Re: qemu with tap networking on FreeBSD 6.1
mal content [EMAIL PROTECTED] wrote: On 28/07/06, Fabian Keil [EMAIL PROTECTED] wrote: Personally I prefer to use NAT to connect qemu (and jails) with the world outside. This way you can use pfctl -ss -r to see which connections come from the host system and which don't. How does this work? In my PF default configuration there are anchor and nat-anchor lines for every device from tap0 to tap9. My qemu configuration script is: |#!/bin/sh -x |tap_if=$1 |ext_if=iwi0 |number=`expr \`echo $tap_if | cut -c 4\` + 7` | |sudo ifconfig $tap_if 192.168.$number.49 |echo nat pass on $ext_if from $tap_if:network to any - $ext_if | sudo pfctl -N -a $tap_if -f - |echo pass quick on $tap_if flags S/SA keep state | sudo pfctl -a $tap_if -R -f - I start qemu with: sudo dd if=/dev/null of=/dev/tap0 sudo chown fk /dev/tap0 qemu -m 32 -net nic -net tap,script=/home/fk/scripts/qemu-config -hda ~/test/netbsd.img If I have to use other tap device I have to change the network settings in the guest system, but usually I only need one qemu process. if_tap is loaded on boot and net.link.tap.user_open is enabled in /etc/sysctl.conf. Fabian -- http://www.fabiankeil.de/ signature.asc Description: PGP signature
Re: qemu with tap networking on FreeBSD 6.1
On 29/07/06, Fabian Keil [EMAIL PROTECTED] wrote: mal content [EMAIL PROTECTED] wrote: On 28/07/06, Fabian Keil [EMAIL PROTECTED] wrote: Personally I prefer to use NAT to connect qemu (and jails) with the world outside. This way you can use pfctl -ss -r to see which connections come from the host system and which don't. How does this work? In my PF default configuration there are anchor and nat-anchor lines for every device from tap0 to tap9. My qemu configuration script is: |#!/bin/sh -x |tap_if=$1 |ext_if=iwi0 |number=`expr \`echo $tap_if | cut -c 4\` + 7` | |sudo ifconfig $tap_if 192.168.$number.49 |echo nat pass on $ext_if from $tap_if:network to any - $ext_if | sudo pfctl -N -a $tap_if -f - |echo pass quick on $tap_if flags S/SA keep state | sudo pfctl -a $tap_if -R -f - I start qemu with: sudo dd if=/dev/null of=/dev/tap0 sudo chown fk /dev/tap0 qemu -m 32 -net nic -net tap,script=/home/fk/scripts/qemu-config -hda ~/test/netbsd.img If I have to use other tap device I have to change the network settings in the guest system, but usually I only need one qemu process. if_tap is loaded on boot and net.link.tap.user_open is enabled in /etc/sysctl.conf. Very interesting, I wouldn't have thought of doing it like that. I'll try it. thanks! MC ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: qemu with tap networking on FreeBSD 6.1
mal content [EMAIL PROTECTED] wrote: Followed instructions from various places and ended up with the following procedure: # kldload bridge.ko # sysctl net.link.ether.bridge_cfg=fxp0,tap0 # sysctl net.link.ether.bridge.enable=1 I don't think it's part of your problem, but on FreeBSD 6.1 it is recommended to use if_bridge instead of bridge. I created 'if-up' for qemu: #!/bin/sh ifconfig ${1} 0.0.0.0 I have a working OpenBSD image, 3.9. I started it up, set an IP address and default route, etc. Everything appears to be fine there. The network was working? I reboot the qemu image and just before the login prompt, qemu goes insane. For some reason, it blasts UDP packets: (on the host) # netstat -an snip udp4 0 0 *.62756 *.* udp4 0 0 *.62324 *.* udp4 0 0 *.62127 *.* udp4 0 0 *.62741 *.* udp4 0 0 *.59182 *.* udp4 0 0 *.63792 *.* /snip How do you know that these connections came from qemu? Personally I prefer to use NAT to connect qemu (and jails) with the world outside. This way you can use pfctl -ss -r to see which connections come from the host system and which don't. Fabian -- http://www.fabiankeil.de/ signature.asc Description: PGP signature
Re: qemu with tap networking on FreeBSD 6.1
On 28/07/06, Fabian Keil [EMAIL PROTECTED] wrote: mal content [EMAIL PROTECTED] wrote: Followed instructions from various places and ended up with the following procedure: # kldload bridge.ko # sysctl net.link.ether.bridge_cfg=fxp0,tap0 # sysctl net.link.ether.bridge.enable=1 I don't think it's part of your problem, but on FreeBSD 6.1 it is recommended to use if_bridge instead of bridge. Ok, I'll try it anyway to be on the safe side. I created 'if-up' for qemu: #!/bin/sh ifconfig ${1} 0.0.0.0 I have a working OpenBSD image, 3.9. I started it up, set an IP address and default route, etc. Everything appears to be fine there. The network was working? I meant that as far as OpenBSD was concerned (had it been on a physical machine) the network would have been correctly configured. I reboot the qemu image and just before the login prompt, qemu goes insane. For some reason, it blasts UDP packets: (on the host) # netstat -an snip udp4 0 0 *.62756 *.* udp4 0 0 *.62324 *.* udp4 0 0 *.62127 *.* udp4 0 0 *.62741 *.* udp4 0 0 *.59182 *.* udp4 0 0 *.63792 *.* /snip How do you know that these connections came from qemu? Because as soon as I ctrl-C the qemu process, all of them stop instantly. They may not be coming FROM the qemu process, but may be being generated as a side effect of what the host is trying to do for the hosted image. Personally I prefer to use NAT to connect qemu (and jails) with the world outside. This way you can use pfctl -ss -r to see which connections come from the host system and which don't. How does this work? I really don't care how I get networking for qemu, as long as it works. I only picked tap because that seemed to be the most common choice. cheers, MC ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
qemu with tap networking on FreeBSD 6.1
Hi. I've been having serious trouble with this. I posted a message in the qemu forum, but with only 30-something threads in the BSD section, I don't think it's really a good place to get a decent answer about BSD. A copy of the post follows: Followed instructions from various places and ended up with the following procedure: # kldload bridge.ko # sysctl net.link.ether.bridge_cfg=fxp0,tap0 # sysctl net.link.ether.bridge.enable=1 I created 'if-up' for qemu: #!/bin/sh ifconfig ${1} 0.0.0.0 I have a working OpenBSD image, 3.9. I started it up, set an IP address and default route, etc. Everything appears to be fine there. I reboot the qemu image and just before the login prompt, qemu goes insane. For some reason, it blasts UDP packets: (on the host) # netstat -an snip udp4 0 0 *.62756 *.* udp4 0 0 *.62324 *.* udp4 0 0 *.62127 *.* udp4 0 0 *.62741 *.* udp4 0 0 *.59182 *.* udp4 0 0 *.63792 *.* /snip (this goes on for several screens). During this time, my ethernet switch is understandably going mad and the qemu process has slowed to an unusable crawl. The host doesn't seem particularly affected. My prime suspicion is that those UDP packets are DNS queries. It also sends ICMP packets, that I captured with ethereal (most of them are along the lines of 'host not reachable). Did I do something to cause offense to some electronic deity somewhere? Anybody here seen anything like this? Qemu without networking is next to useless. MC ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
You can use ipf or ipfw as firewall to create a set of rules, allowind and denying access to different resources from/to different network. Also you can use ipnat to make NAT translation if needed. Personally I'd advice you to use ipf as packet filter, ipfw as traffic shaper and ipnat for NAT. Hope this will help you, there are tons of topics and howto's about using ipf, ipfw and ipnat :) Ivailo Tanusheff Senior System administrator ProCredit Bank (Bulgaria) AD tel. +359 2 921 7161 fax +359 2 921 7110 http://www.procreditbank.bg Disclaimer: The information contained in this message is intended solely for the use of individual or entity to whom it is addressed and other authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this message is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. ProCredit Bank is neither liable for the proper and complete transmission of the information contained in this message nor for any delay in its receipt. Stephan Weaver [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/02/2005 07:26 PM To freebsd-questions@freebsd.org cc Subject Networking with FreeBSD Hello Everyone. We are going to be connecting our Stores to our Main Head Office Via Fiber. We want to separate our Internal Lan from the store computers. So we have decided to separate them by networks [ip addressing] because of security. Head Office I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head Office. 10.10.10.1 - Pixel Replication Server 192.168.1.1 - Web Based Server [Delivery Server] 192.168.100.1 - File Server Including Internet Users. 192.168.0.1-254 [ Lan ]. The store computers that need to access specific servers, are only on that network. For example. Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105] Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105 Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105. Now the Risk involved with this is we have no Real Security, For Example. A Malicious user can easily change his ip address to 192.168.0.105 For Example and Get on our Head Office Internal Network. Which We don't Want. So i would like to Setup, Install And Configure a FreeBSD Based Firewall, that will have 4 Network Cards, and will be placed between Our Head Office Switch, and out Fibre Switch [Wan]. But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? I would appreciate Advice / Suggestions / Anything That will give me a better clue on how to secure my network. Yours Sincerely, Stephan Weaver _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
From: Nikolas Britton [EMAIL PROTECTED] Reply-To: Nikolas Britton [EMAIL PROTECTED] To: Stephan Weaver [EMAIL PROTECTED] CC: [EMAIL PROTECTED], freebsd-questions@freebsd.org Subject: Re: Networking with FreeBSD Date: Tue, 2 Aug 2005 18:26:15 -0500 On 8/2/05, Stephan Weaver [EMAIL PROTECTED] wrote: From: Chuck Swiger [EMAIL PROTECTED] To: Stephan Weaver [EMAIL PROTECTED] CC: freebsd-questions@freebsd.org Subject: Re: Networking with FreeBSD Date: Tue, 02 Aug 2005 14:26:07 -0400 Stephan Weaver wrote: [ ... ] Thank You So Very Much for your quick response. You're welcome. I am familar with firewalling, but i never done something like this. Mabee you can give me an actual Example from my reference. Using my networks ect. Sure, if I had lots of free time and nothing else to do, I could probably write up a security policy, firewall rules, along with pretty network topology diagrams and so forth. But I was up 'til 2AM doing pretty much just that for a client yesterday (*), and I'd rather not spend that much effort again today without a good cause, or at least more beer. :-) There is an expectation on the freebsd lists that you spend your own time to learn about the tasks you want to accomplish before asking other people to repeat what the documentation says for your own specific use case. (Read the docs. Try stuff out. Ask questions which show what you've done and what the specific error message or problem you have is.) What i want to do is seperate the network's on the same wire. Hmm. Why do you want to put separate subnets on the same wire? (What does that mean to you, anyway? Using the same external ISP connection? All boxes all on the same ethernet hub? Something else? Consider IPsec. :-) -- -Chuck (*): Client is in Denmark. They wanted stuff urgently by this morning their time, after getting me something to respond to yesterday at 4PM my time. Bleh, this global outsourcing thing really is overrated What i want to do in a nutshell, Connect all stores together via fibre, and protect my HeadOffice Lan, which will now be connected to all the stores. And Have some sort of security. What fibre? how far are the stores? fibre networking gear? you have fibre going all the way to your stores from HQ? Also, why do you have pixel, httpd, and samba servers on different LANs? Internet | | |WANs 1-4, 192.168.2/24, 192.168.3/24, 192.168.4/24, 192.168.5/24 Firewall -- DMZ 192.168.1/24 - Pixel, httpd, samba | | HQ LAN 192.168.0/24 OR: Internet | | |-WAN, 192.168.2/24 Firewall --- DMZ, 192.168.1/24 - Pixel, httpd | |--- Samba | HQ LAN 192.168.0/24 OR: Internet | | |---WAN(s) Firewall | | HQ LAN Etc. We need more info to help you. Thank you for your concern and quick response everyone. Now i will use your example as mentioned above. I have one quick question though. These WAN's will be on seperate networks because of the /24. correct? So if Wan1 [192.168.2/24] Wants to Connect to our Pixel Server[192.168.1/24] for example He would not be able to communicate because of the /24? Is this correct? If so, how do allow them to communicate? Yours Sincerely Stephan Weaver _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
