Re: IP alias/routing question

2008-07-26 Thread Steve Bertrand

David Allen wrote:

On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman
[EMAIL PROTECTED] wrote:

Chris Pratt wrote:



Carefully not answering the 'why do these packets come from the
wrong address' question,



Deliberately addressing the 'why do these packets come from the wrong
address' question which Mr. Seaman avoided 


...heh, heh heh. Good job with the wording guys. I smiled brightly when 
I went through this ;)


Since I've replied but clipped out any further context, I'll add a 
bit... I agree with David in that this is purely a routing issue.


What (IMHO) it comes down to is 'source address selection'.

I've been more focused in this scope within IPv6, but it is apparently a 
problem as well with IPv4, in a different manner.


Perhaps this will become more of an issue as more people get used to the 
understanding that having multiple addresses per interface is the design 
goal, not an alias workaround.


At one point I was advised that there is the ability to use multiple 
route tables within -current. If the box is being designed for only one 
application, could you try the new implementation of routing as opposed 
to making the application fit?


Steve
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
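Steve's point about source address selection, and the symptom Chris describes (queries arrive on an alias, the replies leave from the first address and are blocked), can be reproduced on loopback. The following is an added example, not code from anyone in the thread: two tiny UDP servers stand in for named, one bound to the wildcard address and one bound to the alias the queries are sent to, and a client reports which address the reply came from. 127.0.0.2 plays the alias and the script assumes Linux, where every address in 127.0.0.0/8 is local without configuration (on FreeBSD an `ifconfig lo0 alias 127.0.0.2/32` is needed first).

```python
"""Why a UDP reply can leave from the "wrong" address on a multi-address host.

Added example for this thread, not code from any of the posters. A server
bound to the wildcard address lets the kernel choose the source address of
its reply (the route's preferred address, here 127.0.0.1), while a server
bound to the alias always answers from the alias. A connected client, like a
stub resolver or a stateful firewall keyed on the original destination, only
accepts replies from the address it sent to, so the wildcard server's reply
is silently dropped.
"""
import socket
import threading
from typing import Optional

ALIAS = "127.0.0.2"    # the "third alias" the queries are addressed to (assumed local)
WILDCARD = "0.0.0.0"
TIMEOUT = 1.0


def _answer_one(srv: socket.socket) -> None:
    """Reply to one datagram the way a naive daemon does: sendto() on the
    receiving socket, leaving source address selection to the kernel."""
    try:
        data, peer = srv.recvfrom(512)
        srv.sendto(b"reply:" + data, peer)
    except OSError:
        pass


def probe(bind_addr: str, connected: bool) -> Optional[str]:
    """Start a server bound to bind_addr, send it one datagram addressed to
    ALIAS and return the source address of the reply, or None if none arrived.
    With connected=True the client connect()s first, so the kernel discards
    replies that do not come from ALIAS and the matching port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(TIMEOUT)
    srv.bind((bind_addr, 0))            # ephemeral port, address under test
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_answer_one, args=(srv,), daemon=True)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(TIMEOUT)
    try:
        if connected:
            cli.connect((ALIAS, port))
            cli.send(b"q")
        else:
            cli.sendto(b"q", (ALIAS, port))
        _, (src, _) = cli.recvfrom(512)
        return src
    except socket.timeout:
        return None
    finally:
        cli.close()
        worker.join(TIMEOUT)
        srv.close()


def main() -> None:
    print(f"{'server bound to':<16}{'client':<12}reply source")
    for bind_addr in (WILDCARD, ALIAS):
        for connected in (False, True):
            src = probe(bind_addr, connected)
            kind = "connected" if connected else "plain"
            print(f"{bind_addr:<16}{kind:<12}{src or 'no reply (dropped)'}")


if __name__ == "__main__":
    main()
```

The wildcard-bound server answers from 127.0.0.1 even though the query was sent to 127.0.0.2, and the connected client never sees that reply; the alias-bound server answers from the alias in both cases. Binding the daemon to the specific address, which is what a restricted `listen-on` does for named, is the simplest way to make the reply source predictable.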


IP alias/routing question

2008-07-25 Thread Chris Pratt

This strikes me as a noob question but in 10 years of
FreeBSD, I've never wrapped my brain around it and
it seems to be causing me problems this time.

I have many aliases on many servers. Some services
listening on an alias address seem to return the packets
out the alias address as shown in netstat -i in the Opkt
column. Others seem to return packets back out the first
address specified on the system. This has not bothered
me before because it seems to work and I figured I was
just confused on how netstat shows the In and Out
packet counts. I assumed that local lan traffic would be
listed on the appropriate line and anything headed
out the WAN would go to default gateway thus appear
on the line with the initial address. I've noticed it on ssh
often, connect in on a second or third IP yet the
packets show as going out through the first configured
IP in netstat.

I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they go out through the primary
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).

Am I conceptualizing what I'm seeing incorrectly and
have a different config error, or is it true that some
services respond with a different source IP other than
what they came in on if multiple aliases are
specified on a single interface and wire? In other
words, is the Opkt count on the IP irrelevant to the
addressing of the packet?

Please let me know if this should instead go to
FreeBSD-Net.

Supporting info: here is an example of the netstat,
in this example, dns is listening on 192.168.0.18, the
first interface ifconfig'd is 0.12. If I read it correctly,
it goes out the default gateway which is somehow
tied to the 0.12.

This machine is not a gateway, has no FWDs in
ipfw, and isn't running natd.

$ netstat -i
Name  Mtu   Network        Address            Ipkts Ierrs    Opkts Oerrs  Coll
rl0   1500  <Link#1>       00:10:b5:76:ce:20    631     0        1     0     0
rl0   1500  192.168.252.0  192.168.252.11         0     -        0     -     -
rl1   1500  <Link#2>       00:14:2a:02:bd:64  22628     0     7833     0     0
rl1   1500  192.168.0.0    192.168.0.12          11     -     7450     -     -
rl1   1500  192.168.0.11   192.168.0.11        1482     -      278     -     -
rl1   1500  192.168.0.18   192.168.0.18        1243     -        0     -     -




Re: IP alias/routing question

2008-07-25 Thread Matthew Seaman

Chris Pratt wrote:


I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they go out through the primary
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).


Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.

You can control what IPs BIND will communicate on for various
purposes using the following statements in the options { } section
of named.conf:

    listen-on {
        127.0.0.1;
        12.34.56.78;
    };
    listen-on-v6 {
        ::1;
        1234:5678:9abc:def0::1;
    };
    query-source       address 12.34.56.78 port *;
    query-source-v6    address 1234:5678:9abc:def0::1 port *;
    transfer-source    12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source      12.34.56.78 port *;
    notify-source-v6   1234:5678:9abc:def0::1 port *;

Note the 'port *' stuff -- due to the recent security problem with
the DNS protocol publicised by Dan Kaminsky, it is imperative that
the /source/ port on DNS traffic is allowed to be randomised.  See

http://www.kb.cert.org/vuls/id/800113 
http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc


and  make sure you install a patched version of BIND.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW



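A check for the statements Matthew lists, as an added example that is not part of the thread and not BIND's own tooling: it scans an `options { }` block for source statements that point at an address other than the intended service addresses, for a fixed source port (which in BIND 9 disables the source-port randomization the advisory requires), and for `listen-on` entries outside the intended set. The two config fragments and the address set are constructed for the demonstration, reusing the addresses from Chris's netstat output.

```python
"""Audit the address and port statements of a named.conf options block.

Added example, not from the original thread and not part of BIND. The
regexes cover the statement forms shown in the thread:
    query-source [address] ADDR [port PORT];
    transfer-source ADDR [port PORT];   notify-source ADDR [port PORT];
    listen-on [port N] { ADDR; ... };
A fixed PORT disables BIND 9's source-port randomization; an ADDR outside
the intended set is the "replies leave from the wrong address" problem.
"""
import re
from typing import List, Set

SOURCE_STMT = re.compile(
    r"^\s*((?:query|transfer|notify)-source(?:-v6)?)\s+"
    r"(?:address\s+)?([^\s;]+)"          # the source address, or *
    r"(?:\s+port\s+([^\s;]+))?\s*;",     # optional port clause
    re.MULTILINE,
)
LISTEN_STMT = re.compile(
    r"^\s*(listen-on(?:-v6)?)\s*(?:port\s+\d+\s*)?\{([^}]*)\}",
    re.MULTILINE | re.DOTALL,
)

# Constructed: the addresses this server is meant to serve DNS from.
INTENDED: Set[str] = {"127.0.0.1", "::1", "192.168.0.18"}

# Constructed "before" fragment: listens everywhere, sources from the
# primary address, and pins the query source port.
WEAK_CONF = """
options {
    listen-on { any; };
    query-source address 192.168.0.12 port 53;   // fixed port, wrong address
    transfer-source 192.168.0.12;
};
"""

# Constructed "after" fragment, following the statements quoted above.
GOOD_CONF = """
options {
    listen-on { 127.0.0.1; 192.168.0.18; };
    listen-on-v6 { ::1; };
    query-source    address 192.168.0.18 port *;
    transfer-source 192.168.0.18 port *;
    notify-source   192.168.0.18 port *;
};
"""


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)


def audit(conf: str, intended: Set[str]) -> List[str]:
    """Return one finding per problem; an empty list means the block is clean."""
    conf = strip_comments(conf)
    findings: List[str] = []
    for stmt, addr, port in SOURCE_STMT.findall(conf):
        if addr != "*" and addr not in intended:
            findings.append(f"{stmt}: source address {addr} is not an intended service address")
        if port and port != "*":
            findings.append(f"{stmt}: fixed source port {port} disables source-port randomization")
    for stmt, body in LISTEN_STMT.findall(conf):
        for entry in (e.strip() for e in body.split(";") if e.strip()):
            if entry == "any":
                findings.append(f"{stmt}: listens on all addresses, including ones not meant to serve DNS")
            elif entry not in intended:
                findings.append(f"{stmt}: {entry} is not an intended service address")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(f"{name}: {audit(conf, INTENDED) or ['no findings']}")
```

Run against a real file with `audit(open("/etc/namedb/named.conf").read(), {...})`; the check is deliberately limited to the options block statements discussed here and does not parse views or zone-level overrides.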


Re: IP alias/routing question

2008-07-25 Thread Chris Pratt


On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:


Chris Pratt wrote:


I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they go out through the primary
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).


Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.

You can control what IPs BIND will communicate on for various
purposes using the following statements in the options { } section
of named.conf:

    listen-on {
        127.0.0.1;
        12.34.56.78;
    };
    listen-on-v6 {
        ::1;
        1234:5678:9abc:def0::1;
    };
    query-source       address 12.34.56.78 port *;
    query-source-v6    address 1234:5678:9abc:def0::1 port *;
    transfer-source    12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source      12.34.56.78 port *;
    notify-source-v6   1234:5678:9abc:def0::1 port *;


I am not using those latter three but only the listen-on.
I will experiment. I am still curious if what I see with
bind, ssh and some others is actually returning on the
first address or if netstat just makes it look that way
because of the default gateway.


Note the 'port *' stuff -- due to the recent security problem with
the DNS protocol publicised by Dan Kaminsky, it is imperative that
the /source/ port on DNS traffic is allowed to be randomised.  See



This is good to know. I assumed going to the current
patched cvs was enough.

Thank you very much.

http://www.kb.cert.org/vuls/id/800113
http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc


and  make sure you install a patched version of BIND.

Cheers,

Matthew






Re: IP alias/routing question

2008-07-25 Thread David Allen
On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman
[EMAIL PROTECTED] wrote:
 Chris Pratt wrote:

 I'm now setting up a bind server in which the third alias
 is the address for incoming DNS queries. It appears
 it's responding but even though the queries come in
 on the third alias, they go out through the primary
 address or more specifically, the packet count is
 incremented in the Opkts total for the IP address first
 attached to the interface via ifconfig (without an alias).
 My problem appears to be that the packets really are
 coming from the first IP as the source and are getting
 blocked by my firewall as they should (the first address
 is not supposed to be answering DNS queries).

 Carefully not answering the 'why do these packets come from the
 wrong address' question, but just pointing out that BIND is
 actually rather more configurable in this respect than most
 software.

Deliberately addressing the 'why do these packets come from the wrong
address' question which Mr. Seaman avoided (hello again, Matthew!),
I'll add my two cents.

Run netstat -rnfinet and examine what's in the 'Netif' column.  If
there was some inter-host traffic, you'll see a host entry for each of
your aliases with a value of 'lo0'.  Correlate all the entries in the
routing table and you'll be able to determine what exits where.

I'm not sure why this question doesn't come up more frequently as it
can be problematic, especially in regards to jails (which are
implemented using IP aliasing).  I started a discussion some weeks ago
on the subject that you may find interesting.  To recap briefly, if a
jail host sends traffic to a jail, the traffic will transit the lo0
interface, exit the jail's interface using the jail's IP address, and
connect to the jail on its IP address.  The end result?  Traffic with
identical source and destination IP addresses!

Using your numbers, if named was running in a jail (192.168.0.18) and
a query was made on the host (192.168.0.12), instead of seeing

192.168.0.12.3450 -> 192.168.0.18.53
192.168.0.18.53 -> 192.168.0.12.3450

you'd see the following on lo0:

192.168.0.18.3450 -> 192.168.0.18.53
192.168.0.18.53 -> 192.168.0.18.3450

You're not using jails, but what I'm describing isn't a jail issue, or
a general IP aliasing issue, but a routing issue.  Modifying the
routing table is, of course, possible.  But the results, I've found,
are less than satisfactory.  If you force traffic out an actual
interface, the return traffic will probably still have to occur over
loopback and you're back to where you started, but with some new
problems.   Note also that the above seems to apply irrespective of
the number of network cards or networks.

The moral of the story?  Configure named appropriately, and don't ask
any more questions. ;-)  On the other hand, if you insist on thinking
immoral thoughts as I do, and find a more thorough explanation of any
of the above, please do let me know.


Re: IP alias/routing question

2008-07-25 Thread Chris Pratt


On Jul 25, 2008, at 4:05 PM, David Allen wrote:


On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman
[EMAIL PROTECTED] wrote:

Chris Pratt wrote:


I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they go out through the primary
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).


Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.


Deliberately addressing the 'why do these packets come from the wrong
address' question which Mr. Seaman avoided (hello again, Matthew!),
I'll add my two cents.

Run netstat -rnfinet and examine what's in the 'Netif' column.  If
there was some inter-host traffic, you'll see a host entry for each of
your aliases with a value of 'lo0'.  Correlate all the entries in the
routing table and you'll be able to determine what exits where.

I'm not sure why this question doesn't come up more frequently as it
can be problematic, especially in regards to jails (which are
implemented using IP aliasing).  I started a discussion some weeks ago
on the subject that you may find interesting.  To recap briefly, if a
jail host sends traffic to a jail, the traffic will transit the lo0
interface, exit the jail's interface using the jail's IP address, and
connect to the jail on its IP address.  The end result?  Traffic with
identical source and destination IP addresses!

Using your numbers, if named was running in a jail (192.168.0.18) and
a query was made on the host (192.168.0.12), instead of seeing

192.168.0.12.3450 -> 192.168.0.18.53
192.168.0.18.53 -> 192.168.0.12.3450

you'd see the following on lo0:

192.168.0.18.3450 -> 192.168.0.18.53
192.168.0.18.53 -> 192.168.0.18.3450

You're not using jails, but what I'm describing isn't a jail issue, or
a general IP aliasing issue, but a routing issue.  Modifying the
routing table is, of course, possible.  But the results, I've found,
are less than satisfactory.  If you force traffic out an actual
interface, the return traffic will probably still have to occur over
loopback and you're back to where you started, but with some new
problems.   Note also that the above seems to apply irrespective of
the number of network cards or networks.

The moral of the story?  Configure named appropriately, and don't ask
any more questions. ;-)  On the other hand, if you insist on thinking
immoral thoughts as I do, and find a more thorough explanation of any
of the above, please do let me know.


Thanks for the very detailed explanation. I'm hot on the named
configuration so that should quiet the questions. But ;-), how about the
multiple route table implementation recently introduced in HEAD?
Perhaps there is a solution there in the future! I stay with the current
RELEASE so I haven't even researched, just watched the talk.

Thanks again to both you and Matthew,
Chris