Re: IP alias/routing question
David Allen wrote: On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman [EMAIL PROTECTED] wrote: Chris Pratt wrote: Carefully not answering the 'why do these packets come from the wrong address' question, Deliberately addressing the question of 'why do these packets come from the wrong address' question which Mr. Seaman avoided ...heh, heh heh. Good job with the wording guys. I smiled brightly when I went through this ;) Since I've replied but clipped out any further context, I'll add a bit... I agree with David in that this is purely a routing issue. What (IMHO) it comes down to is 'source address selection'. I've been more focused in this scope within IPv6, but it is apparently a problem as well with IPv4, in a different manner. Perhaps this will become more of an issue as more people get used to the understanding that having multiple addresses per interface is the design goal, not an alias workaround. At one point I was advised that there is the ability to use multiple route tables within -current. If the box is being designed for only one application, could you try the new implementation of routing as opposed to making the application fit? Steve ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
IP alias/routing question
This strikes me as a noob question but in 10 years of freebsd, I've never wrapped my brain around it and it seems to be causing me problems this time. I have many aliases on many servers. Some services listening on an alias address seem to return the packets out the alias address as shown in netstat -i in the Opkt column. Others seem to return packets back out the first address specified on the system. This has not bothered me before because it seems to work and I figured I was just confused on how netstat shows the In and Out packet counts. I assumed that local lan traffic would be listed on the appropriate line and anything headed out the WAN would go to default gateway thus appear on the line with the initial address. I've noticed it on ssh often, connect in on a second or third IP yet the packets show as going out through the first configured IP in netstat. I'm now setting up a bind server in which the third alias is the address for incoming DNS queries. It appears it's responding but even though the queries come in on the third alias, they go out through the primary address or more specifically, the packet count is incremented in the Opkts total for the IP address first attached to the interface via ifconfig (without an alias). My problem appears to be that the packets really are coming from the first IP as the source and are getting blocked by my firewall as they should (the first address is not supposed to be answering DNS queries). Am I conceptualizing what I'm seeing incorrectly and have a different config error, or is it true that some services respond with a different source IP other than the what they came in on if multiple aliases are specified on a single interface and wire. In other words, is the Opkt count on the IP irrelevant to the addressing of the packet? Please let me know if this should instead go to FreeBSD-Net. Supporting info: here is an example of the netstat, in this example, dns is listening on 192.168.0.18, the first interface ifconfig'd is 0.12. If I read it correctly, it goes out the default gateway which is somehow tied to the 0.12. This machine is not a gateway, has no FWDs in ipfw, and isn't running natd. $ netstat -i NameMtu Network Address Ipkts IerrsOpkts Oerrs Coll rl01500 Link#1 00:10:b5:76:ce:20 631 0 1 0 0 rl01500 192.168.252.0 192.168.252.11 0 - 0 - - rl11500 Link#2 00:14:2a:02:bd:6422628 0 7833 0 0 rl11500 192.168.0.0 192.168.0.12 11 - 7450 - - rl11500 192.168.0.11 192.168.0.11 1482 - 278 - - rl11500 192.168.0.18 192.168.0.18 1243 -0 - - ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IP alias/routing question
Chris Pratt wrote: I'm now setting up a bind server in which the third alias is the address for incoming DNS queries. It appears it's responding but even though the queries come in on the third alias, they go out through the primary address or more specifically, the packet count is incremented in the Opkts total for the IP address first attached to the interface via ifconfig (without an alias). My problem appears to be that the packets really are coming from the first IP as the source and are getting blocked by my firewall as they should (the first address is not supposed to be answering DNS queries). Carefully not answering the 'why do these packets come from the wrong address' question, but just pointing out that BIND is actually rather more configurable in this respect than most software. You can control what IPs BIND will communicate on for various purposes using the following statements in the options { } section of named.conf: listen-on { 127.0.0.1; 12.34.56.78; }; listen-on-v6 { ::1; 1234:5678:9abc:def0::1; }; query-source address 12.34.56.78 port *; query-source-v6address 1234:5678:9abc:def0::1 port *; transfer-source12.34.56.78 port *; transfer-source-v6 1234:5678:9abc:def0::1 port *; notify-source 812.34.56.78 port *; notify-source-v6 1234:5678:9abc:def0::1 port *; Note the 'port *' stuff -- due to the recent security problem with the DNS protocol publicised by Dan Kaminsky, it is imperative that the /source/ port on DNS traffic is allowed to be randomised. See http://www.kb.cert.org/vuls/id/800113 http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc and make sure you install a patched version of BIND. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: IP alias/routing question
On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote: Chris Pratt wrote: I'm now setting up a bind server in which the third alias is the address for incoming DNS queries. It appears it's responding but even though the queries come in on the third alias, they go out through the primary address or more specifically, the packet count is incremented in the Opkts total for the IP address first attached to the interface via ifconfig (without an alias). My problem appears to be that the packets really are coming from the first IP as the source and are getting blocked by my firewall as they should (the first address is not supposed to be answering DNS queries). Carefully not answering the 'why do these packets come from the wrong address' question, but just pointing out that BIND is actually rather more configurable in this respect than most software. You can control what IPs BIND will communicate on for various purposes using the following statements in the options { } section of named.conf: listen-on { 127.0.0.1; 12.34.56.78; }; listen-on-v6 { ::1; 1234:5678:9abc:def0::1; }; query-source address 12.34.56.78 port *; query-source-v6address 1234:5678:9abc:def0::1 port *; transfer-source12.34.56.78 port *; transfer-source-v6 1234:5678:9abc:def0::1 port *; notify-source 812.34.56.78 port *; notify-source-v6 1234:5678:9abc:def0::1 port *; I am not using those latter three but only the listen-on. I will experiment. I am still curious if what I see with bind, ssh and some others is actually returning on the first address or if netstat just makes it look that way because of the default gateway. Note the 'port *' stuff -- due to the recent security problem with the DNS protocol publicised by Dan Kaminsky, it is imperative that the /source/ port on DNS traffic is allowed to be randomised. See This is good to know. I assumed going to the current patched cvs was enough. Thank you very much. http://www.kb.cert.org/vuls/id/800113 http://security.freebsd.org/ advisories/FreeBSD-SA-08:06.bind.asc and make sure you install a patched version of BIND. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IP alias/routing question