On 8/3/05, Stephan Weaver [EMAIL PROTECTED] wrote: From: Nikolas Britton [EMAIL PROTECTED] Internet | | |WANs 1-4, 192.168.2/24, 192.168.3/24, 192.168.4/24, 192.168.5/24 Firewall -- DMZ 192.168.1/24 - Pixel, httpd, samba | | HQ LAN 192.168.0/24 OR: Internet | | |-WAN, 192.168.2/24 Firewall --- DMZ, 192.168.1/24 - Pixel, httpd | |--- Samba | HQ LAN 192.168.0/24 OR: Internet | | |---WAN(s) Firewall | | HQ LAN Etc. We need more info to help you. Thank you for your concern and quick response everyone. Now i will use your example as mentioned above. I have one quick question though. These WAN's will be on seperate networks because of the /24. correct? Yes, 24 = class C = netmask of 255.255.255.0 http://public.pacbell.net/dedicated/cidr.html So if Wan1 [192.168.2/24] Wants to Connect to our Pixel Server[192.168.1/24] for example He would not be able to communicate because of the /24? Is this correct? Yes because they are on different networks. you will need a router for them to communicate. If so, how do allow them to communicate? firewall = firewall, router, gateway, bridge, etc. with FreeBSD and the right software it will do all of that transparently. Setup a test lab of some sorts, start with this layout and work your way up until you understand what it's doing: Internet | | |---WAN(s) 192.168.1/24 Firewall | | HQ LAN 192.168.0/24 You will need 3 PCs; one for the LAN, one on the WAN1 side and one for the firewall. For the firewall you will be using m0n0wall, 48MB ram (minimum) and 3 network cards. http://en.wikipedia.org/wiki/M0n0wall http://m0n0.ch/wall/download.php?file=generic-pc-1.2b9.img http://m0n0.ch/wall/installation_generic.php http://m0n0.ch/wall/quickstart/ http://www.tomsnetworking.com/Reviews-161-ProdID-MONOWALL.php http://www.tomsnetworking.com/Reviews-161-ProdID-MONOWALL.php If you need any help setting it up etc. just ask me, I started using it sometime late in 2003 so I probably have more experience using the software then most people you'll run across ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Networking with FreeBSD
Hello Everyone. We are going to be connecting our Stores to our Main Head Office Via Fiber. We want to separate our Internal Lan from the store computers. So we have decided to separate them by networks [ip addressing] because of security. Head Office I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head Office. 10.10.10.1 - Pixel Replication Server 192.168.1.1 - Web Based Server [Delivery Server] 192.168.100.1 - File Server Including Internet Users. 192.168.0.1-254 [ Lan ]. The store computers that need to access specific servers, are only on that network. For example. Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105] Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105 Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105. Now the Risk involved with this is we have no Real Security, For Example. A Malicious user can easily change his ip address to 192.168.0.105 For Example and Get on our Head Office Internal Network. Which We don't Want. So i would like to Setup, Install And Configure a FreeBSD Based Firewall, that will have 4 Network Cards, and will be placed between Our Head Office Switch, and out Fibre Switch [Wan]. But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? I would appreciate Advice / Suggestions / Anything That will give me a better clue on how to secure my network. Yours Sincerely, Stephan Weaver _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
Stephan Weaver wrote: Hello Everyone. We are going to be connecting our Stores to our Main Head Office Via Fiber. We want to separate our Internal Lan from the store computers. So we have decided to separate them by networks [ip addressing] because of security. Head Office I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head Office. 10.10.10.1 - Pixel Replication Server 192.168.1.1 - Web Based Server [Delivery Server] 192.168.100.1 - File Server Including Internet Users. 192.168.0.1-254 [ Lan ]. The store computers that need to access specific servers, are only on that network. For example. Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105] Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105 Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105. Now the Risk involved with this is we have no Real Security, For Example. A Malicious user can easily change his ip address to 192.168.0.105 For Example and Get on our Head Office Internal Network. Which We don't Want. So i would like to Setup, Install And Configure a FreeBSD Based Firewall, that will have 4 Network Cards, and will be placed between Our Head Office Switch, and out Fibre Switch [Wan]. But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? I would appreciate Advice / Suggestions / Anything That will give me a better clue on how to secure my network. Yours Sincerely, Stephan Weaver This is probably not Real Helpful(tm), but maybe we can get the ball rolling here (so I've included your entire post) --- I'm looking at m0n0wall (http://m0n0.ch/wall) to do a little of this on a smaller scale --- basically just keeping 2 LAN's on the same wire seperate from one another, and limiting access to the big bad Net via a captive portal. Not sure if it would be any help to you, however Kevin Kinsey ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
On Tue, 2 Aug 2005, Stephan Weaver wrote: Hello Everyone. We are going to be connecting our Stores to our Main Head Office Via Fiber. We want to separate our Internal Lan from the store computers. So we have decided to separate them by networks [ip addressing] because of security. Head Office I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head Office. 10.10.10.1 - Pixel Replication Server 192.168.1.1 - Web Based Server [Delivery Server] 192.168.100.1 - File Server Including Internet Users. 192.168.0.1-254 [ Lan ]. The store computers that need to access specific servers, are only on that network. For example. Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105] Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105 Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105. Now the Risk involved with this is we have no Real Security, For Example. A Malicious user can easily change his ip address to 192.168.0.105 For Example and Get on our Head Office Internal Network. Which We don't Want. So i would like to Setup, Install And Configure a FreeBSD Based Firewall, that will have 4 Network Cards, and will be placed between Our Head Office Switch, and out Fibre Switch [Wan]. But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? I would appreciate Advice / Suggestions / Anything That will give me a better clue on how to secure my network. Yours Sincerely, Stephan Weaver I can tell you as of right now that you're going to have to setup a NAT with your FreeBSD box acting as the gateway using something like ipf, ipfilter, etc. However, I have little experience with this, and depending on what you want in terms of user interaction, different solutions will pose certain pros and cons. Also, no one outside of the network can just change their IP address to 192.168.0.x because the 192.168.x.y IP address blocks are reserved as Class C addresses which under all correct implementations of IP physically inaccessible outside the network. Therefore, that isn't so much of an issue... however, it still doesn't hurt to have a firewall because you don't want someone tunnelling in and wreaking havok on your network. That is of course if the information you listed above was in fact what's currently implemented as opposed to what should be implemented. Just a few minor thoughts. -Garrett ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
From: Garrett Cooper [EMAIL PROTECTED] To: Stephan Weaver [EMAIL PROTECTED] CC: freebsd-questions@freebsd.org Subject: Re: Networking with FreeBSD Date: Tue, 2 Aug 2005 10:10:44 -0700 (PDT) On Tue, 2 Aug 2005, Stephan Weaver wrote: Hello Everyone. We are going to be connecting our Stores to our Main Head Office Via Fiber. We want to separate our Internal Lan from the store computers. So we have decided to separate them by networks [ip addressing] because of security. Head Office I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head Office. 10.10.10.1 - Pixel Replication Server 192.168.1.1 - Web Based Server [Delivery Server] 192.168.100.1 - File Server Including Internet Users. 192.168.0.1-254 [ Lan ]. The store computers that need to access specific servers, are only on that network. For example. Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105] Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105 Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105. Now the Risk involved with this is we have no Real Security, For Example. A Malicious user can easily change his ip address to 192.168.0.105 For Example and Get on our Head Office Internal Network. Which We don't Want. So i would like to Setup, Install And Configure a FreeBSD Based Firewall, that will have 4 Network Cards, and will be placed between Our Head Office Switch, and out Fibre Switch [Wan]. But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? I would appreciate Advice / Suggestions / Anything That will give me a better clue on how to secure my network. Yours Sincerely, Stephan Weaver I can tell you as of right now that you're going to have to setup a NAT with your FreeBSD box acting as the gateway using something like ipf, ipfilter, etc. However, I have little experience with this, and depending on what you want in terms of user interaction, different solutions will pose certain pros and cons. Also, no one outside of the network can just change their IP address to 192.168.0.x because the 192.168.x.y IP address blocks are reserved as Class C addresses which under all correct implementations of IP physically inaccessible outside the network. Therefore, that isn't so much of an issue... however, it still doesn't hurt to have a firewall because you don't want someone tunnelling in and wreaking havok on your network. That is of course if the information you listed above was in fact what's currently implemented as opposed to what should be implemented. Just a few minor thoughts. -Garrett Nothing is implimented as yet, i am looking for solutions. Thanks EVERYONE! Love You Guys stephan weaver _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
Stephan Weaver wrote: [ ... ] But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. FreeBSD is well-behaved in terms of security. It will not act as a layer-2 bridge or as a layer-3 IP router/firewall, unless and until you tell it to do so. See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as: gateway_enable=NO # Set to YES if this host will be a gateway. router_enable=NO # Set to YES to enable a routing daemon. firewall_enable=NO# Set to YES to enable firewall functionality firewall_script=/etc/rc.firewall # Which script to run to set up the firewall firewall_type=UNKNOWN # Firewall type (see /etc/rc.firewall) ...or man bridge. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? Well, if you set the machines up on three or four seperate subnets, each on a seperate collision domain (ie, each with it's own hub or switch VLAN), you can firewall traffic both by subnet and by individual IPs. A proper ruleset will integrate anti-spoofing rules which will prevent a machine from sending traffic as if it were an IP on another subnet, or at least prevent the traffic from going through the firewall to reach your private internal networks. Obviously, you want to keep untrusted machines on another subnet than the servers you are protecting. Go read Building Internet Firewalls published by O'Reilley, as well as http://www.ietf.org/rfc/rfc2196.txt... -- -Chuck ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
