpAddAllow $FROM to $TOWHO out xmit $INTERFACE $setup

    allowTcpEst "$FROM" "$TOWHO" "$INTERFACE"
}
###
# allow FROM to open connections to TOWHO arriving on INTERFACE
allowTcpConnectionIn() {
    FROM="$1"
    TOWHO="$2"
    INTERFACE="$3"

    $tcpAddAllow $FROM to $TOWHO in recv $INTERFACE $setup

    allowTcpEst "$FROM" "$TOWHO" "$INTERFACE"
}
##
# flush all the rules
$ipfw_cmd -f flush
#
##
# allow from loop back
#$ipfw_cmd set enable 0
#$ipfw_cmd set enable 1
$ipfw_cmd add allow all from any to any via lo0
$ipfw_cmd add deny all from 127.0.0.1 to 127.0.0.1
$ipfw_cmd add deny all from any to 127.0.0.0/8
$ipfw_cmd add deny ip from 127.0.0.0/8 to any
#
##
# from the dsl modem / router, once again masked, they are fixed IP's here
$ipfw_cmd add allow udp from x.x.x.x y to x.x.255.255 y via $INTERNET_IFACE
#
##
# deny this shit worm and MS crap and SYN in
$ipfw_cmd add deny tcp from any to any in recv $INTERNET_IFACE setup
$ipfw_cmd add deny ip from any to any 0-19,135-139,445,1214,1434 in recv $INTERNET_IFACE
#
##
# need to divert all packets to get them where we want them
$ipfw_cmd add divert natd all from any to any via $INTERNET_IFACE
#
$ipfw_cmd add check-state
#
##
# this is the dc0 interface
###
# tcp
###
# FULL_LAN is quoted so the whole or-block reaches the function as one argument
allowTcpConnectionOut "$FULL_LAN" any $INTERNET_IFACE
#
# for passive ftp (port 20) x-fers eek! does MS need this?
#$ipfw_cmd add allow log tcp from any 20 to any in recv $INTERNET_IFACE
#
###
# this is udp DNS and NTP
###
$ipfw_cmd add allow udp from $FULL_LAN to any 53 out xmit $INTERNET_IFACE keep-state
#
# ntp
$ipfw_cmd add allow udp from $FULL_LAN to any 123 out xmit $INTERNET_IFACE keep-state
#
# this is apple talk shit we dont want
$ipfw_cmd add deny udp from any to any 192
#
# this is our new netgear router port crap we dont want, as well as MS
$ipfw_cmd add deny udp from any to any 137
#
# the rest of UDP that should not have anything in it
$ipfw_cmd add allow log udp from any to any out xmit $INTERNET_IFACE keep-state
#
###
# this is icmp out
###
$ipfw_cmd add allow icmp from $FULL_LAN to any out xmit $INTERNET_IFACE keep-state
#
###
# icmp from router to any
###
# this is masked for internet email
$ipfw_cmd add allow icmp from x.x.0.254 to $FULL_LAN icmptypes 3,4
#
###
# for big joe to access mindspring ?
# and yahoo and some other places that like to ping ??
###
$ipfw_cmd add allow log icmp from any to any in recv $INTERNET_IFACE 

Re: SMP and networking under FreeBSD 5.3

2005-06-16 Thread Alex Zbyslaw

Joe wrote:

Thanks Alex, 


  Below are my rules.  I have removed the IP addresses and
replaced with x.x.x.x in most cases.  Also some ports have been
turned to y's instead of the actual port. 
 

I don't want to go into the details of your firewall; all I can offer is 
general advice for you to apply if you wish.  There are plenty of resources 
out there from the various man pages to the handbook.  Firewalls can be 
trickier than they look and NAT makes them significantly more 
complicated to fathom correctly.  I don't claim to be any kind of expert 
and everything I know started life being written by someone else :-)  
Any mistakes are most likely my own!  I will say that it is worth making 
sure you understand your own firewall. 

At one point you suggested that you wanted to make your firewall script 
start later so that you had access to your IP address.  I think you are 
on to a loser there because there is no particular time when DHCP 
finally gets the IP address.  If your provider is down, it might take 
minutes, hours or even days.  You could keep polling in some way to see 
if you had an IP address and not running your rules script until you 
did, but it would seem better to just write rules which work even 
without the IP address.  Plus, that would also not work if you ever had 
a second external interface (e.g. an old-fashioned modem) which needed 
firewalling irrespective of the status of your ethernet interface.


Although a firewall often needs to know the actual addresses of hosts 
other than itself there is, as far as I can figure out, no logical 
reason for it to need to know its own IP address if you have the "me" 
construct.  (If, like my machine, your firewall is just another computer 
on a small network that is allowed to do exactly the same things as any 
other host on that network, then it needn't even use "me".  This makes 
life much easier because it interferes less with NAT).


If you have "me" then you can always distinguish between your firewall 
and the rest of your network.


Take the non-NAT case first:

allow all from me to any out xmit ext_if
allow all from any to me in recv ext_if

These rules could only be triggered by packets addressed directly to 
your firewall.  If you follow it with e.g.


deny all from any to any out via ext_if
deny all from any to any in via ext_if

then you close off your internal network.

NAT makes things more complicated, because before or after NATing 
(depending on the direction) packets from your network can look like 
they originate on your machine or are destined for it.



E.g.

allow all from me to any out xmit ext_if

must come before the NAT rule because after NAT-ing all your internal 
packets are going out ext_if.


whereas

   allow all from any to me in recv ext_if

must come after the NAT rule to be sure that it is actually your 
firewall which is the recipient.


If all you have is a small network, then there may be no reason to 
differentiate your firewall from any other machine.  In this case, it is 
perfectly sufficient to  write rules based on the ext_if alone.


So I have rules like:

   # Allow connections initiated from internal network
   ipfw add allow tcp from any to any out xmit ext_if setup

   # Allow TCP through if setup succeeded
   ipfw add pass tcp from any to any via ext_if established

The only IP addresses in my whole firewall are the limited number of 
hosts which can initiate some kind of connection into my network


e.g.

   ipfw add allow tcp from x.x.x.x to any ssh setup

(x.x.x.x not because I need to hide the IP but because I can't be 
bothered to find it in the firewall script :-))


NB that rule says 'any' for recipient because it was written before 'me' 
existed.  But since my network is NATed, it would always be a packet 
header for my firewall and could only get elsewhere if I explicitly 
forwarded it.  There's no mention of the interface because a prior rule 
has already allowed internal connections which would match.  Looking at 
it now, I might get picky and put an interface spec in there just to be 
completist.


It's often said that there is no security in obscurity, and while I 
don't always agree, I do think that if you actually have to hide the IPs 
in your firewall for it to be secure, then it isn't secure.  Since my 
firewall never mentions my IP address, I can publish the whole thing and 
even if it has flaws it won't help since you don't know where I am :-)


A bit long-winded, but I hope it helps,

--Alex






___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: SMP and networking under FreeBSD 5.3

2005-06-16 Thread Joe
I'm still learning the firewall thing.  

I didn't understand the 'me' clause until recently.  I'm using
it on my UP box.

My router actually runs off a cdrom.  It's hard to make changes
to it :-).  It's an SMP box.  It wouldn't help telling you my ip
addresses anyway, because my system is internet IP -> nat(dsl
modem) -> nat(lan).  I have no idea what my real ip address is
on the internet.  

In any case, thanks for the advice.  I've been thinking of
redoing these rules for 2 years now.

So how would your rules look if nat were in the picture?  

Thanks, 
Joe  

--- Alex Zbyslaw [EMAIL PROTECTED] wrote:

 Joe wrote:
 
 Thanks Alex, 
 
Below are my rules.  I have removed the IP addresses and
 replaced with x.x.x.x in most cases.  Also some ports have
 been
 turned to y's instead of the actual port. 
   
 
 I don't want to go into the details of your firewall; all I
 can offer is 
 general advice for you to apply if you wish.  There are plenty
 resources 
 out there from the various man pages to the handbook. 
 Firewalls can be 
 trickier than they look and NAT makes them significantly more 
 complicated to fathom correctly.  I don't claim to be any kind
 of expert 
 and everything I know started life being written by someone
 else :-)  
 Any mistakes are most likely my own!  I will say that it is
 worth making 
 sure you understand your own firewall. 
 

Re: SMP and networking under FreeBSD 5.3

2005-06-15 Thread Alex Zbyslaw

Joe wrote:

Hey thanks, 


  it seems that ipfw complains during boot with a message:

hostname ``or'' unknown

  which I have no idea where that is coming from yet, but will
look.  

  Then natd doesn't get started.  


  If I run /etc/rc.d/ipfw start then the router is up and natd
gets started.


  For now, I'll probably just add it to rc at the end.  I think
it has something to do with the order things get run.  


  My firewall script is for a dhcp interface.  Since I don't
know the IP, I use ifconfig dc0 | grep -v inet6 | grep inet |
awk ... to get the IP address for some of the rules.  I'm
wondering if this is failing and causing the message above.

  Is there a 'recommended' way to create a rule for ipfw on a
dhcp interface  using its IP address?  

 

You don't need any of your awk/grep palaver.  Your ipfw rules should 
probably be specifying the interface not ip addresses.  Natd with 
-dynamic will do the right thing when dhcp picks up its actual ip address.


from man natd:

   -dynamic   If the -n or -interface option is used, natd will monitor the
              routing socket for alterations to the interface passed.  If
              the interface's IP address is changed, natd will dynamically
              alter its concept of the alias address.

I have, for example:

/etc/rc.conf:

   ifconfig_sis0="DHCP"   # External network

/etc/rc.firewall script

   ipfw add divert natd all from any to any via sis0

and it all works just fine even though natd starts off saying that it 
sees an IP address of 0.0.0.0


Your error message is very likely down to your ifconfig | stuff 
command which may well run when there is no ip address configured.  
It'll work fine when you run it once the ip address is configured, but 
probably not before when the script actually runs.


Why do you think your firewall rules need to know the IP address?  If 
you do need it then ipfw2 (5.X only?) has 'me'.  From man ipfw:

   me    matches any IP address configured on an interface in the system.
         The address list is evaluated at the time the packet is analyzed.

If you have that after your natd rule, though, it will (I think) just 
match everything so the interface name is good enough.  e.g. from any to 
any via sis0


--Alex
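As an added example (not code from this thread), here is what the two posts from Alex above add up to when written out as a complete ruleset: every rule is keyed on the interface name or on 'me', never on the external address, and the two 'me' rules sit on the correct side of the natd divert so that one matches only router-originated traffic and the other only traffic really addressed to the router. The interface names dc0 and rl0, the LAN prefix 192.168.1.0/24 and ADMIN_HOST are assumptions for the example, not values from the thread; set them for your own box before loading.

```sh
#!/bin/sh
# Added example, not code from the thread: an ipfw ruleset for a small
# NAT'ed router whose external interface gets its address from DHCP.
# No rule mentions the external IP, so the script can run before
# dhclient has a lease.  Interface names, the LAN prefix and ADMIN_HOST
# are assumptions; set them for your box.  natd itself is started from
# rc.conf, e.g.  natd_enable="YES"  natd_interface="dc0"  natd_flags="-dynamic"
#
#   sh ipfw-nat.sh          print the rules (dry run, no root needed)
#   sh ipfw-nat.sh load     flush and load them with ipfw(8) as root

ext_if="${EXT_IF:-dc0}"               # assumed external interface (DHCP)
int_if="${INT_IF:-rl0}"               # assumed internal interface
int_net="${INT_NET:-192.168.1.0/24}"  # assumed LAN prefix behind NAT
admin_host="${ADMIN_HOST:-x.x.x.x}"   # placeholder as in the thread; set it

# Emit one rule: print it in dry-run mode, otherwise hand it to ipfw.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw add %s\n' "$*"
    else
        /sbin/ipfw add "$@"
    fi
}

build_ruleset() {
    # Loopback, then anti-spoofing: nothing claiming a loopback or LAN
    # source address may arrive on the external interface.
    rule allow all from any to any via lo0
    rule deny all from any to 127.0.0.0/8
    rule deny all from 127.0.0.0/8 to any
    rule deny all from "$int_net" to any in recv "$ext_if"

    # Before the divert, on the outbound pass only packets the router
    # itself generated carry 'me' as source, so this matches just those.
    rule allow all from me to any out xmit "$ext_if"

    # Everything crossing ext_if goes through natd.  With -dynamic natd
    # tracks the DHCP address itself, so no address appears here either.
    rule divert natd all from any to any via "$ext_if"

    # After the divert, on the inbound pass a destination of 'me' is the
    # router itself rather than a translated LAN connection; only the
    # admin host may open ssh to it.
    rule allow tcp from "$admin_host" to me 22 in recv "$ext_if" setup

    # Connections initiated from the LAN or the router, and their replies.
    # 'established' only checks TCP flags (ACK or RST), so it trusts the
    # end hosts; ipfw2 keep-state is stronger but its dynamic rules see
    # addresses as they are at the check point, i.e. before or after NAT.
    rule allow tcp from any to any out xmit "$ext_if" setup
    rule allow tcp from any to any via "$ext_if" established
    rule allow udp from any to any out xmit "$ext_if"
    rule allow udp from any to any in recv "$ext_if" src-port 53

    # The LAN side is trusted; log and drop whatever is left.
    rule allow all from any to any via "$int_if"
    rule deny log all from any to any
}

if [ "${1:-}" = load ]; then
    /sbin/ipfw -f flush && build_ruleset
else
    DRY_RUN=1 build_ruleset
fi
```

The dry run is the useful part for review: print the rules, and check that the 'from me ... out xmit' rule precedes the divert and that 'to me ... in recv' follows it, before loading anything on a box you only reach over the network.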


Re: SMP and networking under FreeBSD 5.3

2005-06-15 Thread Joe
Actually it is not my divert rule that I am using the ip
address. In fact my rc.conf has the 'right stuff' for natd, as
the same ipfw rules worked in 5.2 and 5.1.  Same rc.conf stuff
for natd too.

The ifconfig stuff is for other rules like:

ipfw add allow tcp from $EXT_IPADDR to any out xmit dc0 setup
keep-state

I use ifconfig stuff to get EXT_IPADDR for the above rule.  I
suppose I could use 'me' as I usually am referring to both
interfaces.   I'll probably change to use 'me' and see how that
goes. 

I'm not sure why I get the hostname ``or'' unknown message
though.

Joe

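As an added example (not from the thread), this shows what the ifconfig-scraping approach in Joe's rule does on a DHCP interface before it has a lease, and the guard that the post above said one would otherwise need. The two ifconfig outputs are constructed samples for an interface called dc0 (real output differs in detail but carries the same 'inet' line), and the rule text is the one from Joe's message.

```sh
#!/bin/sh
# Added example, not code from the thread.  Constructed ifconfig(8)
# samples for dc0: one with a DHCP lease, one before the lease arrives.

SAMPLE_WITH_LEASE='dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::20c:29ff:fe3a:1b2c%dc0 prefixlen 64 scopeid 0x1
	inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255
	ether 00:0c:29:3a:1b:2c'

SAMPLE_NO_LEASE='dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::20c:29ff:fe3a:1b2c%dc0 prefixlen 64 scopeid 0x1
	ether 00:0c:29:3a:1b:2c'

# Extract the IPv4 address from ifconfig output ($1).  Matching the first
# field skips the inet6 line, so no 'grep -v inet6' is needed.  Prints
# nothing when there is no inet line yet.
ext_ipv4() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# The address-based rule from the thread, built from ifconfig output.
# Without the guard an empty address shifts the tokens: ipfw(8) then
# takes whatever word now follows 'from' as an address, tries to resolve
# it as a hostname, and fails with a ``hostname ... unknown'' message.
address_rule() {
    addr=$(ext_ipv4 "$1")
    if [ -z "$addr" ]; then
        echo "no IPv4 address on dc0 yet; refusing to build the rule" >&2
        return 1
    fi
    printf 'ipfw add allow tcp from %s to any out xmit dc0 setup keep-state\n' "$addr"
}

# The 'me' form needs no address at all, so it has no such failure mode:
# ipfw evaluates 'me' per packet against the addresses configured then.
interface_rule() {
    printf 'ipfw add allow tcp from me to any out xmit dc0 setup keep-state\n'
}

address_rule "$SAMPLE_WITH_LEASE"
address_rule "$SAMPLE_NO_LEASE" || true
interface_rule
```

On a real box replace the samples with `ifconfig dc0` output; the guard only postpones the problem (the script still cannot run until the lease exists), which is why the interface-based form is the better fix.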


Re: SMP and networking under FreeBSD 5.3

2005-06-15 Thread Kris Kennaway
On Tue, Jun 14, 2005 at 09:15:01AM -0700, Joe wrote:
 Hello, 
 
 Not sure if this is the place to ask this.  But this is a
 freebsd question.
 
 I've been running FreeBSD since about 4.6.  I have 2
 machines running FreeBSD.  One is used as a router, its an SMP
 machine, and the other is used to build the source code.  
 
 I'm having a problem with the SMP machine.  When the machine
 boots, dmesg shows two messages, that the UP does not show.
 
 WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
 WARNING: MPSAFE network stack disabled, expect reduced
 performance.
 
In v52a I did not get these messages.  After doing some
 research, I understand that this has to do with the kernel
 locking.  
 
It seems that now my networking is not working on the SMP
 machine.  I know others have asked about this, and saw the
 release notes, about setting debug.mpsafenet=0, but my
 networking is still not working right.  

This does not indicate a bug.  Rather, the situation is *exactly the
same as it was in every previous version of FreeBSD* -- there was just
no point in mentioning the condition specifically because it applied
to every system.  If you remove IPSEC from your kernel (e.g. use
FAST_IPSEC instead), you will be able to benefit from improved SMP
performance relative to previous versions (actually, you should
upgrade to 5.4 which has much better performance than 5.3).

Also /dev/kmem and /dev/mem are missing so netstat -ar does
 not work either.  

You probably omitted them from your kernel.

Kris





SMP and networking under FreeBSD 5.3

2005-06-14 Thread Joe
Hello, 

Not sure if this is the place to ask this.  But this is a
freebsd question.

I've been running FreeBSD since about 4.6.  I have 2
machines running FreeBSD.  One is used as a router, it's an SMP
machine, and the other is used to build the source code.  

I'm having a problem with the SMP machine.  When the machine
boots, dmesg shows two messages, that the UP does not show.

WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced
performance.

   In v52a I did not get these messages.  After doing some
research, I understand that this has to do with the kernel
locking.  

   It seems that now my networking is not working on the SMP
machine.  I know others have asked about this, and saw the
release notes, about setting debug.mpsafenet=0, but my
networking is still not working right.  

   Also /dev/kmem and /dev/mem are missing so netstat -ar does
not work either.  

   Where do I start to find a solution to this?

Thanks, Joe




 


















Re: SMP and networking under FreeBSD 5.3

2005-06-14 Thread Dmitry Mityugov
On 6/14/05, Joe [EMAIL PROTECTED] wrote:
 Hello,
 
 Not sure if this is the place to ask this.  But this is a
 freebsd question.
 
 I've been running FreeBSD since about 4.6.  I have 2
 machines running FreeBSD.  One is used as a router, its an SMP
 machine, and the other is used to build the source code.
 
 I'm having a problem with the SMP machine.  When the machine
 boots, dmesg shows two messages, that the UP does not show.
 
 WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
 WARNING: MPSAFE network stack disabled, expect reduced
 performance.
 
In v52a I did not get these messages.  After doing some
 research, I understand that this has to do with the kernel
 locking.
 
It seems that now my networking is not working on the SMP
 machine.  I know others have asked about this, and saw the
 release notes, about setting debug.mpsafenet=0, but my
 networking is still not working right.
 
Also /dev/kmem and /dev/mem are missing so netstat -ar does
 not work either.
 
Where do I start to find a solution to this?

Does FreeBSD 5.4 exhibit the same behavior?

-- 
Dmitry

We live less by imagination than despite it - Rockwell Kent, N by E


Re: SMP and networking under FreeBSD 5.3

2005-06-14 Thread Joe
I haven't tried 5.4 yet.  To build a 5.4 could take a couple of
days on these old machines.  

Joe



Re: SMP and networking under FreeBSD 5.3

2005-06-14 Thread Joe
Okay, I've figured it out.  

natd is not starting via rc.conf, or if it is, it dies.  I can
start it manually, and it works okay.

Also it seems that for some reason some of my ipfw rules don't
get set, so I have to rerun ipfw also to make things work.  

I'll just hack the rc scripts to get this machine up.

Joe



Re: SMP and networking under FreeBSD 5.3

2005-06-14 Thread Jarrod Martin

rc_debug="YES" in rc.conf, then run 'dmesg -a | grep natd' and see if 
anything pops up.  This should tell you everything that's going on with 
natd at boot.



Re: SMP and networking under FreeBSD 5.3

2005-06-14 Thread Joe
Hey thanks, 

   it seems that ipfw complains during boot with a message:

hostname ``or'' unknown

   which I have no idea where that is coming from yet, but will
look.  

   Then natd doesn't get started.  

   If I run /etc/rc.d/ipfw start then the router is up and natd
gets started.

   For now, I'll probably just add it to rc at the end.  I think
it has something to do with the order things get run.  

   My firewall script is for a dhcp interface.  Since I don't
know the IP, I use ifconfig dc0 | grep -v inet6 | grep inet |
awk ... to get the IP address for some of the rules.  I'm
wondering if this is failing and causing the message above.

   Is there a 'recommended' way to create a rule for ipfw on a
dhcp interface  using its IP address?  

Joe





Wireless Networking in FreeBSD 5.2.1

2004-07-03 Thread Eric Crist
Hey all,

I'm trying to get wifi working in freebsd 5.2.1.  This card WAS working
in 4.9 and 4.10, but I get an error similar to:

Error: busy bit won't clean on wi0

Or something to that effect.  If I boot the system without the card, I
can see it and make lights blink, but it never associates to any
networks (I have one).  If I pull the card out, I get the above listed
error.  Is there something I'm missing in 5.x?

Thanks.

P.S. I have a linksys WPC11 ver 3 card.

Eric.

Found on Conan O'Brian:
Children's books written by celebrities;
   By Mel Gibson: Jesus Christ and the Terrible, Horrible, No Good, Very
Bad Day.

-
Keep your powder dry and your pecker hard and the world WILL turn.

-
Eric F Crist




Re: Newbie Issues (networking w/ FreeBSD)

2004-06-15 Thread Kevin Stevens
On Jun 14, 2004, at 05:08, Jon Adams wrote:
 My network connectivity is ridiculously slow...  I had OpenSSH 
timeout set to
the default, 120 secs, and the messages file said the connections (on 
the same
100MBPs hub mind you) were timing out before authentication 
(password).  I went
in and doubled the timeout, and after a long wait (I didnt check the 
time) I
could get a password prompt...  at first I thought this was just a SSH 
problem,
but it is the same if I use telnet (or any other network service).  I 
have
several devices on my Lan including 2 (eww) Windows XP laptops, and a 
PS2 and a
XP workstation.  I have 3 public IPs, (Speakeasy is the ISP) The 
laptops use a
LinkSys 54G Wireless Hub and one public IP (its plugged into a NetGear 
4 port
hub), I split another IP with the Desktop and PS2, and the FreeBSD box 
will
have its own IP, of course the final port is the uplink.  There are 
absolutly
no connectivity problems with the other machines.  The FreeBSD box 
cannot
connect to the dns servers (on three different networks) or much of 
anything
else.

Here is the really weird part, when I run an NMAP scan from inside the 
network
and one from outside the network, the box is reachable (NMAP can see 
the ports
and determine the OS), but nothing can connect to it (all connections 
time out).

If you can ping devices by ip address, you have basic connectivity.  
Start with the local interface itself, then devices on the same 
physical network, then devices on other subnets of the local LAN.  Any 
of these local devices should respond in single-digit milliseconds, 
with perhaps a drop of the first ping packet.  If you get 'no route to 
host' messages, or other total failure messages, check for 
correct/consistent subnet masking on all devices involved, or potential 
firewall blocking (if appropriate to configuration).  If you get poor 
response (high dropped packet percentage, excessive delays), check for 
port speed/duplex matching problems or bad cabling.

Assuming basic connectivity, many application timeout issues in Unix 
systems result from either forward or reverse name resolution failure.  
It can be frustrating to resolve, generally hard-coding the host and 
FQDN entries in the local hosts file and with the hostname utility is a 
good debugging step.

KeS


Re: Newbie Issues (networking w/ FreeBSD).. Solved

2004-06-15 Thread Jon Adams
Thanks for the response,
turns out Speakeasy (ISP) had... ahem.. reprovisioned my IP Address when I 
made some changes to my service.. figured this out by putting rl0 on another IP 
with the same settings.. it's all fixed now.. and the IPFW issue is resolved 
(thanks to the person who posted the kld) (doh)... 

Still haven't figured out how I was able to NMAP it from outside my net...  

oh well.. it works now..

Thanks
-- Jon




Newbie Issues (networking w/ FreeBSD)

2004-06-14 Thread Jon Adams
Hi all,

  First a qualifier:  I am a FreeBSD noob, I have had exposure to it for about 
two years, but I just built my first FreeBSD box last night... fresh install 
over an old (and extremely tweaked) Red Hat Linux box.  After much 
procrastination, I have finally made the change (been stuck on linux since 98).

The (main) problem -

 My network connectivity is ridiculously slow...  I had OpenSSH timeout set to 
the default, 120 secs, and the messages file said the connections (on the same 
100MBPs hub mind you) were timing out before authentication (password).  I went 
in and doubled the timeout, and after a long wait (I didn't check the time) I 
could get a password prompt...  at first I thought this was just a SSH problem, 
but it is the same if I use telnet (or any other network service).  I have 
several devices on my Lan including 2 (eww) Windows XP laptops, and a PS2 and a 
XP workstation.  I have 3 public IPs, (Speakeasy is the ISP) The laptops use a 
LinkSys 54G Wireless Hub and one public IP (it's plugged into a NetGear 4 port 
hub), I split another IP with the Desktop and PS2, and the FreeBSD box will 
have its own IP, of course the final port is the uplink.  There are absolutely 
no connectivity problems with the other machines.  The FreeBSD box cannot 
connect to the dns servers (on three different networks) or much of anything 
else.

Here is the really weird part, when I run an NMAP scan from inside the network 
and one from outside the network, the box is reachable (NMAP can see the ports 
and determine the OS), but nothing can connect to it (all connections time out).


Any suggestions would help:

about the box

FreeBSD version 5.1 Release
CPU Celeron 733, 384 (3x128) MB Ram
30GB WD HD, 768 MB Swap, the rest in various partitions
12x4x40 CD Burner
48x CD Drive
SiS 6326 Video
RTL8139 chip network card (rl0) using static IP (I know I read about issues 
using this card and DHCP... but I am not using DHCP)


I don't know if this is a side effect of the networking problem, but my Xwindows 
is incredibly slow as well.  This is with both KDE and Gnome.  I haven't seen 
any other weirdness whatsoever in the system logs.

Off the topic: if anybody could point me at how to build ipfw I would
appreciate it.  I have seen the basic tutorials via Google, but have no idea
where to get the kernel sources to do the install.

-- 
Jonathan Keirre Adams
PhD Candidate, Computer Information Systems
Graduate School of Computer and Information Sciences
Nova Southeastern University
Web: http://www.scis.nova.edu/~jonaadam

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw (was Re: Newbie Issues (networking w/ FreeBSD))

2004-06-14 Thread Geert Hendrickx
 off the topic, if anybody could point me at how to build ipfw I would 
 appreciate it, i have seen the basic tutorials via google, but have no idea 
 where to get the kernel sources to do the install.

You don't need any additional stuff, it all comes with FreeBSD.  Either you
load the kernel module with kldload ipfw or you compile the code into your
kernel by adding options IPFIREWALL to your kernel configuration.  Be warned
though that IPFW defaults to deny any connection, so either begin with an
open type of firewall or load a ruleset, otherwise you'll be cut off from the
network.

It's all in the Handbook (as always), see
http://www.freebsd.org/doc/en/books/handbook/firewalls.html, or
/usr/share/doc/en/books/handbook/firewalls.html.

GH
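One check worth running before acting on the warning above, written here as an added example and not taken from the thread: a small POSIX sh/awk function that reads a ruleset in the format printed by ipfw list and reports whether SSH would still get in ahead of ipfw's implicit final deny rule. The rulesets it runs over are constructed samples; the first one mirrors the shape of the rules that firewall_type="open" in /etc/rc.conf produces.

```shell
#!/bin/sh
# Added example (not from the list thread): decide whether a ruleset is
# safe to load on a box you only reach over SSH. ipfw's implicit last
# rule is "65535 deny ip from any to any"; anything you want in must be
# allowed by an earlier rule. Input is text in "ipfw list" format.

# ipfw_keeps_ssh RULESET
# Returns 0 if, before the first "deny ip from any to any", the ruleset
# either allows all traffic or allows TCP to port 22 (ssh); else 1.
ipfw_keeps_ssh() {
    printf '%s\n' "$1" | awk '
        / deny ip from any to any$/ { done = 1 }
        !done && / allow ip from any to any$/ { ok = 1 }
        !done && / allow tcp from any to (any|me) (dst-port )?(22|ssh)( |$)/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Shape of the rules produced by firewall_type="open" (constructed sample).
OPEN_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# A stricter ruleset that still lets the admin in (constructed sample).
SSH_ONLY_RULES='00100 allow ip from any to any via lo0
00200 allow tcp from any to me dst-port 22 in setup keep-state
00300 allow ip from me to any keep-state
65535 deny ip from any to any'

# Nothing loaded at all: only the implicit default rule, which is exactly
# the lockout the reply above warns about.
CLOSED_RULES='65535 deny ip from any to any'

main() {
    for name in OPEN_RULES SSH_ONLY_RULES CLOSED_RULES; do
        eval "rules=\$$name"
        if ipfw_keeps_ssh "$rules"; then
            echo "$name: safe to load over SSH"
        else
            echo "$name: would cut off SSH, load it from the console instead"
        fi
    done
}

main "$@"
```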


Re: Newbie Issues (networking w/ FreeBSD)

2004-06-14 Thread K. Greenwood

--- Jon Adams [EMAIL PROTECTED] wrote:
snipped stuff

 The (main) problem -
 
  My network connectivity is ridiculously slow...  I had the OpenSSH timeout set to
 the default, 120 secs, and the messages file said the connections (on the same
 100 Mbps hub, mind you) were timing out before authentication (password).  I went
 in and doubled the timeout, and after a long wait (I didn't check the time) I
 could get a password prompt...  At first I thought this was just an SSH problem,
 but it is the same if I use telnet (or any other network service).  I have
 several devices on my LAN including 2 (eww) Windows XP laptops, a PS2 and an
 XP workstation.  I have 3 public IPs (Speakeasy is the ISP).  The laptops use a
 LinkSys 54G wireless hub and one public IP (it's plugged into a NetGear 4-port
 hub), I split another IP with the desktop and PS2, and the FreeBSD box will
 have its own IP; of course the final port is the uplink.  There are absolutely
 no connectivity problems with the other machines.  The FreeBSD box cannot
 connect to the DNS servers (on three different networks) or much of anything
 else.

Considering the only response you have received thus
far has been regarding IPFW, I may as well give a
ham-handed attempt.

My first guess is /etc/rc.conf.  Is there a
defaultrouter=x.x.x.x line?  If you do an ifconfig
-a are you getting an IP actually assigned?

Perhaps your resolv.conf is not right?  Should be
similar to:

domain nosuchdomainhere.net
nameserver 1.2.3.4

where there are two entries for nameserver that jive
with the ISP assigned DNS servers.

Considering that you are manually setting your rl0,
(not using DHCP), perhaps these are missing?  

Have you tried using rl0=DHCP?  Perhaps the chance
of finding a problem is less of a pain than if your
ISP changes something on you.  Good luck.


snipped... I can think of one thing at a time






Networking w/ FreeBSD

2004-06-01 Thread bhunter
Hi everyone..

I have two computer systems in my network. The first system is a headless
FreeBSD 5.2.1 system. This system stores my MP3s and data files and runs MySQL and
Apache. I recently got rid of Windows on my laptop and installed FreeBSD
5.2.1. When I had Windows on the laptop, I was able to map a network drive to
the headless system via Samba running on the server.

My question is this: How would I set something up to perform the same
functionality, as when I had windows? I'm just not sure what needs to be
installed on either system? Any ideas or comments would be great!

Thanks,
Bruce




Re: Networking w/ FreeBSD

2004-06-01 Thread Charles Swiger
On Jun 1, 2004, at 2:07 PM, [EMAIL PROTECTED] wrote:

 My question is this: How would I set something up to perform the same
 functionality, as when I had windows? I'm just not sure what needs to be
 installed on either system? Any ideas or comments would be great!

FreeBSD supports mounting Samba/CIFS shares.  See man mount_smbfs.
--
-Chuck


Re: Networking w/ FreeBSD

2004-06-01 Thread Kevin Stevens
On Tue, 1 Jun 2004 [EMAIL PROTECTED] wrote:

 I have two computer systems in my network. The first system is a headless
 FreeBSD 5.2.1 system. This system stores my MP3s and data files and runs MySQL and
 Apache. I recently got rid of Windows on my laptop and installed FreeBSD
 5.2.1. When I had Windows on the laptop, I was able to map a network drive to
 the headless system via Samba running on the server.

 My question is this: How would I set something up to perform the same
 functionality, as when I had windows? I'm just not sure what needs to be
 installed on either system? Any ideas or comments would be great!

You can run the Samba client software on the laptop, or change the file
sharing on the server to NFS.  Or, of course, you could change both to
some third sharing solution.  Which depends on your assessment of the
pros/cons of each: performance, interoperability (do you potentially have
other machines that need to reach those resources?), security, etc.

For the short term, running smbclient on the laptop is probably the
quickest way to get your connectivity back with the fewest config changes,
if that helps.

KeS


Re: Networking w/ FreeBSD

2004-06-01 Thread Simon Barner
[EMAIL PROTECTED] wrote:
 I have two computer systems in my network. The first system is a headless
 FreeBSD 5.2.1 system. This system stores my MP3s and data files and runs MySQL and
 Apache. I recently got rid of Windows on my laptop and installed FreeBSD
 5.2.1. When I had Windows on the laptop, I was able to map a network drive to
 the headless system via Samba running on the server.
 
 My question is this: How would I set something up to perform the same
 functionality, as when I had windows? I'm just not sure what needs to be
 installed on either system? Any ideas or comments would be great!

NFS (network file system).

There is a chapter in the handbook with detailed setup instructions.

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html

Simon



Re: Networking w/ FreeBSD

2004-06-01 Thread Thomas Farrell
I just add an entry in /etc/fstab like this:

/sbin/mount_smbfs   //[EMAIL PROTECTED]/interchk   /mnt/interchk

I use this command to mount my Sophos EM Library share running on XP to my
BSD 5.0 machine and then symbolically link /mnt/interchk to the root of the
webserver for remote update via HTTP.



Re: Recommendations for wireless networking and FreeBSD

2003-11-06 Thread David Lodeiro
Hey,

I've been using a 54g card on 5.1-Current for a while now, quite successfully.
The card I am using is a D-Link with an Atheros chip; this chip is only
supported in Current at this stage.

If you are running 5.1-Current you can

# man ath

and it gives a list of cards that use that driver.


 I've just moved into an apartment in which drilling and running wires is
 taboo.  Has anyone delved successfully into the realms of wireless
 networking their FreeBSD groups?  My main server is running 4.8-STABLE, and
 I have a client machine running 5.1-RELEASE (which has been suspect to a
 lack of driver support for its onboard NIC in FBSD anyway), but I am not
 married to any of these releases and would up/downgrade if a solution was
 available. I'd also prefer a Wireless-G access point and adapter solution
 if possible, as opposed to the much slower B solutions available. Thanks
 ~John
If you wanted 802.11g you would more than likely have to upgrade to 5.1-Current.
Hope this helps

David Lodeiro



Recommendations for wireless networking and FreeBSD

2003-11-03 Thread John DeStefano
I've just moved into an apartment in which drilling and running wires is taboo.  Has 
anyone delved successfully into the realms of wireless networking their FreeBSD 
groups?  My main server is running 4.8-STABLE, and I have a client machine running 
5.1-RELEASE (which has been suspect to a lack of driver support for its onboard NIC in 
FBSD anyway), but I am not married to any of these releases and would up/downgrade if 
a solution was available.
I'd also prefer a Wireless-G access point and adapter solution if possible, as opposed 
to the much slower B solutions available.
Thanks
~John



Re: Recommendations for wireless networking and FreeBSD

2003-11-03 Thread Toni Schmidbauer
On Mon, Nov 03, 2003 at 10:14:19AM -0800, John DeStefano wrote:
 I've just moved into an apartment in which drilling and running wires is taboo.  Has 
 anyone delved successfully into the realms of wireless networking their FreeBSD 
 groups?  My main server is running 4.8-STABLE, and I have a client machine running 
 5.1-RELEASE (which has been suspect to a lack of driver support for its onboard NIC 
 in FBSD anyway), but I am not married to any of these releases and would 
 up/downgrade if a solution was available.
 I'd also prefer a Wireless-G access point and adapter solution if possible, as 
 opposed to the much slower B solutions available.

man 4 wi.  There you can find a list of supported cards.

hth,
toni
-- 
If you cannot understand something, better not to judge at all   | toni at stderror dot at
than to condemn.                                                 | Toni Schmidbauer
-- Rudolf Steiner                                                |




Re: Recommendations for wireless networking and FreeBSD

2003-11-03 Thread paul beard
Toni Schmidbauer wrote:
On Mon, Nov 03, 2003 at 10:14:19AM -0800, John DeStefano wrote:


I've just moved into an apartment in which drilling and
running wires is taboo.  Has anyone delved successfully into
the realms of wireless networking their FreeBSD groups?  My
main server is running 4.8-STABLE, and I have a client
machine running 5.1-RELEASE (which has been suspect to a lack
of driver support for its onboard NIC in FBSD anyway), but I
am not married to any of these releases and would
up/downgrade if a solution was available. I'd also prefer a
Wireless-G access point and adapter solution if possible, as
opposed to the much slower B solutions available.


man 4 wi.  There you can find a list of supported cards.

man 4 an has the straight dope on the Aironet driver: I have been
using it for a while with FreeBSD 4.4 - 4.8.

--
Paul Beard
http://paulbeard.no-ip.org/movabletype/
whois -h whois.networksolutions.com ha=pb202
A formal parsing algorithm should not always be used.
-- D. Gries