Re: Correct way to configure an IP range for firewall
On Wed, Sep 9, 2009 at 3:03 PM, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
> Maxim Khitrov wrote:
>> Am I correct in assuming that I just need to add four ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the future we get a much bigger IP block, is there a more efficient way of accomplishing the same thing? I don't actually want the firewall to consider itself the final destination for any of the additional IPs, it just needs to pass them to pf for nat and filtering.
>
> Assuming your assigned network is 192.0.2.24/29:
>
>     ipv4_addrs_vr0=192.0.2.25-30
>
> See rc.conf(5) for details.
>
> Cheers,
> Matthew

Thanks! I looked through /etc/defaults/rc.conf and somehow missed ipv4_addrs. So if I understand the man page correctly, a single ipv4_addrs_vr0=x.x.x.9-13/29 line can replace both the aliases and the one ifconfig_vr0 line. Is that correct? I'm not certain because the man page states that an ifconfig_<interface> variable is also assumed to exist for each value of <interface>, but everything seems to be working fine without it.

- Max
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Correct way to configure an IP range for firewall
Maxim Khitrov wrote:
> On Wed, Sep 9, 2009 at 3:03 PM, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
>> Maxim Khitrov wrote:
>>> Am I correct in assuming that I just need to add four ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the future we get a much bigger IP block, is there a more efficient way of accomplishing the same thing? I don't actually want the firewall to consider itself the final destination for any of the additional IPs, it just needs to pass them to pf for nat and filtering.
>>
>> Assuming your assigned network is 192.0.2.24/29:
>>
>>     ipv4_addrs_vr0=192.0.2.25-30
>>
>> See rc.conf(5) for details.
>>
>> Cheers,
>> Matthew
>
> Thanks! I looked through /etc/defaults/rc.conf and somehow missed ipv4_addrs. So if I understand the man page correctly, a single ipv4_addrs_vr0=x.x.x.9-13/29 line can replace both the aliases and the one ifconfig_vr0 line. Is that correct? I'm not certain because the man page states that an ifconfig_<interface> variable is also assumed to exist for each value of <interface>, but everything seems to be working fine without it.

Correct. However, the only things you can set with ipv4_addrs_ifX are IP numbers and netmasks. If you want to use DHCP or WPA, or to fix the port to a particular duplex setting, or to toggle various other controller-specific settings, then the ifconfig_ifX{,_aliasY} variables are your friends. You can combine both variable forms for configuring the same interface, although this works best if you do all alias IP setup using ipv4_addrs_ifX and just use ifconfig_ifX to set general properties on the interface.

Cheers,
Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
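As an added illustration (not code from this thread or from FreeBSD's own rc scripts): a POSIX shell function that expands the ipv4_addrs_<if> range notation discussed above into the per-address ifconfig alias commands it stands for. It assumes that the first address of a range carries the stated netmask and that every further alias in the same subnet gets /32 (FreeBSD's convention for same-subnet aliases), and it treats a range written without a /prefix as /32; both are assumptions of this example, and nothing here actually runs ifconfig.

```shell
#!/bin/sh
# Added example: expand rc.conf(5) ipv4_addrs_<if> range notation such as
# "192.0.2.25-30/29" into the ifconfig alias commands it represents.
# Assumptions (this example's, not a claim about /etc/network.subr):
#   - the first address in a range gets the real netmask,
#   - later aliases in the same subnet get /32,
#   - a range with no "/prefix" is treated as /32.
# Commands are printed, never executed.

expand_ipv4_addrs() {
    _if=$1
    shift
    for _cidr in "$@"; do
        case $_cidr in
            */*) _prefix=${_cidr##*/} ;;   # explicit prefix length
            *)   _prefix=32 ;;             # assumed default
        esac
        _ipaddr=${_cidr%%/*}               # strip "/prefix"
        _ipnet=${_ipaddr%.*}               # first three octets, e.g. 192.0.2
        _range=${_ipaddr##*.}              # last octet or "low-high", e.g. 25-30
        _low=${_range%-*}
        _high=${_range#*-}                 # equals _low when no "-" is present
        _mask=/$_prefix
        _n=$_low
        while [ "$_n" -le "$_high" ]; do
            printf 'ifconfig %s inet %s.%s%s alias\n' "$_if" "$_ipnet" "$_n" "$_mask"
            _n=$((_n + 1))
            _mask=/32                      # only the first address keeps the real mask
        done
    done
}

# Constructed sample: the /29 from the thread (192.0.2.24/29, usable .25-.30)
expand_ipv4_addrs vr0 192.0.2.25-30/29
```

Comparing this output with `ifconfig vr0` after boot is a quick way to confirm that every address pf is expected to NAT to or filter on is actually bound to the interface.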
Re: Correct way to configure an IP range for firewall
Maxim Khitrov wrote:
> Am I correct in assuming that I just need to add four ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the future we get a much bigger IP block, is there a more efficient way of accomplishing the same thing? I don't actually want the firewall to consider itself the final destination for any of the additional IPs, it just needs to pass them to pf for nat and filtering.

Assuming your assigned network is 192.0.2.24/29:

    ipv4_addrs_vr0=192.0.2.25-30

See rc.conf(5) for details.

Cheers,
Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
Re: Correct way to configure an IP range for firewall
Maxim Khitrov wrote:
> Hello all,
>
> A quick question - I have a /29 block of IPs that needs to be handled by a firewall I'm setting up. Two addresses are lost to broadcast and network, one is the ISP gateway, so we end up with 5 usable IPs that can be assigned to the external interface. The question is how to do this correctly? I want only one of the addresses assigned to the firewall itself, another will be used as the public nat address for all hosts on the lan. Remaining three addresses will be used as bidirectional nat for servers.
>
> Am I correct in assuming that I just need to add four ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the future we get a much bigger IP block, is there a more efficient way of accomplishing the same thing? I don't actually want the firewall to consider itself the final destination for any of the additional IPs, it just needs to pass them to pf for nat and filtering.
>
> - Max

Aloha Max,

What you have sounds like an ATM (Asynchronous Transfer Mode) circuit. I have one here that is for three servers, a desktop and one spare IP. I got the setup from Michael Paoli at cal.berkeley.edu in California. With this setup I had to put firewalls (PF) on the three servers facing the internet and on the desktop as well.

There are 2 references I used for this firewall setup: Absolute FreeBSD - M. Lucas, pg. 273, and bsdly.net - Peter Hansteen. Both are on this list. If you would like to see the three sheets on how I set this up I can fax them to you or email.

The setup for more IPs should be scalable, but the IPs and default route would change, I would think. You could keep using /29 ATM blocks and increase in increments with different IPs, most likely without changing the first ones.

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
http://hawaiidakine.com - http://freebsdinfo.org - http://aloha50.net
Supporting FreeBSD 6.* - 7.* - 8.*
email: n...@hdk5.net
"All that's really worth doing is what we do for others." - Lewis Carroll