From: Chuck Swiger [EMAIL PROTECTED] To: Stephan Weaver [EMAIL PROTECTED] CC: freebsd-questions@freebsd.org Subject: Re: Networking with FreeBSD Date: Tue, 02 Aug 2005 13:38:27 -0400 Stephan Weaver wrote: [ ... ] But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. FreeBSD is well-behaved in terms of security. It will not act as a layer-2 bridge or as a layer-3 IP router/firewall, unless and until you tell it to do so. See the options set in /etc/rc.conf and /etc/defaults/rc.conf such as: gateway_enable=NO # Set to YES if this host will be a gateway. router_enable=NO # Set to YES to enable a routing daemon. firewall_enable=NO# Set to YES to enable firewall functionality firewall_script=/etc/rc.firewall # Which script to run to set up the firewall firewall_type=UNKNOWN # Firewall type (see /etc/rc.firewall) ...or man bridge. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? Well, if you set the machines up on three or four seperate subnets, each on a seperate collision domain (ie, each with it's own hub or switch VLAN), you can firewall traffic both by subnet and by individual IPs. A proper ruleset will integrate anti-spoofing rules which will prevent a machine from sending traffic as if it were an IP on another subnet, or at least prevent the traffic from going through the firewall to reach your private internal networks. Obviously, you want to keep untrusted machines on another subnet than the servers you are protecting. Go read Building Internet Firewalls published by O'Reilley, as well as http://www.ietf.org/rfc/rfc2196.txt... -- -Chuck Thank You So Very Much for your quick response. I am familar with firewalling, but i never done something like this. Mabee you can give me an actual Example from my reference. Using my networks ect. What i want to do is seperate the network's on the same wire. _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
Stephan Weaver wrote: [ ... ] Thank You So Very Much for your quick response. You're welcome. I am familar with firewalling, but i never done something like this. Mabee you can give me an actual Example from my reference. Using my networks ect. Sure, if I had lots of free time and nothing else to do, I could probably write up a security policy, firewall rules, along with pretty network topology diagrams and so forth. But I was up 'til 2AM doing pretty much just that for a client yesterday (*), and I'd rather not spend that much effort again today without a good cause, or at least more beer. :-) There is an expectation on the freebsd lists that you spend your own time to learn about the tasks you want to accomplish before asking other people to repeat what the documentation says for your own specific use case. (Read the docs. Try stuff out. Ask questions which show what you've done and what the specific error message or problem you have is.) What i want to do is seperate the network's on the same wire. Hmm. Why do you want to put separate subnets on the same wire? (What does that mean to you, anyway? Using the same external ISP connection? All boxes all on the same ethernet hub? Something else? Consider IPsec. :-) -- -Chuck (*): Client is in Denmark. They wanted stuff urgently by this morning their time, after getting me something to respond to yesterday at 4PM my time. Bleh, this global outsourcing thing really is overrated ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
On 8/2/05, Kevin Kinsey [EMAIL PROTECTED] wrote: Stephan Weaver wrote: Hello Everyone. We are going to be connecting our Stores to our Main Head Office Via Fiber. We want to separate our Internal Lan from the store computers. So we have decided to separate them by networks [ip addressing] because of security. Head Office I have 3 Servers in my LAN. And 4 Networks in Total inside of out Head Office. 10.10.10.1 - Pixel Replication Server 192.168.1.1 - Web Based Server [Delivery Server] 192.168.100.1 - File Server Including Internet Users. 192.168.0.1-254 [ Lan ]. The store computers that need to access specific servers, are only on that network. For example. Store 1, Computer 1 Needs to Replicate [he will have an ip of 10.10.10.105] Store 1, Computer 2 [The Delivery Pc]. he will have an ip of 192.168.1.105 Store 1, Computer 3 Will access the File Server by having an ip of 192.168.100.105. Now the Risk involved with this is we have no Real Security, For Example. A Malicious user can easily change his ip address to 192.168.0.105 For Example and Get on our Head Office Internal Network. Which We don't Want. So i would like to Setup, Install And Configure a FreeBSD Based Firewall, that will have 4 Network Cards, and will be placed between Our Head Office Switch, and out Fibre Switch [Wan]. But AFAIK, By Placing all these network cards in the Same Machine, FreeBSD Will Bridge All Those Networks. How Can i keep the networks Separate, and Secure the Servers by Firewalling by ip addressing? I would appreciate Advice / Suggestions / Anything That will give me a better clue on how to secure my network. Yours Sincerely, Stephan Weaver This is probably not Real Helpful(tm), but maybe we can get the ball rolling here (so I've included your entire post) --- I'm looking at m0n0wall (http://m0n0.ch/wall) to do a little of this on a smaller scale --- basically just keeping 2 LAN's on the same wire seperate from one another, and limiting access to the big bad Net via a captive portal. Not sure if it would be any help to you, however I'm a big fan of m0n0wall! The thing can do just about anything and it's so easy to setup and maintain it. This problem should be a simple fix... Treat your connections to the stores as if it where a connection the public Internet! If I wanted to connect my LAN/Servers to the Internet then I would setup a firewall (m0n0wall) that has a deny all policy. After I've done that I would setup some pass rules like, store server with the IP address of xyz can access HQ server that has the IP address of xyz only on port xyz. If you want you could setup a DMZ and put your HQ servers there. All WANs, MANs, 802.11x, Ethernet over AC power lines, etc. should always be treated like the public Internet. m0n0wall can do everything you need... Have you thought about site to site VPNs using the Internet to connect the stores?... what kind of bandwidth do you need? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
From: Chuck Swiger [EMAIL PROTECTED] To: Stephan Weaver [EMAIL PROTECTED] CC: freebsd-questions@freebsd.org Subject: Re: Networking with FreeBSD Date: Tue, 02 Aug 2005 14:26:07 -0400 Stephan Weaver wrote: [ ... ] Thank You So Very Much for your quick response. You're welcome. I am familar with firewalling, but i never done something like this. Mabee you can give me an actual Example from my reference. Using my networks ect. Sure, if I had lots of free time and nothing else to do, I could probably write up a security policy, firewall rules, along with pretty network topology diagrams and so forth. But I was up 'til 2AM doing pretty much just that for a client yesterday (*), and I'd rather not spend that much effort again today without a good cause, or at least more beer. :-) There is an expectation on the freebsd lists that you spend your own time to learn about the tasks you want to accomplish before asking other people to repeat what the documentation says for your own specific use case. (Read the docs. Try stuff out. Ask questions which show what you've done and what the specific error message or problem you have is.) What i want to do is seperate the network's on the same wire. Hmm. Why do you want to put separate subnets on the same wire? (What does that mean to you, anyway? Using the same external ISP connection? All boxes all on the same ethernet hub? Something else? Consider IPsec. :-) -- -Chuck (*): Client is in Denmark. They wanted stuff urgently by this morning their time, after getting me something to respond to yesterday at 4PM my time. Bleh, this global outsourcing thing really is overrated What i want to do in a nutshell, Connect all stores together via fibre, and protect my HeadOffice Lan, which will now be connected to all the stores. And Have some sort of security. _ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking with FreeBSD
On 8/2/05, Stephan Weaver [EMAIL PROTECTED] wrote: From: Chuck Swiger [EMAIL PROTECTED] To: Stephan Weaver [EMAIL PROTECTED] CC: freebsd-questions@freebsd.org Subject: Re: Networking with FreeBSD Date: Tue, 02 Aug 2005 14:26:07 -0400 Stephan Weaver wrote: [ ... ] Thank You So Very Much for your quick response. You're welcome. I am familar with firewalling, but i never done something like this. Mabee you can give me an actual Example from my reference. Using my networks ect. Sure, if I had lots of free time and nothing else to do, I could probably write up a security policy, firewall rules, along with pretty network topology diagrams and so forth. But I was up 'til 2AM doing pretty much just that for a client yesterday (*), and I'd rather not spend that much effort again today without a good cause, or at least more beer. :-) There is an expectation on the freebsd lists that you spend your own time to learn about the tasks you want to accomplish before asking other people to repeat what the documentation says for your own specific use case. (Read the docs. Try stuff out. Ask questions which show what you've done and what the specific error message or problem you have is.) What i want to do is seperate the network's on the same wire. Hmm. Why do you want to put separate subnets on the same wire? (What does that mean to you, anyway? Using the same external ISP connection? All boxes all on the same ethernet hub? Something else? Consider IPsec. :-) -- -Chuck (*): Client is in Denmark. They wanted stuff urgently by this morning their time, after getting me something to respond to yesterday at 4PM my time. Bleh, this global outsourcing thing really is overrated What i want to do in a nutshell, Connect all stores together via fibre, and protect my HeadOffice Lan, which will now be connected to all the stores. And Have some sort of security. What fibre? how far are the stores? fibre networking gear? you have fibre going all the way to your stores from HQ? Also, why do you have pixel, httpd, and samba servers on different LANs? Internet | | |WANs 1-4, 192.168.2/24, 192.168.3/24, 192.168.4/24, 192.168.5/24 Firewall -- DMZ 192.168.1/24 - Pixel, httpd, samba | | HQ LAN 192.168.0/24 OR: Internet | | |-WAN, 192.168.2/24 Firewall --- DMZ, 192.168.1/24 - Pixel, httpd | |--- Samba | HQ LAN 192.168.0/24 OR: Internet | | |---WAN(s) Firewall | | HQ LAN Etc. We need more info to help you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Hello, ps: root542 0.0 0.7 1320 812 ?? Ss Tue09AM 2:22.10 /sbin/natd -dynamic -d -log_ipfw_denied -log_denied -dynamic -n dc0 ifconfig: pccard_ifconfig=NO ifconfig_xl0=inet 192.168.0.15 netmask 255.255.255.0 ifconfig_dc0=DHCP So FreeBSD 5.3 isn't production? I had read somewhere that 5.2.1 wasn't production and that 5.3 was supposed to be production. I'll look into upgrading to 5.4, it will take a bit of time to do that though. Joe --- Alex Zbyslaw [EMAIL PROTECTED] wrote: Joe wrote: Okay, I've been looking and looking for duplicate natd's. I have the /etc/rc.conf which has natd stuff below, and the only other place I see it is in ipfw. I was able to change my rc and use /etc/rc.d/natd start and that works. Which is better as it does not require me to reload my firewall rules. I still don't know why natd refuses to start the first time when called from ipfw. If I understand the boot procedure correctly, natd ought to be started as part of the /etc/rc.d/ipfw and that just calls /etc/rc.d/natd start which is what you are typing later from the command line with success, so why it fails at boot, I really don't know at this point. The cannot bind to divert socket error I thought could happen if a) you weren't root (seems unlikely from bootup) or b) something had already bound the socket. After your machine boots, what does ps uagxww | egrep natd show? Google also found this: - In FreeBSD, IPDIVERT must be enabled at compile time. I guess your kernel has this option, or natd would never have worked. what ifconfig lines do you have in /etc.rc.conf egrep ifconfig /etc/rc.conf I have no rc.conf.local Not too surprising. It could be used under 4.X as a second level to rc.conf, but exists nowadays for backwards compatibility and AFAIK isn't created by anything. As a more drastic attempt at a solution, could you try upgrading to 5.4? It has numerous improvements over 5.3, which was never a production release. Maybe some ordering problems was fixed. --Alex Yahoo! Sports Rekindle the Rivalries. Sign up for Fantasy Football http://football.fantasysports.yahoo.