On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman [EMAIL PROTECTED] wrote: Chris Pratt wrote: I'm now setting up a bind server in which the third alias is the address for incoming DNS queries. It appears it's responding but even though the queries come in on the third alias, they go out through the primary address or more specifically, the packet count is incremented in the Opkts total for the IP address first attached to the interface via ifconfig (without an alias). My problem appears to be that the packets really are coming from the first IP as the source and are getting blocked by my firewall as they should (the first address is not supposed to be answering DNS queries). Carefully not answering the 'why do these packets come from the wrong address' question, but just pointing out that BIND is actually rather more configurable in this respect than most software. Deliberately addressing the question of 'why do these packets come from the wrong address' question which Mr. Seaman avoided (hello again, Mathew!), I'll add my two cents. Run netstat -rnfinet and examine what's in the 'Netif' column. If there was some inter-host traffic, you'll see a host entry for each of your aliases with a value of 'lo0'. Correlate all the entries in the routing table and you'll be able to determine what exits where. I'm not sure why this question doesn't come up more frequently as it can be problematic, especially in regards to jails (which are implemented using IP aliasing). I started a discussion some weeks ago on the subject that you may find interesting. To recap briefly, if a jail host sends traffic to a jail, the traffic will transit the lo0 interface, exit the jail's interface using the jail's IP address, and connect to the jail on its IP address. The end result? Traffic with identical source and destination IP addresses! Using your numbers, if named was running in a jail (192.168.0.18) and a query was made on the host (192.168.0.12), instead of seeing 192.168.0.12.3450 - 192.168.0.18.53 192.168.0.18.53 - 192.168.0.12.3450 you'd see the following on lo0: 192.168.0.18.3450 - 192.168.0.18.53 192.168.0.18.53 - 192.168.0.18.3450 You're not using jails, but what I'm describing isn't a jail issue, or a general IP aliasing issue, but a routing issue. Modifying the routing table is, of course, possible. But the results, I've found, are less than satisfactory. If you force traffic out an actual interface, the return traffic will probably still have to occur over loopback and you're back to where you started, but with some new problems. Note also that the above seems to apply irrespective of the number of network cards or networks. Tthe moral of the story? Configure named appropriately, and don't ask any more questions. ;-) On the other hand, if you insist on thinking immoral thoughts as I do, and find a more thorough explanation of any of the above, please do let me know. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IP alias/routing question
On Jul 25, 2008, at 4:05 PM, David Allen wrote: On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman [EMAIL PROTECTED] wrote: Chris Pratt wrote: I'm now setting up a bind server in which the third alias is the address for incoming DNS queries. It appears it's responding but even though the queries come in on the third alias, they go out through the primary address or more specifically, the packet count is incremented in the Opkts total for the IP address first attached to the interface via ifconfig (without an alias). My problem appears to be that the packets really are coming from the first IP as the source and are getting blocked by my firewall as they should (the first address is not supposed to be answering DNS queries). Carefully not answering the 'why do these packets come from the wrong address' question, but just pointing out that BIND is actually rather more configurable in this respect than most software. Deliberately addressing the question of 'why do these packets come from the wrong address' question which Mr. Seaman avoided (hello again, Mathew!), I'll add my two cents. Run netstat -rnfinet and examine what's in the 'Netif' column. If there was some inter-host traffic, you'll see a host entry for each of your aliases with a value of 'lo0'. Correlate all the entries in the routing table and you'll be able to determine what exits where. I'm not sure why this question doesn't come up more frequently as it can be problematic, especially in regards to jails (which are implemented using IP aliasing). I started a discussion some weeks ago on the subject that you may find interesting. To recap briefly, if a jail host sends traffic to a jail, the traffic will transit the lo0 interface, exit the jail's interface using the jail's IP address, and connect to the jail on its IP address. The end result? Traffic with identical source and destination IP addresses! Using your numbers, if named was running in a jail (192.168.0.18) and a query was made on the host (192.168.0.12), instead of seeing 192.168.0.12.3450 - 192.168.0.18.53 192.168.0.18.53 - 192.168.0.12.3450 you'd see the following on lo0: 192.168.0.18.3450 - 192.168.0.18.53 192.168.0.18.53 - 192.168.0.18.3450 You're not using jails, but what I'm describing isn't a jail issue, or a general IP aliasing issue, but a routing issue. Modifying the routing table is, of course, possible. But the results, I've found, are less than satisfactory. If you force traffic out an actual interface, the return traffic will probably still have to occur over loopback and you're back to where you started, but with some new problems. Note also that the above seems to apply irrespective of the number of network cards or networks. Tthe moral of the story? Configure named appropriately, and don't ask any more questions. ;-) On the other hand, if you insist on thinking immoral thoughts as I do, and find a more thorough explanation of any of the above, please do let me know. Thanks for the very detailed explanation. I'm hot on the named configuration so that should quiet the questions. But ;-), how about the multiple route table implementation recently introduced in HEAD. Perhaps there is a solution there in the future! I stay with the current RELEASE so I haven't even researched, just watched the talk. Thanks again to both you and Matthew, Chris ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]