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Joe wrote: Hello, ps: root542 0.0 0.7 1320 812 ?? Ss Tue09AM 2:22.10 /sbin/natd -dynamic -d -log_ipfw_denied -log_denied -dynamic -n dc0 Is this just after a reboot? If so, it does show that natd is running, so I'm not sure why you're getting the message you were getting. ifconfig: pccard_ifconfig=NO ifconfig_xl0=inet 192.168.0.15 netmask 255.255.255.0 ifconfig_dc0=DHCP That looks right. So FreeBSD 5.3 isn't production? I had read somewhere that 5.2.1 wasn't production and that 5.3 was supposed to be production. I'm not sure if I'm getting the terminology quite right, but I believe 5.4 was the first -STABLE release. Up until then 4.X was still the recommended release to use unless you required 5.X for particular hardware and were prepared to accept that it might not be quite production ready. My memory, when I was tracking this stuff, was that a lot of improvements went into 5.4. (I'm sure a lot went into 5.3 as well, but I'm reasonably sure it was not made the -STABLE or recommended branch or whatever). I'll look into upgrading to 5.4, it will take a bit of time to do that though. I don't think it's as bad as you might think -- my experience is that upgrades within a major release number (4.X, or 5.X) have been very easy. The compiling can take time, but I just try to make it coincide with a good movie on the telly, or a sunny afternoon in the garden. The bit I don't like is mergemaster, just because it's fiddly and hands on and requires lots of concentration. (Mergemaster is a great deal better than anything which preceded it, which if you go back far enough was nothing at all. It's not so much mergemaster that I dislike as just staring at the diffs trying to decipher how the OS-related changes affect my own changes). The handbook has a great section on upgrading. I'd recommend printing it off, especially if upgrading isn't something you have done often. Please note, I'm not saying that upgrading will fix your problem, but it might and 5.4 ought to be better than 5.3. Since no-one else has yet chimed in with any help, it might be worth posting a brand new message (with a more descriptive subject line) and just summarise the relevant bits of config and the natd error you are getting. (Summarise your natd_* config variables, ifconfig_* variables, OS version and an excerpt from your firewall showing any divert rules. That ought to be enough). One final thought. Did you start with a fresh install of 5.3? Did you upgrade from 4.X? If the latter, then make sure that you don't have any stray config/boot script files lying about. The easiest way to do that would be to run mergemaster (I like -s -v as options). You can always say no to everything, but you should study the list of files in /etc which are not in CVS and make sure that you recognize them all. If there are some you don't recognize which sound like they might be network/natd/firewall related, then they may be causing your problem. --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Okay, I've been looking and looking for duplicate natd's. I have the /etc/rc.conf which has natd stuff below, and the only other place I see it is in ipfw. I was able to change my rc and use /etc/rc.d/natd start and that works. Which is better as it does not require me to reload my firewall rules. I still don't know why natd refuses to start the first time when called from ipfw. I have no rc.conf.local Joe --- Alex Zbyslaw [EMAIL PROTECTED] wrote: Joe wrote: Okay, back on topic. I've changed my rules in ipfw, and no longer get the hostname .. messages. Now natd does not start and it complains 'unable to bind divert socket, and then cant assign requested address'. I'm using: natd_enable=YES natd_interface=dc0 natd_flags=-dynamic -d -log_ipfw_denied -log_denied These are my parameters below which definitely work -- or you wouldn't be seeing this email :) I can't see anything obviously wrong with yours; what I would suggest is to start with just -dynamic since that's the only one that's *required* for this setup to work and see how that does. I can't find your original rules: I assume that a) dc0 *is* your external interface (typos are a common source of errors, though I don't think that's the case here) b) you have an ifconfig_dc0=DHCP line in /etc/rc.conf. natd_enable=YES # Natd packet translation natd_flags=-log -log_denied -dynamic natd_interface=sis0 ifconfig_sis0=DHCP# External network At startup I get a message like: Jun 18 10:38:58 natd[701]: Aliasing to 0.0.0.0, mtu 1500 bytes just after the firewall rules start up. The divert rule in my firewall says: ipfw add divert natd all from any to any via ${natd_interface} If you have static rules rather than a script then you need ${natd_interface} to be replaced directly with dc0. The other things to check, I guess, are that those are the *only* natd lines you have: egrep natd /etc/rc.conf /etc.rc.conf.local --Alex __ Discover Yahoo! Find restaurants, movies, travel and more fun for the weekend. Check it out! http://discover.yahoo.com/weekend.html ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Joe wrote: Okay, back on topic. I've changed my rules in ipfw, and no longer get the hostname .. messages. Now natd does not start and it complains 'unable to bind divert socket, and then cant assign requested address'. I'm using: natd_enable=YES natd_interface=dc0 natd_flags=-dynamic -d -log_ipfw_denied -log_denied These are my parameters below which definitely work -- or you wouldn't be seeing this email :) I can't see anything obviously wrong with yours; what I would suggest is to start with just -dynamic since that's the only one that's *required* for this setup to work and see how that does. I can't find your original rules: I assume that a) dc0 *is* your external interface (typos are a common source of errors, though I don't think that's the case here) b) you have an ifconfig_dc0=DHCP line in /etc/rc.conf. natd_enable=YES # Natd packet translation natd_flags=-log -log_denied -dynamic natd_interface=sis0 ifconfig_sis0=DHCP# External network At startup I get a message like: Jun 18 10:38:58 natd[701]: Aliasing to 0.0.0.0, mtu 1500 bytes just after the firewall rules start up. The divert rule in my firewall says: ipfw add divert natd all from any to any via ${natd_interface} If you have static rules rather than a script then you need ${natd_interface} to be replaced directly with dc0. The other things to check, I guess, are that those are the *only* natd lines you have: egrep natd /etc/rc.conf /etc.rc.conf.local --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Okay, back on topic. I've changed my rules in ipfw, and no longer get the hostname .. messages. Now natd does not start and it complains 'unable to bind divert socket, and then cant assign requested address'. I'm using: natd_enable=YES natd_interface=dc0 natd_flags=-dynamic -d -log_ipfw_denied -log_denied Rules get set, natd does not start. Interesting thing is that if I restart ipfw at the end of /etc/rc ( /etc/rc.d/ipfw start ) natd starts. Hmm, I'm confused on this one. Joe --- Alex Zbyslaw [EMAIL PROTECTED] wrote: Joe wrote: Thanks Alex, Below are my rules. I have removed the IP addresses and replaced with x.x.x.x in most cases. Also some ports have been turned to y's instead of the actual port. I don't want to go into the details of your firewall; all I can offer is general advice for you to apply if you wish. There are plenty resources out there from the various man pages to the handbook. Firewalls can be trickier than they look and NAT makes them significantly more complicated to fathom correctly. I don't claim to be any kind of expert and everything I know started life being written by someone else :-) Any mistakes are most likely my own! I will say that it is worth making sure you understand your own firewall. At one point you suggested that you wanted to make your firewall script start later so that you had access to your IP address. I think you are on to a loser there because there is not particular time when DHCP finally gets the IP address. If your provider is down, it might take minutes, hours or even days. You could keep polling in some way to see if you had an IP address and not running your rules script until you did, but it would seem better to just write rules which work even without the IP address. Plus, that would also not work if you ever had a second external interface (e.g. an old-fashioned modem) which needed firewalling irrespective of the status of your ethernet interface. Although a firewall often need to know the actual addresses of hosts other than itself there is, as far as I can figure out, no logical reason for it to need to know it's own IP address if you have the me construct. (If, like my machine, your firewall is just another computer on a small network that is allowed to do exactly the same things as any other host on that network, then it needn't even use me. This makes life much easier because it interferes less with NAT). If you have me then you can always distinguish between your firewall and the rest of your network. Take the non-NAT case first: allow all from me to any out xmit ext_if allow all from any to me in recv ext_if These rules could only be triggered by packets addressed directly to your firewall. If you follow it with e.g. deny all from any to any out via ext_if deny all from any to any in via ext_if then you close off your internal network. NAT makes things more complicated, because before or after NATing (depending on the direction) packets from your network can look like they originate on your machine or are destined for it. E.g. allow all from me to any out xmit ext_if must come before the NAT rule because after NAT-ing all your internal packets are going out ext_if. whereas allow all from any to me in recv ext_if must come after the NAT rule to be sure that it is actually your firewall which is the recipient. If all you have is a small network, then there may be no reason to differentiate your firewall from any other machine. In this case, it is perfectly sufficient to write rules based on the ext_if alone. So I have rules like: # Allow connections initiated from internal network ipfw add allow tcp from any to any out xmit ext_if setup # Allow TCP through if setup succeeded ipfw add pass tcp from any to any via ext_if established The only IP addresses in my whole firewall are the limited number of hosts which can initiate some kind of connection into my network e.g. ipfw add allow tcp from x.x.x.x to any ssh setup (x.x.x.x not because I need to hide the IP but because I can't be bothered to find it in the firewall script :-)) NB that rule says any for recipient because it was written before me existed. But since my network is NATed, it would always be a packet header for my firewall and could only get elsewhere if I explicitly forwarded it. There's no mention of the interface because a prior rule has already allowed internal connections which would match. Looking at it now, I might get picky and put an interface spec in there just to be completist. It's often said that there is no security in obscurity, and while I don't always agree, I do think that if you actually have to hide the IPs in your firewall for it be secure, then it isn't secure. Since my firewall never
Re: SMP and networking under FreeBSD 5.3
Joe wrote: I'm not sure why I get the hostname ``or'' unknown message though. If you still get it once you take away your ifconfig stuff then you'll know that it was responsible. You haven't posted the actual lines you use, so no-one is going to be able to figure out what might be happening. Where you currently have variable=`ifconfig interface | stuff` or whatever, put echo $variable after it and you will see if you got it right or not. From what you've said I think your stuff works fine when there is an ip address and produces some junk when there isn't and you then feed that junk to an ipfw rule which gives you the error. --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Thanks Alex, Below are my rules. I have removed the IP addresses and replaced with x.x.x.x in most cases. Also some ports have been turned to y's instead of the actual port. Some of these rules are probably not needed, but it works, or at least it seems to be working. In looking at the rules, 8 rules are not processed, I get 8 of the messages below, and 8 rules rely on the E_IPADDR to be set ( The allowTcpConnectionOut shell function sets 3 rules ). Since E_IPADDR is always used when referering to the FULL_LAN which includes the interal interface, I'm just going to switch to using 'me' instead. Is it better to use 'me' or an ip address? Joe #! /bin/sh # ipfw rules # ## # set up the ipf command ipfw_cmd=/sbin/ipfw -q # ## # globals ## GREP=/usr/bin/grep E_IPADDR=`/sbin/ifconfig dc0 | $GREP -v inet6|$GREP inet | awk '{print $2}'` I_IPADDR=x.x.x.0 # x.x.x has been removed for this email DNS_LOOKUPS=`$GREP nameserver /etc/resolv.conf|awk '{print $2}' ` INTERNET_IFACE=dc0 LAN_IFACE=xl0 FULL_LAN={ $E_IPADDR or $I_IPADDR/24 } DNS_SERVER=x.x.x.x # I've removed this for this email ## # ## # function for allowing tcp connections # takes from to and interface ### tcpAddAllow=$ipfw_cmd add allow tcp from setup=setup keep-state ### allowTcpEst() { FROM=$1 TOWHO=$2 INTERFACE=$3 $tcpAddAllow $FROM to $TOWHO via $INTERFACE established $tcpAddAllow $TOWHO to $FROM via $INTERFACE established } ### allowTcpConnectionOut() { FROM=$1 TOWHO=$2 INTERFACE=$3 $tcpAddAllow $FROM to $TOWHO out xmit $INTERFACE $setup allowTcpEst $FROM $TOWHO $INTERFACE } ### allowTcpConnectionIn() { FROM=$1 TOWHO=$2 INTERFACE=$3 $tcpAddAllow $FROM to $TOWHO in recv $INTERFACE $setup allowTcpEst $FROM $TOWHO $INTERFACE } ## # flush all the rules $ipfw_cmd -f flush # ## # allow from loop back #$ipfw_cmd set enable 0 #$ipfw_cmd set enable 1 $ipfw_cmd add allow all from any to any via lo0 $ipfw_cmd add deny all from 127.0.0.1 to 127.0.0.1 $ipfw_cmd add deny all from any to 127.0.0.0/8 $ipfw_cmd add deny ip from 127.0.0.0/8 to any # ## # from the dsl modem / router , once again masked, they are fixed IP's here $ipfw_cmd add allow udp from x.x.x.x y to x.x.255.255 y via $INTERNET_IFACE # ## # deny this shit worm and MS crap and SYN in $ipfw_cmd add deny tcp from any to any in recv $INTERNET_IFACE setup $ipfw_cmd add deny ip from any to any 0-19,135-139,445,1214,1434 in recv $INTERNET_IFACE # ## # need to divert all packets to get them where we want them $ipfw_cmd add divert natd all from any to any via $INTERNET_IFACE # $ipfw_cmd add check-state # ## # this is the dc0 interface ### # tcp ### allowTcpConnectionOut $FULL_LAN any $INTERNET_IFACE # # for passive ftp (port 20) x-fers eek! does MS need this? #$ipfw_cmd add allow log tcp from any 20 to any in recv $INTERNET_IFACE # ### # this is udp DNS and NTP ### $ipfw_cmd add allow udp from $FULL_LAN to any 53 out xmit $INTERNET_IFACE keep-state # # ntp $ipfw_cmd add allow udp from $FULL_LAN to any 123 out xmit $INTERNET_IFACE keep-state # # this is apple talk shit we dont want $ipfw_cmd add deny udp from any to any 192 # # this is our new netgear router port crap we dont want, as well as MS $ipfw_cmd add deny udp from any to any 137 # # the rest of UDP that should not have anything in it $ipfw_cmd add allow log udp from any to any out xmit $INTERNET_IFACE keep-state # ### # this is icmp out ### $ipfw_cmd add allow icmp from $FULL_LAN to any out xmit $INTERNET_IFACE keep-state # ### # icmp from router to any ### # this is masked for internat email $ipfw_cmd add allow icmp from x.x.0.254 to $FULL_LAN icmptypes 3,4 # ### # for big joe to access mindspring ? # and yahoo and some other places that like to ping ?? ### $ipfw_cmd add allow log icmp from any to any in recv $INTERNET_IFACE
Re: SMP and networking under FreeBSD 5.3
Joe wrote: Thanks Alex, Below are my rules. I have removed the IP addresses and replaced with x.x.x.x in most cases. Also some ports have been turned to y's instead of the actual port. I don't want to go into the details of your firewall; all I can offer is general advice for you to apply if you wish. There are plenty resources out there from the various man pages to the handbook. Firewalls can be trickier than they look and NAT makes them significantly more complicated to fathom correctly. I don't claim to be any kind of expert and everything I know started life being written by someone else :-) Any mistakes are most likely my own! I will say that it is worth making sure you understand your own firewall. At one point you suggested that you wanted to make your firewall script start later so that you had access to your IP address. I think you are on to a loser there because there is not particular time when DHCP finally gets the IP address. If your provider is down, it might take minutes, hours or even days. You could keep polling in some way to see if you had an IP address and not running your rules script until you did, but it would seem better to just write rules which work even without the IP address. Plus, that would also not work if you ever had a second external interface (e.g. an old-fashioned modem) which needed firewalling irrespective of the status of your ethernet interface. Although a firewall often need to know the actual addresses of hosts other than itself there is, as far as I can figure out, no logical reason for it to need to know it's own IP address if you have the me construct. (If, like my machine, your firewall is just another computer on a small network that is allowed to do exactly the same things as any other host on that network, then it needn't even use me. This makes life much easier because it interferes less with NAT). If you have me then you can always distinguish between your firewall and the rest of your network. Take the non-NAT case first: allow all from me to any out xmit ext_if allow all from any to me in recv ext_if These rules could only be triggered by packets addressed directly to your firewall. If you follow it with e.g. deny all from any to any out via ext_if deny all from any to any in via ext_if then you close off your internal network. NAT makes things more complicated, because before or after NATing (depending on the direction) packets from your network can look like they originate on your machine or are destined for it. E.g. allow all from me to any out xmit ext_if must come before the NAT rule because after NAT-ing all your internal packets are going out ext_if. whereas allow all from any to me in recv ext_if must come after the NAT rule to be sure that it is actually your firewall which is the recipient. If all you have is a small network, then there may be no reason to differentiate your firewall from any other machine. In this case, it is perfectly sufficient to write rules based on the ext_if alone. So I have rules like: # Allow connections initiated from internal network ipfw add allow tcp from any to any out xmit ext_if setup # Allow TCP through if setup succeeded ipfw add pass tcp from any to any via ext_if established The only IP addresses in my whole firewall are the limited number of hosts which can initiate some kind of connection into my network e.g. ipfw add allow tcp from x.x.x.x to any ssh setup (x.x.x.x not because I need to hide the IP but because I can't be bothered to find it in the firewall script :-)) NB that rule says any for recipient because it was written before me existed. But since my network is NATed, it would always be a packet header for my firewall and could only get elsewhere if I explicitly forwarded it. There's no mention of the interface because a prior rule has already allowed internal connections which would match. Looking at it now, I might get picky and put an interface spec in there just to be completist. It's often said that there is no security in obscurity, and while I don't always agree, I do think that if you actually have to hide the IPs in your firewall for it be secure, then it isn't secure. Since my firewall never mentions my IP address, I can publish the whole thing and even if it has flaws it won't help since you don't know where I am :-) A bit long-winded, but I hope it helps, --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
I'm still learning the firewall thing. I didn't understand the 'me' clause until recently. I'm using it on my UP box. My router actually runs off a cdrom. Its hard to make changes to it :-). Its an SMP box. It wouldn't help telling you my ip addresses anyway, because my system is internet IP - nat(dsl modem) - nat(lan). I have no idea what my real ip address is on the internet. In any case, thanks for the advice. I've been thinking of redoing these rules for 2 years now. So how would your rules look if nat were in the picture? Thanks, Joe --- Alex Zbyslaw [EMAIL PROTECTED] wrote: Joe wrote: Thanks Alex, Below are my rules. I have removed the IP addresses and replaced with x.x.x.x in most cases. Also some ports have been turned to y's instead of the actual port. I don't want to go into the details of your firewall; all I can offer is general advice for you to apply if you wish. There are plenty resources out there from the various man pages to the handbook. Firewalls can be trickier than they look and NAT makes them significantly more complicated to fathom correctly. I don't claim to be any kind of expert and everything I know started life being written by someone else :-) Any mistakes are most likely my own! I will say that it is worth making sure you understand your own firewall. At one point you suggested that you wanted to make your firewall script start later so that you had access to your IP address. I think you are on to a loser there because there is not particular time when DHCP finally gets the IP address. If your provider is down, it might take minutes, hours or even days. You could keep polling in some way to see if you had an IP address and not running your rules script until you did, but it would seem better to just write rules which work even without the IP address. Plus, that would also not work if you ever had a second external interface (e.g. an old-fashioned modem) which needed firewalling irrespective of the status of your ethernet interface. Although a firewall often need to know the actual addresses of hosts other than itself there is, as far as I can figure out, no logical reason for it to need to know it's own IP address if you have the me construct. (If, like my machine, your firewall is just another computer on a small network that is allowed to do exactly the same things as any other host on that network, then it needn't even use me. This makes life much easier because it interferes less with NAT). If you have me then you can always distinguish between your firewall and the rest of your network. Take the non-NAT case first: allow all from me to any out xmit ext_if allow all from any to me in recv ext_if These rules could only be triggered by packets addressed directly to your firewall. If you follow it with e.g. deny all from any to any out via ext_if deny all from any to any in via ext_if then you close off your internal network. NAT makes things more complicated, because before or after NATing (depending on the direction) packets from your network can look like they originate on your machine or are destined for it. E.g. allow all from me to any out xmit ext_if must come before the NAT rule because after NAT-ing all your internal packets are going out ext_if. whereas allow all from any to me in recv ext_if must come after the NAT rule to be sure that it is actually your firewall which is the recipient. If all you have is a small network, then there may be no reason to differentiate your firewall from any other machine. In this case, it is perfectly sufficient to write rules based on the ext_if alone. So I have rules like: # Allow connections initiated from internal network ipfw add allow tcp from any to any out xmit ext_if setup # Allow TCP through if setup succeeded ipfw add pass tcp from any to any via ext_if established The only IP addresses in my whole firewall are the limited number of hosts which can initiate some kind of connection into my network e.g. ipfw add allow tcp from x.x.x.x to any ssh setup (x.x.x.x not because I need to hide the IP but because I can't be bothered to find it in the firewall script :-)) NB that rule says any for recipient because it was written before me existed. But since my network is NATed, it would always be a packet header for my firewall and could only get elsewhere if I explicitly forwarded it. There's no mention of the interface because a prior rule has already allowed internal connections which would match. Looking at it now, I might get picky and put an interface spec in there just to be completist. It's often said that there is no security in obscurity, and while I don't always agree, I do think that if you actually have to hide the IPs in your firewall for
Re: SMP and networking under FreeBSD 5.3
Joe wrote: Hey thanks, it seems that ipfw complains during boot with a message: hostname ``or'' unknown which I have no idea where that is coming from yet, but will look. Then natd doesn't get started. If I run /etc/rc.d/ipfw start then the router is up and natd gets started. For now, I'll probably just add it to rc at the end. I think it has something to do with the order things get run. My firewall script is for a dhcp interface. Since I don't know the IP, I use ifconfig dc0 | grep -v inet6 | grep inet | awk ... to get the IP address for some of the rules. I'm wondering if this is failing and causing the message above. Is there a 'recommended' way to create a rule for ipfw on a dhcp interface using its IP address? You don't need any of your awk/grep palaver. Your ipfw rules should probably be specifying the interface not ip addresses. Natd with -dynamic will do the right thing when dhcp picks up its actual ip address. from man natd -dynamicIf the -n or -interface option is used, natd will monitor the routing socket for alterations to the interface passed. If the interface's IP address is changed, natd will dynamically alter its concept of the alias address. I have, for example: /etc/rc.conf: ifconfig_sis0=DHCP# External network /etc/rc.firewall script ipfw add divert natd all from any to any via sis0 and it all works just fine even though natd starts off saying that it sees an IP address of 0.0.0.0 Your error message is very likely down to your ifconfig | stuff command which may well run when there is no ip address configured. It'll work fine when you run it once the ip address is configured, but probably not before when the script actually runs. Why do you think your firewall rules need to know the IP address? If you do need it then ipfw2 (5.X only?) has me. From man ipfw me matches any IP address configured on an interface in the system. The address list is evaluated at the time the packet is analyzed. If you have that after your natd rule, though, it will (I think) just match everything so the interface name is good enough. e.g. from any to any via sis0 --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Actually it is not my divert rule that I am using the ip address. In fact my rc.conf has the 'right stuff' for natd, as the same ipfw rules worked in 5.2 and 5.1. Same rc.conf stuff for natd too. The ifconfig stuff is for other rules like: ipfw add allow tcp from $EXT_IPADDR to any out xmit dc0 setup keep-state I use ifconfig stuff to get EXT_IPADDR for the above rule. I suppose I could use 'me' as I usually am referring to both interfaces. I'll probably change to use me and see how that goes. I'm not sure why I get the hostname ``or'' unknown message though. Joe --- Alex Zbyslaw [EMAIL PROTECTED] wrote: Joe wrote: Hey thanks, it seems that ipfw complains during boot with a message: hostname ``or'' unknown which I have no idea where that is coming from yet, but will look. Then natd doesn't get started. If I run /etc/rc.d/ipfw start then the router is up and natd gets started. For now, I'll probably just add it to rc at the end. I think it has something to do with the order things get run. My firewall script is for a dhcp interface. Since I don't know the IP, I use ifconfig dc0 | grep -v inet6 | grep inet | awk ... to get the IP address for some of the rules. I'm wondering if this is failing and causing the message above. Is there a 'recommended' way to create a rule for ipfw on a dhcp interface using its IP address? You don't need any of your awk/grep palaver. Your ipfw rules should probably be specifying the interface not ip addresses. Natd with -dynamic will do the right thing when dhcp picks up its actual ip address. from man natd -dynamicIf the -n or -interface option is used, natd will monitor the routing socket for alterations to the interface passed. If the interface's IP address is changed, natd will dynamically alter its concept of the alias address. I have, for example: /etc/rc.conf: ifconfig_sis0=DHCP# External network /etc/rc.firewall script ipfw add divert natd all from any to any via sis0 and it all works just fine even though natd starts off saying that it sees an IP address of 0.0.0.0 Your error message is very likely down to your ifconfig | stuff command which may well run when there is no ip address configured. It'll work fine when you run it once the ip address is configured, but probably not before when the script actually runs. Why do you think your firewall rules need to know the IP address? If you do need it then ipfw2 (5.X only?) has me. From man ipfw me matches any IP address configured on an interface in the system. The address list is evaluated at the time the packet is analyzed. If you have that after your natd rule, though, it will (I think) just match everything so the interface name is good enough. e.g. from any to any via sis0 --Alex __ Discover Yahoo! Get on-the-go sports scores, stock quotes, news and more. Check it out! http://discover.yahoo.com/mobile.html ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
On Tue, Jun 14, 2005 at 09:15:01AM -0700, Joe wrote: Hello, Not sure if this is the place to ask this. But this is a freebsd question. I've been running FreeBSD since about 4.6. I have 2 machines running FreeBSD. One is used as a router, its an SMP machine, and the other is used to build the source code. I'm having a problem with the SMP machine. When the machine boots, dmesg shows two messages, that the UP does not show. WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant WARNING: MPSAFE network stack disabled, expect reduced performance. In v52a I did not get these messages. After doing some research, I understand that this has to do with the kernel locking. It seems that now my networking is not working on the SMP machine. I know others have asked about this, and saw the release notes, about setting debug.mpsafenet=0, but my networking is still not working right. This does not indicate a bug. Rather, the situation is *exactly the same as it was in every previous version of FreeBSD* -- there was just not point in mentioning the condition specifically because it applied to every system. If you remove IPSEC from your kernel (e.g. use FAST_IPSEC instead), you will be able to benefit from improved SMP performance relative to previous versions (actually, you should upgrade to 5.4 which has much better performance than 5.3). Also /dev/kmem and /dev/mem are missing so netstat -ar does not work either. You probably omitted them from your kernel. Kris pgpa0QcRQudz8.pgp Description: PGP signature
SMP and networking under FreeBSD 5.3
Hello, Not sure if this is the place to ask this. But this is a freebsd question. I've been running FreeBSD since about 4.6. I have 2 machines running FreeBSD. One is used as a router, its an SMP machine, and the other is used to build the source code. I'm having a problem with the SMP machine. When the machine boots, dmesg shows two messages, that the UP does not show. WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant WARNING: MPSAFE network stack disabled, expect reduced performance. In v52a I did not get these messages. After doing some research, I understand that this has to do with the kernel locking. It seems that now my networking is not working on the SMP machine. I know others have asked about this, and saw the release notes, about setting debug.mpsafenet=0, but my networking is still not working right. Also /dev/kmem and /dev/mem are missing so netstat -ar does not work either. Where do I start to find a solution to this? Thanks, Joe __ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. http://promotions.yahoo.com/new_mail ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
On 6/14/05, Joe [EMAIL PROTECTED] wrote: Hello, Not sure if this is the place to ask this. But this is a freebsd question. I've been running FreeBSD since about 4.6. I have 2 machines running FreeBSD. One is used as a router, its an SMP machine, and the other is used to build the source code. I'm having a problem with the SMP machine. When the machine boots, dmesg shows two messages, that the UP does not show. WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant WARNING: MPSAFE network stack disabled, expect reduced performance. In v52a I did not get these messages. After doing some research, I understand that this has to do with the kernel locking. It seems that now my networking is not working on the SMP machine. I know others have asked about this, and saw the release notes, about setting debug.mpsafenet=0, but my networking is still not working right. Also /dev/kmem and /dev/mem are missing so netstat -ar does not work either. Where do I start to find a solution to this? Does FreeBSD 5.4 exhibit the same behavior? -- Dmitry We live less by imagination than despite it - Rockwell Kent, N by E ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
I haven't tried 5.4 yet. To build a 5.4 could take a couple of days on these old machines. Joe --- Dmitry Mityugov [EMAIL PROTECTED] wrote: On 6/14/05, Joe [EMAIL PROTECTED] wrote: Hello, Not sure if this is the place to ask this. But this is a freebsd question. I've been running FreeBSD since about 4.6. I have 2 machines running FreeBSD. One is used as a router, its an SMP machine, and the other is used to build the source code. I'm having a problem with the SMP machine. When the machine boots, dmesg shows two messages, that the UP does not show. WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant WARNING: MPSAFE network stack disabled, expect reduced performance. In v52a I did not get these messages. After doing some research, I understand that this has to do with the kernel locking. It seems that now my networking is not working on the SMP machine. I know others have asked about this, and saw the release notes, about setting debug.mpsafenet=0, but my networking is still not working right. Also /dev/kmem and /dev/mem are missing so netstat -ar does not work either. Where do I start to find a solution to this? Does FreeBSD 5.4 exhibit the same behavior? -- Dmitry We live less by imagination than despite it - Rockwell Kent, N by E __ Discover Yahoo! Get on-the-go sports scores, stock quotes, news and more. Check it out! http://discover.yahoo.com/mobile.html ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Okay, I've figure it out. natd is not starting via rc.conf, or if it is, it dies. I can start it manually, and it works okay. Also it seems that for some reason some of my ipfw rules don't get set, so I have to rerun ipfw also to make things work. I'll just hack the rc scripts to get this machine up. Joe --- Dmitry Mityugov [EMAIL PROTECTED] wrote: On 6/14/05, Joe [EMAIL PROTECTED] wrote: Hello, Not sure if this is the place to ask this. But this is a freebsd question. I've been running FreeBSD since about 4.6. I have 2 machines running FreeBSD. One is used as a router, its an SMP machine, and the other is used to build the source code. I'm having a problem with the SMP machine. When the machine boots, dmesg shows two messages, that the UP does not show. WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant WARNING: MPSAFE network stack disabled, expect reduced performance. In v52a I did not get these messages. After doing some research, I understand that this has to do with the kernel locking. It seems that now my networking is not working on the SMP machine. I know others have asked about this, and saw the release notes, about setting debug.mpsafenet=0, but my networking is still not working right. Also /dev/kmem and /dev/mem are missing so netstat -ar does not work either. Where do I start to find a solution to this? Does FreeBSD 5.4 exhibit the same behavior? -- Dmitry We live less by imagination than despite it - Rockwell Kent, N by E __ Discover Yahoo! Stay in touch with email, IM, photo sharing and more. Check it out! http://discover.yahoo.com/stayintouch.html ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Joe wrote: Okay, I've figure it out. natd is not starting via rc.conf, or if it is, it dies. I can start it manually, and it works okay. Also it seems that for some reason some of my ipfw rules don't get set, so I have to rerun ipfw also to make things work. I'll just hack the rc scripts to get this machine up. Joe --- Dmitry Mityugov [EMAIL PROTECTED] wrote: rc_debug=YES in rc.conf, then run 'dmesg -a | grep natd' and see if anything pops up. This should tell you everything that's goin on with natd at boot. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SMP and networking under FreeBSD 5.3
Hey thanks, it seems that ipfw complains during boot with a message: hostname ``or'' unknown which I have no idea where that is coming from yet, but will look. Then natd doesn't get started. If I run /etc/rc.d/ipfw start then the router is up and natd gets started. For now, I'll probably just add it to rc at the end. I think it has something to do with the order things get run. My firewall script is for a dhcp interface. Since I don't know the IP, I use ifconfig dc0 | grep -v inet6 | grep inet | awk ... to get the IP address for some of the rules. I'm wondering if this is failing and causing the message above. Is there a 'recommended' way to create a rule for ipfw on a dhcp interface using its IP address? Joe --- Jarrod Martin [EMAIL PROTECTED] wrote: Joe wrote: Okay, I've figure it out. natd is not starting via rc.conf, or if it is, it dies. I can start it manually, and it works okay. Also it seems that for some reason some of my ipfw rules don't get set, so I have to rerun ipfw also to make things work. I'll just hack the rc scripts to get this machine up. Joe --- Dmitry Mityugov [EMAIL PROTECTED] wrote: rc_debug=YES in rc.conf, then run 'dmesg -a | grep natd' and see if anything pops up. This should tell you everything that's goin on with natd at boot. __ Discover Yahoo! Use Yahoo! to plan a weekend, have fun online and more. Check it out! http://discover.yahoo.com/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Wireless Networking in FreeBSD 5.2.1
Hey all, I'm trying to get wifi working in freebsd 5.2.1. This card WAS working in 4.9 and 4.10, but I get an error similar to: Error: busy bit won't clean on wi0 Or something to that effect. If I boot the system without the card, I can see it and make lights blink, but it never associates to any networks (I have one). If I pull the card out, I get the above listed error. Is there something I'm missing in 5.x? Thanks. P.S. I have a linksys WPC11 ver 3 card. Eric. Found on Conan O'Brian: Children's books written by celebrities; By Mel Gibson: Jesus Christ and the Terrible, Horrible, No Good, Very Bad Day. - Keep your powder dry and your pecker hard and the world WILL turn. - Eric F Crist ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Newbie Issues (networking w/ FreeBSD)
On Jun 14, 2004, at 05:08, Jon Adams wrote: My network connectivity is ridiculously slow... I had OpenSSH timeout set to the default, 120 secs, and the messages file said the connections (on the same 100MBPs hub mind you) were timing out before authentication (password). I went in and doubled the timeout, and after a long wait (I didnt check the time) I could get a password prompt... at first I thought this was just a SSH problem, but it is the same if I use telnet (or any other network service). I have several devices on my Lan including 2 (eww) Windows XP laptops, and a PS2 and a XP workstation. I have 3 public IPs, (Speakeasy is the ISP) The laptops use a LinkSys 54G Wireless Hub and one public IP (its plugged into a NetGear 4 port hub), I split another IP with the Desktop and PS2, and the FreeBSD box will have its own IP, of course the final port is the uplink. There are absolutly no connectivity problems with the other machines. The FreeBSD box cannot connect to the dns servers (on three different networks) or much of anything else. Here is the really weird part, when I run an NMAP scan from inside the network and one from outside the network, the box is reachable (NMAP can see the ports and determine the OS), but nothing can connect to it (all connections time out). If you can ping devices by ip address, you have basic connectivity. Start with the local interface itself, then devices on the same physical network, then devices on other subnets of the local LAN. Any of these local devices should respond in single-digit milliseconds, with perhaps a drop of the first ping packet. If you get no route to host messages, or other total failure messages, check for correct/consistent subnet masking on all devices involved, or potential firewall blocking (if appropriate to configuration). If you get poor response (high dropped packet percentage, excessive delays), check for port speed/duplex matching problems or bad cabling. Assuming basic connectivity, many application timeout issues in Unix systems result from either forward or reverse name resolution failure. It can be frustrating to resolve, generally hard-coding the host and FQDN entries in the local hosts file and with the hostname utility is a good debugging step. KeS ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Newbie Issues (networking w/ FreeBSD).. Solved
Thanks for the response, turns out Speakeasy (ISP) had... ahem.. reprovisioned my IP Address when I made some changes to my service.. figured this out by putting rl0 on another IP with the same settings.. its all fixed now.. and the IPFW issue is resolved (thanks to the person who posted the kld) (doh)... Still havent figured out how i was able to NMAP it from outside my net... oh well.. it works now.. Thanks -- Jon Quoting Kevin Stevens [EMAIL PROTECTED]: On Jun 14, 2004, at 05:08, Jon Adams wrote: My network connectivity is ridiculously slow... I had OpenSSH timeout set to the default, 120 secs, and the messages file said the connections (on the same 100MBPs hub mind you) were timing out before authentication (password). I went in and doubled the timeout, and after a long wait (I didnt check the time) I could get a password prompt... at first I thought this was just a SSH problem, but it is the same if I use telnet (or any other network service). I have several devices on my Lan including 2 (eww) Windows XP laptops, and a PS2 and a XP workstation. I have 3 public IPs, (Speakeasy is the ISP) The laptops use a LinkSys 54G Wireless Hub and one public IP (its plugged into a NetGear 4 port hub), I split another IP with the Desktop and PS2, and the FreeBSD box will have its own IP, of course the final port is the uplink. There are absolutly no connectivity problems with the other machines. The FreeBSD box cannot connect to the dns servers (on three different networks) or much of anything else. Here is the really weird part, when I run an NMAP scan from inside the network and one from outside the network, the box is reachable (NMAP can see the ports and determine the OS), but nothing can connect to it (all connections time out). If you can ping devices by ip address, you have basic connectivity. Start with the local interface itself, then devices on the same physical network, then devices on other subnets of the local LAN. Any of these local devices should respond in single-digit milliseconds, with perhaps a drop of the first ping packet. If you get no route to host messages, or other total failure messages, check for correct/consistent subnet masking on all devices involved, or potential firewall blocking (if appropriate to configuration). If you get poor response (high dropped packet percentage, excessive delays), check for port speed/duplex matching problems or bad cabling. Assuming basic connectivity, many application timeout issues in Unix systems result from either forward or reverse name resolution failure. It can be frustrating to resolve, generally hard-coding the host and FQDN entries in the local hosts file and with the hostname utility is a good debugging step. KeS ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Newbie Issues (networking w/ FreeBSD)
Hi all, First a qualifier: I am FreeBSD noob, I have had exposure to it for about two years, but I just built my first FreeBSD box last nite... fresh install over an old (and extremely tweaked) Red Hat Linux box After much procrastination, I have finally made the change (been stuck on linux since 98). The (main) problem - My network connectivity is ridiculously slow... I had OpenSSH timeout set to the default, 120 secs, and the messages file said the connections (on the same 100MBPs hub mind you) were timing out before authentication (password). I went in and doubled the timeout, and after a long wait (I didnt check the time) I could get a password prompt... at first I thought this was just a SSH problem, but it is the same if I use telnet (or any other network service). I have several devices on my Lan including 2 (eww) Windows XP laptops, and a PS2 and a XP workstation. I have 3 public IPs, (Speakeasy is the ISP) The laptops use a LinkSys 54G Wireless Hub and one public IP (its plugged into a NetGear 4 port hub), I split another IP with the Desktop and PS2, and the FreeBSD box will have its own IP, of course the final port is the uplink. There are absolutly no connectivity problems with the other machines. The FreeBSD box cannot connect to the dns servers (on three different networks) or much of anything else. Here is the really weird part, when I run an NMAP scan from inside the network and one from outside the network, the box is reachable (NMAP can see the ports and determine the OS), but nothing can connect to it (all connections time out). Any suggestions would help: about the box FreeBSD version 5.1 Release CPU Celeron 733, 384 (3x128) MB Ram 30GB WD HD, 768 MB Swap, the rest in various partitions 12x4x40 CD Burner 48x CD Drive SiS 6326 Video RTL8139 chip network card (rl0) using static IP (I know I read about issues using this card and DHCP... but I am not using DHCP) I dont know if this is a side effect of the networking problem, but my Xwindows is incredible slow as well. This is with both KDE and Gnome. I havent seen any other weirdness whatsoever in the system logs. off the topic, if anybody could point me at how to build ipfw I would appreciate it, i have seen the basic tutorials via google, but have no idea where to get the kernel sources to do the install. -- Jonathan Keirre Adams PhD Candidate, Computer Information Systems Graduate School of Computer and Information Sciences Nova Southeastern University Web: http://www.scis.nova.edu/~jonaadam ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw (was Re: Newbie Issues (networking w/ FreeBSD))
off the topic, if anybody could point me at how to build ipfw I would appreciate it, i have seen the basic tutorials via google, but have no idea where to get the kernel sources to do the install. You don't need any additional stuff, it all comes with FreeBSD. Either you load the kernelmodule with kldload ipfw or you compile the code into your kernel by adding options IPFIREWALL to your kernel-configuration. Be warned though that IPFW defaults to deny any connection, so either begin with an open type of firewall or load a ruleset, otherwise you'll be cut off the network. It's all in de Handbook (as always), see http://www.freebsd.org/doc/en/books/handbook/firewalls.html, or /usr/share/doc/en/books/handbook/firewalls.html. GH ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Newbie Issues (networking w/ FreeBSD)
--- Jon Adams [EMAIL PROTECTED] wrote: snipped stuff The (main) problem - My network connectivity is ridiculously slow... I had OpenSSH timeout set to the default, 120 secs, and the messages file said the connections (on the same 100MBPs hub mind you) were timing out before authentication (password). I went in and doubled the timeout, and after a long wait (I didnt check the time) I could get a password prompt... at first I thought this was just a SSH problem, but it is the same if I use telnet (or any other network service). I have several devices on my Lan including 2 (eww) Windows XP laptops, and a PS2 and a XP workstation. I have 3 public IPs, (Speakeasy is the ISP) The laptops use a LinkSys 54G Wireless Hub and one public IP (its plugged into a NetGear 4 port hub), I split another IP with the Desktop and PS2, and the FreeBSD box will have its own IP, of course the final port is the uplink. There are absolutly no connectivity problems with the other machines. The FreeBSD box cannot connect to the dns servers (on three different networks) or much of anything else. Considering the only response you have received thus far has been regarding IPFW, I may as well give a ham-handed attempt. My first guess is /etc/rc.conf. Is there a defaultrouter=x.x.x.x line? If you do an ifconfig -a are you getting an IP actually assigned? Perhaps your resolv.conf is not right? Should be similar to: domain nosuchdomainhere.net nameserver 1.2.3.4 where there are two entries for nameserver that jive with the ISP assigned DNS servers. Considering that you are manually setting your rl0, (not using DHCP), perhaps these are missing? Have you tried using rl0=DHCP? Perhaps the chance of finding a problem, is less of a pain then if your ISP changes something on you. Good luck. snipped... I can think of one thing at a time __ Do you Yahoo!? Friends. Fun. Try the all-new Yahoo! Messenger. http://messenger.yahoo.com/ ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Networking w/ FreeBSD
Hi everyone.. I have two computers systems in my network. The first system is a headless FreeBSD 5.2.1 system. This system stores my mp3's, datafiles and runs mysql and apache. I recently, got rid of windows off my laptop and installed FreeBSD 5.2.1. When I had windows on the laptop, I was able to Map a Network drive to the headless system via Samba runing on the server. My question is this: How would I set something up to perform the same functionality, as when I had windows? I'm just not sure what needs to be installed on either system? Any ideas or comments would be great! Thanks, Bruce ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking w/ FreeBSD
On Jun 1, 2004, at 2:07 PM, [EMAIL PROTECTED] wrote: My question is this: How would I set something up to perform the same functionality, as when I had windows? I'm just not sure what needs to be installed on either system? Any ideas or comments would be great! FreeBSD supports mounting Samba/CIFS shares. See man mount_smbfs. -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking w/ FreeBSD
On Tue, 1 Jun 2004 [EMAIL PROTECTED] wrote: I have two computers systems in my network. The first system is a headless FreeBSD 5.2.1 system. This system stores my mp3's, datafiles and runs mysql and apache. I recently, got rid of windows off my laptop and installed FreeBSD 5.2.1. When I had windows on the laptop, I was able to Map a Network drive to the headless system via Samba runing on the server. My question is this: How would I set something up to perform the same functionality, as when I had windows? I'm just not sure what needs to be installed on either system? Any ideas or comments would be great! You can run the Samba client software on the laptop, or change the file sharing on the server to NFS. Or, of course, you could change both to some third sharing solution. Which depends on your assessment of the pros/cons of each; performance, interoperability (do you potentially have other machines that need to reach those resources?), security , etc. For the short term, running smbclient on the laptop is probably the quickest way to get your connectivity back with the fewest config changes, if that helps. KeS ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Networking w/ FreeBSD
[EMAIL PROTECTED] wrote: I have two computers systems in my network. The first system is a headless FreeBSD 5.2.1 system. This system stores my mp3's, datafiles and runs mysql and apache. I recently, got rid of windows off my laptop and installed FreeBSD 5.2.1. When I had windows on the laptop, I was able to Map a Network drive to the headless system via Samba runing on the server. My question is this: How would I set something up to perform the same functionality, as when I had windows? I'm just not sure what needs to be installed on either system? Any ideas or comments would be great! NFS (network file system). There is a chapter in the handbook with detailed setup instructions. http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html Simon signature.asc Description: Digital signature
Re: Networking w/ FreeBSD
I just add an entry in /etc/fstab like this /sbin/mount_smbfs //[EMAIL PROTECTED]/interchk/mnt/interchk I use this command to mount my sophos em library share running on XP to my BSD 5.0 machine and then symbolically link the /mnt/interchk to the root of webserver for remote update via http. - Original Message - From: Kevin Stevens [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, June 01, 2004 2:14 PM Subject: Re: Networking w/ FreeBSD On Tue, 1 Jun 2004 [EMAIL PROTECTED] wrote: I have two computers systems in my network. The first system is a headless FreeBSD 5.2.1 system. This system stores my mp3's, datafiles and runs mysql and apache. I recently, got rid of windows off my laptop and installed FreeBSD 5.2.1. When I had windows on the laptop, I was able to Map a Network drive to the headless system via Samba runing on the server. My question is this: How would I set something up to perform the same functionality, as when I had windows? I'm just not sure what needs to be installed on either system? Any ideas or comments would be great! You can run the Samba client software on the laptop, or change the file sharing on the server to NFS. Or, of course, you could change both to some third sharing solution. Which depends on your assessment of the pros/cons of each; performance, interoperability (do you potentially have other machines that need to reach those resources?), security , etc. For the short term, running smbclient on the laptop is probably the quickest way to get your connectivity back with the fewest config changes, if that helps. KeS ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Recommendations for wireless networking and FreeBSD
Hey, Ive been using a 54g card on 5.1 current for a while know quite successfully for a while know. The card I am using is a Dlink with an atheros chip, this chip is only supported in current at this stage. If you are running 5.1-Current you can # man ath and it gives a list of card that use that driver I've just moved into an apartment in which drilling and running wires is taboo. Has anyone delved successfully into the realms of wireless networking their FreeBSD groups? My main server is running 4.8-STABLE, and I have a client machine running 5.1-RELEASE (which has been suspect to a lack of driver support for its onboard NIC in FBSD anyway), but I am not married to any of these releases and would up/downgrade if a solution was available. I'd also prefer a Wireless-G access point and adapter solution if possible, as opposed to the much slower B solutions available. Thanks ~John If you wanted 802.1g you would more that likely have to upgrade to 5.1-Current - Do you Yahoo!? Exclusive Video Premiere - Britney Spears ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] Hope this helps David Lodeiro ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Recommendations for wireless networking and FreeBSD
I've just moved into an apartment in which drilling and running wires is taboo. Has anyone delved successfully into the realms of wireless networking their FreeBSD groups? My main server is running 4.8-STABLE, and I have a client machine running 5.1-RELEASE (which has been suspect to a lack of driver support for its onboard NIC in FBSD anyway), but I am not married to any of these releases and would up/downgrade if a solution was available. I'd also prefer a Wireless-G access point and adapter solution if possible, as opposed to the much slower B solutions available. Thanks ~John - Do you Yahoo!? Exclusive Video Premiere - Britney Spears ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Recommendations for wireless networking and FreeBSD
On Mon, Nov 03, 2003 at 10:14:19AM -0800, John DeStefano wrote: I've just moved into an apartment in which drilling and running wires is taboo. Has anyone delved successfully into the realms of wireless networking their FreeBSD groups? My main server is running 4.8-STABLE, and I have a client machine running 5.1-RELEASE (which has been suspect to a lack of driver support for its onboard NIC in FBSD anyway), but I am not married to any of these releases and would up/downgrade if a solution was available. I'd also prefer a Wireless-G access point and adapter solution if possible, as opposed to the much slower B solutions available. man 4 wi. there you can find a list of support cards. hth, toni -- Kann man etwas nicht verstehen, dann urteile man | toni at stderror dot at lieber gar nicht, als dass man verurteile. | Toni Schmidbauer -- Rudolf Steiner| pgp0.pgp Description: PGP signature
Re: Recommendations for wireless networking and FreeBSD
Toni Schmidbauer wrote: On Mon, Nov 03, 2003 at 10:14:19AM -0800, John DeStefano wrote: I've just moved into an apartment in which drilling and running wires is taboo. Has anyone delved successfully into the realms of wireless networking their FreeBSD groups? My main server is running 4.8-STABLE, and I have a client machine running 5.1-RELEASE (which has been suspect to a lack of driver support for its onboard NIC in FBSD anyway), but I am not married to any of these releases and would up/downgrade if a solution was available. I'd also prefer a Wireless-G access point and adapter solution if possible, as opposed to the much slower B solutions available. man 4 wi. there you can find a list of support cards. man 4 an has the straight dope on the aironet driver: I have been using it for awhile with FreeBSD 4.4 - 4.8. -- Paul Beard http://paulbeard.no-ip.org/movabletype/ whois -h whois.networksolutions.com ha=pb202 A formal parsing algorithm should not always be used. -- D. Gries ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]