From: Bob Fayne
To: freebsd-net@FreeBSD.ORG
Subject: PPP/PPPOE and NAT
Date: Sun, 26 Mar 2000 11:47:57 -0500
Message-Id: <4.3.2.20000326112757.00b3ae00@dnsdata.com>

I've also been having a lot of trouble using NAT over a PPPoE connection.

I'm using 3.4-RELEASE and noticed the problems right away. They still show
up with the 0326-ppp. It seems like it's some sort of fragmentation issue.
Most of my experience is with straight ethernet and not ppp. Anyway, here's
my ppp.conf...

default:
 set device PPPoE:de0
 set log Error Alert Warning Phase Chat IPCP CCP tun command
 set dial
 set timeout 60
 set ifaddr 0.0.0.0
 set cd 5
 enable dns
 accept PAP
 set speed sync
 add 0 0 HISADDR
 enable lqr
 set redial 0 0
 nat enable yes
 nat log yes
 set mru 1492
 set mtu 1492

Bell:
 set authname xxxxxx
 set authkey yyyyyy

I issue the command "ppp -ddial -nat Bell" as root and it connects just fine.
Speed looks fine, pages load quickly, etc. But when I use Windows98 clients
with the NAT, it doesn't go so well.

The symptoms range from pretty much none with some pages (www.ibm.com), to
missing banners (www.intellicast.com) to nothing at all with most pages.
I used www.hp.com as a test.

I did some tcpdumps to try and see where the break is. This is what I get
when I try to load a page using the dsl connection:

08:19:00.716742 111.111.1.1.1105 > 192.151.11.32.80: S 1471379:1471379(0) win 8192 (DF)
08:19:00.813355 192.151.11.32.80 > 111.111.1.1.1105: S 31360000:31360000(0) ack 1471380 win 32768 (DF)
08:19:00.813802 111.111.1.1.1105 > 192.151.11.32.80: . ack 1 win 8760 (DF)
08:19:00.817677 111.111.1.1.1105 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
08:19:03.723892 111.111.1.1.1105 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
08:19:03.870080 192.151.11.32.80 > 111.111.1.1.1105: . ack 354 win 32768 (DF)

When I change the default route on this box to be the cable interface, this
is what I get:

07:43:47.122168 111.111.1.1.1037 > 192.151.11.32.80: S 629054:629054(0) win 8192 (DF)
07:43:50.027428 111.111.1.1.1037 > 192.151.11.32.80: S 629054:629054(0) win 8192 (DF)
07:43:50.107253 192.151.11.32.80 > 111.111.1.1.1037: S 88448000:88448000(0) ack 629055 win 32768 (DF)
07:43:50.107411 111.111.1.1.1037 > 192.151.11.32.80: . ack 1 win 8760 (DF)
07:43:50.110678 111.111.1.1.1037 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
07:43:50.193727 192.151.11.32.80 > 111.111.1.1.1037: . ack 354 win 32768 (DF)
07:43:50.201616 192.151.11.32.80 > 111.111.1.1.1037: . 1:1461(1460) ack 354 win 32768 (DF)
07:43:50.202799 192.151.11.32.80 > 111.111.1.1.1037: . 1461:2921(1460) ack 354 win 32768 (DF)
07:43:50.203198 111.111.1.1.1037 > 192.151.11.32.80: . ack 2921 win 8760 (DF)
07:43:50.284190 192.151.11.32.80 > 111.111.1.1.1037: . 2921:4381(1460) ack 354 win 32768 (DF)
07:43:50.285364 192.151.11.32.80 > 111.111.1.1.1037: . 4381:5841(1460) ack 354 win 32768 (DF)
07:43:50.285781 111.111.1.1.1037 > 192.151.11.32.80: . ack 5841 win 8760 (DF)
07:43:50.286605 192.151.11.32.80 > 111.111.1.1.1037: . 5841:7301(1460) ack 354 win 32768 (DF)
07:43:50.364794 192.151.11.32.80 > 111.111.1.1.1037: . 7301:8761(1460) ack 354 win 32768 (DF)
07:43:50.365226 111.111.1.1.1037 > 192.151.11.32.80: . ack 8761 win 8760 (DF)
07:43:50.365996 192.151.11.32.80 > 111.111.1.1.1037: . 8761:10221(1460) ack 354 win 32768 (DF)
07:43:50.367277 192.151.11.32.80 > 111.111.1.1.1037: . 10221:11681(1460) ack 354 win 32768 (DF)
07:43:50.367667 111.111.1.1.1037 > 192.151.11.32.80: . ack 11681 win 8760 (DF)
07:43:50.399393 111.111.1.1.1038 > 192.151.11.32.80: S 632332:632332(0) win 8192 (DF)
07:43:50.400059 111.111.1.1.1039 > 192.151.11.32.80: S 632332:632332(0) win 8192 (DF)
07:43:50.400670 111.111.1.1.1040 > 192.151.11.32.80: S 632333:632333(0) win 8192 (DF)
07:43:50.444329 192.151.11.32.80 > 111.111.1.1.1037: . 11681:13141(1460) ack 354 win 32768 (DF)
07:43:50.445530 192.151.11.32.80 > 111.111.1.1.1037: . 13141:14601(1460) ack 354 win 32768 (DF)
07:43:50.445944 111.111.1.1.1037 > 192.151.11.32.80: . ack 14601 win 8760 (DF)
07:43:50.446788 192.151.11.32.80 > 111.111.1.1.1037: . 14601:16061(1460) ack 354 win 32768 (DF)

Any help in getting this working will be appreciated. :)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

To: freebsd-net@FreeBSD.ORG
Date: Sun, 26 Mar 2000 12:02:27 -0500
Message-Id: <4.3.2.20000326115650.00b3b370@dnsdata.com>
From: Bob Fayne
Subject: Re: kernel message and default gateway
In-Reply-To: <20000324013835.24625.qmail@hotmail.com>

This means that the MAC address changed. It could be a couple of things:
Most likely someone just swapped out the router or a network card. Or there
was a misconfiguration of an IP address. In that case you should have seen
it switch back when the offending system was removed. It is possible that
someone was/is doing something bad, but you would need more information than
that to go on. :)

At 01:38 AM 3/24/2000, hotkaveh@hotmail.com wrote:
>/kernel
>arp: 10.252.35.254 moved from 00:20:18:8e:20:4b to 00:90:92:7f:dc:00 on vr0
>
>what does this exactly mean ?
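An added example for triaging the kernel message discussed in this exchange (not code from the thread): it pulls "arp: ... moved from ... to ..." lines out of a syslog extract and, per address, separates a one-time change (the hardware-swap case) from a MAC that keeps switching back (two hosts answering for the same address), flagging the default gateway. The log lines are constructed; only the first one is the message from the question, and the MACs and second address are made up.

```python
import re
from collections import defaultdict

# Added example, not from the thread.  Matches the FreeBSD kernel message
# quoted in the question, as it appears inside a syslog line.
ARP_MOVED_RE = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\w+)"
)

# Constructed sample log.  The first line is the one from the question; the
# 10.252.35.7 lines and all other MACs are made up to show a flapping address.
SAMPLE_LOG = """\
Mar 24 01:38:35 host /kernel: arp: 10.252.35.254 moved from 00:20:18:8e:20:4b to 00:90:92:7f:dc:00 on vr0
Mar 24 01:40:02 host /kernel: arp: 10.252.35.7 moved from 00:a0:c9:11:22:33 to 00:50:04:aa:bb:cc on vr0
Mar 24 01:40:09 host /kernel: arp: 10.252.35.7 moved from 00:50:04:aa:bb:cc to 00:a0:c9:11:22:33 on vr0
Mar 24 01:40:15 host /kernel: arp: 10.252.35.7 moved from 00:a0:c9:11:22:33 to 00:50:04:aa:bb:cc on vr0
Mar 24 01:41:00 host sshd[123]: unrelated line, ignored by the parser
""".splitlines()


def parse_arp_moves(lines):
    """Return one dict (ip, old, new, ifname) per 'arp: ... moved' message."""
    return [m.groupdict() for m in map(ARP_MOVED_RE.search, lines) if m]


def classify(moves, gateways=()):
    """Per IP address:
      changed-once        one move, the old MAC never came back (hardware swap, most likely)
      flapping            the address returned to a MAC seen earlier (two hosts claiming it)
      changed-repeatedly  several moves, each to a MAC not seen before
    The 'gateway' flag marks addresses listed in `gateways`: a moved default
    gateway deserves a closer look, since every host's off-subnet traffic follows it."""
    history = defaultdict(list)
    for mv in moves:
        history[mv["ip"]].append((mv["old"], mv["new"]))
    report = {}
    for ip, hops in history.items():
        seen = [hops[0][0]]            # MACs in the order they were observed
        flapping = False
        for _, new in hops:
            if new in seen:
                flapping = True
            else:
                seen.append(new)
        if flapping:
            kind = "flapping"
        elif len(hops) == 1:
            kind = "changed-once"
        else:
            kind = "changed-repeatedly"
        report[ip] = {"kind": kind, "moves": len(hops), "macs": seen,
                      "gateway": ip in gateways}
    return report


if __name__ == "__main__":
    report = classify(parse_arp_moves(SAMPLE_LOG), gateways={"10.252.35.254"})
    for ip, info in report.items():
        flag = " (default gateway!)" if info["gateway"] else ""
        print(f"{ip}: {info['kind']} after {info['moves']} move(s), MACs {info['macs']}{flag}")
```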

From: "Michael Wozniak"
Subject: RE: PPP/PPPOE and NAT
Date: Sun, 26 Mar 2000 12:41:25 -0500
Message-ID: <001101bf974a$86b13e00$0a80a8c0@mwozniak.uniservers.com>
In-Reply-To: <4.3.2.20000326112757.00b3ae00@dnsdata.com>

Bob,

What you have created/encountered is called a "Black Hole" router. 98 is
sending TCP packets with a requested segment size too big to fit into a PPPoE
frame (MTU is 1500 by default for ethernet) AND have the "don't fragment" bit
set (default of TCP), and the Telco router is not sending ICMP "must fragment"
back to the www site you are trying to load. When the www server is sending
you frames that don't fit into the PPPoE pipe, the Telco router drops them on
the floor and your page doesn't load (some pages/graphics do, as they are
smaller than a MSS.) This seems to be the default of most Telco PPPoE
configurations (if only they knew how to program a router... sigh...)

One fix is to use regedit on your 95/98 boxes to add the following registry
entry...

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\0000\MaxMTU

It should be a string with a value "1450" (more accurately it should be
"1464" to fit TCP packets into a PPPoE frame perfectly, but the 1450 gives
you a margin of error for other IP protocols you may encounter.)

Refer to MS KB # "Q158474 - Windows TCPIP Registry Entries" and "Q120642 -
TCPIP & NBT Configuration Parameters for Windows NT" for more information on
changing Windoze MTU to work with a FreeBSD/NAT/PPPoE router.

Mike
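To make Bob's two captures and Mike's explanation concrete, here is an added example (not code from the thread): it parses the tcpdump lines Bob posted, works out the MTU/MSS arithmetic for a PPPoE link (1500 - 8 = 1492 bytes per IP packet, hence a 1452-byte MSS for plain IPv4/TCP headers), and flags the black-hole pattern in the DSL capture, where the request is ACKed, no reply data ever arrives and the client retransmits. The server address, capture lines and MaxMTU values are the ones in the thread; the verdict names are this example's own.

```python
import re
from collections import Counter

# Added example, not code from the thread: parse the tcpdump lines Bob posted
# and flag the PMTU black-hole pattern Mike describes.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8       # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header, no options

# Old-style tcpdump TCP summary line, e.g.
#   08:19:00.817677 111.111.1.1.1105 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)(?P<df>\s+\(DF\))?"
)

# Sample input: lines from Bob's two captures (PPPoE/DSL path, then cable path).
DSL_CAPTURE = """\
08:19:00.716742 111.111.1.1.1105 > 192.151.11.32.80: S 1471379:1471379(0) win 8192 (DF)
08:19:00.813355 192.151.11.32.80 > 111.111.1.1.1105: S 31360000:31360000(0) ack 1471380 win 32768 (DF)
08:19:00.813802 111.111.1.1.1105 > 192.151.11.32.80: . ack 1 win 8760 (DF)
08:19:00.817677 111.111.1.1.1105 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
08:19:03.723892 111.111.1.1.1105 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
08:19:03.870080 192.151.11.32.80 > 111.111.1.1.1105: . ack 354 win 32768 (DF)
""".splitlines()
CABLE_CAPTURE = """\
07:43:50.107253 192.151.11.32.80 > 111.111.1.1.1037: S 88448000:88448000(0) ack 629055 win 32768 (DF)
07:43:50.110678 111.111.1.1.1037 > 192.151.11.32.80: P 1:354(353) ack 1 win 8760 (DF)
07:43:50.193727 192.151.11.32.80 > 111.111.1.1.1037: . ack 354 win 32768 (DF)
07:43:50.201616 192.151.11.32.80 > 111.111.1.1.1037: . 1:1461(1460) ack 354 win 32768 (DF)
07:43:50.202799 192.151.11.32.80 > 111.111.1.1.1037: . 1461:2921(1460) ack 354 win 32768 (DF)
07:43:50.203198 111.111.1.1.1037 > 192.151.11.32.80: . ack 2921 win 8760 (DF)
""".splitlines()


def pppoe_link_mtu(ethernet_mtu=ETHERNET_MTU):
    """Largest IP packet that fits in one PPPoE frame: 1492 on plain Ethernet."""
    return ethernet_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu):
    """TCP MSS that keeps a full segment inside an IP packet of size mtu."""
    return mtu - IP_TCP_HEADERS


def parse_tcpdump(lines):
    """Parse tcpdump TCP summary lines; lines that do not match are skipped."""
    pkts = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "src": d["src"].rsplit(".", 1)[0],   # drop the port
            "dst": d["dst"].rsplit(".", 1)[0],
            "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else 0,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None,
            "df": d["df"] is not None,
        })
    return pkts


def diagnose(lines, server_ip, link_mtu):
    """Classify one captured HTTP fetch against the MTU of the link it crossed."""
    pkts = parse_tcpdump(lines)
    from_server = [p for p in pkts if p["src"] == server_ip]
    client_data = [p for p in pkts if p["dst"] == server_ip and p["len"] > 0]
    server_data = [p for p in from_server if p["len"] > 0]
    # The same client segment (same seq and length) seen twice is a retransmission.
    seen = Counter((p["seq"], p["len"]) for p in client_data)
    retransmits = sum(n - 1 for n in seen.values())
    # Did the server ACK all of the request?  SYN/ACK is skipped: tcpdump prints
    # its ack as a raw sequence number, later ones relative to the ISN.
    sent_end = max((p["seq"] + p["len"] for p in client_data), default=0)
    request_acked = sent_end > 0 and any(
        "S" not in p["flags"] and p["ack"] is not None and p["ack"] >= sent_end
        for p in from_server)
    max_mss = mss_for_mtu(link_mtu)
    if retransmits and request_acked and not server_data:
        # Request arrived and was ACKed, yet no reply data ever came back: the
        # full-size reply segments (DF set) are being dropped silently on the path.
        verdict = "pmtu-blackhole-suspected"
    elif any(p["df"] and p["len"] > max_mss for p in server_data):
        verdict = "segments-too-large-for-link"
    else:
        verdict = "ok"
    return {"verdict": verdict, "client_retransmits": retransmits, "max_mss_for_link": max_mss,
            "largest_server_segment": max((p["len"] for p in server_data), default=0)}


if __name__ == "__main__":
    server = "192.151.11.32"
    print("PPPoE link MTU", pppoe_link_mtu(), "-> max TCP MSS", mss_for_mtu(pppoe_link_mtu()))
    for max_mtu in (1492, 1450, 1400):     # the Windows MaxMTU values discussed in the thread
        print(f"MaxMTU {max_mtu} -> MSS {mss_for_mtu(max_mtu)}")
    print("DSL capture:  ", diagnose(DSL_CAPTURE, server, pppoe_link_mtu()))
    print("cable capture:", diagnose(CABLE_CAPTURE, server, ETHERNET_MTU))
    print("cable segments judged against the PPPoE MTU:", diagnose(CABLE_CAPTURE, server, pppoe_link_mtu())["verdict"])
```

The last line of the demo shows why the cable path works and the PPPoE path does not: the 1460-byte segments the server sends fit a 1500-byte link but exceed the 1452-byte MSS a 1492-byte PPPoE link can carry, and with DF set they cannot be fragmented on the way.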

From: Kurt@pinboard.com
To: freebsd-net@FreeBSD.ORG
Cc: intmktg@cam.org
Subject: Re: dumb terminal on db9 serial port
Date: Sun, 26 Mar 2000 21:18:46 +0200
Message-ID: <20000326211845.A29173@pinboard.com>
In-Reply-To: <38DD50E4.DD1298C8@cam.org>; from intmktg@CAM.ORG on Sat, Mar 25, 2000 at 06:51:01PM -0500

On Sat, Mar 25, 2000 at 06:51:01PM -0500, Claude Tardif wrote:
>
> 4. wired my own null-modem cable (double-checked using a multi-meter),
> taken from:
> http://www.linux.org/help/ldp/howto/Text-Terminal-HOWTO-11.html#ss11.2
>
>   PC DB9                       Terminal DB25
>   RxD Receive Data     2 <--  2 TxD Transmit Data
>   TxD Transmit Data    3 -->  3 RxD Receive Data
>   SG  Signal Ground    5 ---  7 SG  Signal Ground
>   CTS Clear To Send    8 <-- 20 DTR Data Terminal Ready
>   RTS Request To Send  7 -->  6 DSR Data Set Ready

Shouldn't a null modem cable be:

  DB9 - DB25
    3 - 3
    2 - 2
    7 - 5
    8 - 4
    5 - 7
  1/6 - 20
    4 - 8/6

Then of course, it also matters whether your terminal is wired as DTE or DCE.

A minimum DB9-DB25 null modem cable, used to connect DTE-DTE, should be:

  DB9 - DB25
    3 - 3
    2 - 2
    5 - 7

And for a minimum DB9-DB25 straight cable, used for DTE-DCE connections, it
should look like:

  DB9 - DB25
    2 - 3
    3 - 2
    5 - 7

Kurt

Date: Sun, 26 Mar 2000 17:30:11 -1000 (HST)
From: Vincent Poy
To: Michael Wozniak
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: PPP/PPPOE and NAT
In-Reply-To: <001101bf974a$86b13e00$0a80a8c0@mwozniak.uniservers.com>

On Sun, 26 Mar 2000, Michael Wozniak wrote:

Actually, the number could be as high as 1492 for the PPPoE as far as the RFC
is concerned. Also, on the Windows machine, you may want to increase the
Receive Window size to 32767.

Speaking about FreeBSD as a NAT router, can it do port mapping so that it
will sense which machine sent the request for apps like dialpad instead of
mapping to a certain machine only? Since I noticed that Linux seems to have
the triggered mapping support.

Cheers,
Vince - vince@WURLDLINK.NET - Vice President
Unix Networking Operations - FreeBSD-Real Unix for Free
WurldLink Corporation
San Francisco - Honolulu - Hong Kong
HongKong Stars/Gravis UltraSound Mailing Lists Admin
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin

To: freebsd-net@FreeBSD.ORG
Date: Sun, 26 Mar 2000 23:28:06 -0500
Message-Id: <4.3.2.20000326232454.00b18100@dnsdata.com>
From: Bob Fayne
Subject: RE: PPP/PPPOE and NAT
In-Reply-To: <001101bf974a$86b13e00$0a80a8c0@mwozniak.uniservers.com>
References: <4.3.2.20000326112757.00b3ae00@dnsdata.com>

Thanks, that solved the problem. :)

I tried it at 1450 at first, and it was better but a tiny bit balky. Then I
noticed that the Bell Atlantic PPPoE client sets its MTU to be 1400. I set
all the windoze machines to that and we're working like a charm. :)

At 12:41 PM 3/26/2000, Michael Wozniak wrote:
>What you have created/encountered is called a "Black Hole" router.
>98 is sending TCP packets with a requested segment size too big to
>fit into a PPPoE frame (MTU is 1500 by default for ethernet) AND

Date: Sun, 26 Mar 2000 18:30:32 -1000 (HST)
From: Vincent Poy
To: Bob Fayne
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: PPP/PPPOE and NAT
In-Reply-To: <4.3.2.20000326232454.00b18100@dnsdata.com>

On Sun, 26 Mar 2000, Bob Fayne wrote:

Hmmm, actually, you should not go over 1492, which should work fine. Another
thing you may want to set is the Windows Receive size to 32767.

Cheers,
Vince - vince@WURLDLINK.NET - Vice President
Unix Networking Operations - FreeBSD-Real Unix for Free
WurldLink Corporation
San Francisco - Honolulu - Hong Kong
HongKong Stars/Gravis UltraSound Mailing Lists Admin
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin

> Thanks, that solved the problem. :)
>
> I tried it at 1450 at first, and it was better but a tiny bit balky.
> Then I noticed that the Bell Atlantic PPPoE client sets its MTU to be 1400.
> I set all the windoze machines to that and we're working like a charm. :)
>
>
> At 12:41 PM 3/26/2000, Michael Wozniak wrote:
> >What you have created/encountered is called a "Black Hole" router.
> >98 is sending TCP packets with a requested segment size too big to
> >fit into a PPPoE frame (MTU is 1500 by default for ethernet) AND

From: Stan Brown
To: freebsd-net@FreeBSD.ORG (FreeBSD Networking)
Subject: Why does this work (routing)
Date: Mon, 27 Mar 2000 15:33:37 -0500 (EST)
Message-Id: <200003272033.MAA15453@netcom.com>

I have set up an interesting routing scenario using a FreeBSD 3.4 Stable
box. It's very intuitive, and works well. However, now I am trying to do
something similar on a Solaris box, and not only can I not make it work,
lots of people are trying to convince me it's impossible!

Here is the scenario. I have a single homed box, let's say 170.85.109.64.
Its default router is 170.85.109.1.

In another building I have a machine that connects to the outside world,
let's say 32.77.3.5.

Now the router at 170.85.109.1 _does not_ have a route to 32.77.x.x, but a
router in the other building at 170.85.43.1 does.

So I did

 route add -net 32.77.0.0 170.85.43.1

on the FreeBSD box. Works like a charm.

The Sun box insists that all gateways be on a directly connected network.
People are trying to tell me this is required, since there is only 1 source
and 1 destination address in the packet.

At this point in time I am _totally_ confused. Could some kind soul please
educate me here? A pointer to docs would be appropriate.

Thanks.

-- 
Stan Brown     stanb@netcom.com                    404-996-6955
Factory Automation Systems
Atlanta Ga.
-- 
Look, look, see Windows 95.  Buy, lemmings, buy!
Pay no attention to that cliff ahead...            Henry Spencer
(c) 1998 Stan Brown.  Redistribution via the Microsoft Network is prohibited.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Mon Mar 27 13:26:57 2000
Delivered-To: freebsd-net@freebsd.org
Received: from xmh02.scott.af.mil (vejxoislxmh02.scott.af.mil [140.175.214.29]) by hub.freebsd.org (Postfix) with ESMTP id 6DE0137B753 for ; Mon, 27 Mar 2000 13:26:37 -0800 (PST) (envelope-from DARYL.CHANCE@SCOTT.AF.MIL)
Received: from cornerback.scott.af.mil (cornerback.scott.af.mil [140.175.214.11]) by xmh02.scott.af.mil (8.9.3/8.9.3) with ESMTP id PAA29066 for ; Mon, 27 Mar 2000 15:29:36 -0600
Received: from cornerback.scott.af.mil (root@localhost) by cornerback.scott.af.mil with ESMTP id PAA04846 for ; Mon, 27 Mar 2000 15:26:37 -0600 (CST)
Received: from SMTP (vejxoisntav81.scott.af.mil [140.175.254.101]) by cornerback.scott.af.mil with SMTP id PAA04842 for ; Mon, 27 Mar 2000 15:26:37 -0600 (CST)
Received: from ksvejx02.SCOTT.AF.MIL ([140.175.192.102]) by 140.175.254.101 (Norton AntiVirus for Internet Email Gateways 1.0) ; Mon, 27 Mar 2000 21:26:33 0000 (GMT)
Received: by ksvejx02.scott.af.mil with Internet Mail Service (5.5.2448.0) id ; Mon, 27 Mar 2000 15:34:48 -0600
Message-ID:
From: Chance Daryl SrA AMC CSS/SAS
To: "'freebsd-net'"
Subject: FW: bad link ppp
Date: Mon, 27 Mar 2000 15:26:29 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I sent this to the newbie list, wasn't sure if that was the right mailing list or not...hope this one works out :)

Thanks,
<--------------------------------------------------------------->
<- SrA Daryl Chance   - A programmer is someone who solves a   ->
<- USAF AMC CSS/SASR  - problem you didn't know you had in a   ->
<- RAD Programmer     - way you don't understand.              ->
<- (618) 256-5225     -                        - ?????         ->
<--------------------------------------------------------------->

-----Original Message-----
From: Chance Daryl SrA AMC CSS/SAS
Sent: Monday, March 27, 2000 1:01 PM
To: 'FreeBSD Newbies'
Subject: bad link ppp

Hello,

Not really sure that this is the correct list for this type of question, but I'll give it a shot :).

I recently downloaded the freebsd 4.0 iso image and burned it onto a cd. Previously I had 3.4 and it ran fine, no problems with the exception of a small ppp problem, which is why I decided to give 4.0 a try. That and I had to change out a HD that was going bad :).

well, it installed fine (minor partitioning problem on my part) and I set it up to be my gateway, setup the ip for it, could ping it and all that from my win boxes. Seeing all this was good, I brought up ppp something like this:

ppp -nat
ppp on>set device /dev/cuaa1        (modem is on com2)
ppp on>dial
can not open device /dev/cuaa1 bad link   (or something to that effect).

so, i quit out of ppp, go into /dev and do a ./MAKEDEV tun* cuaa*

go back into ppp and it does the same thing. I do a ./MAKEDEV all and go back to ppp, same thing.

any thoughts? any help would be appreciated.

the minor problem i was hoping to resolve with ppp is this:

i play Rogue Spear online with a friend of mine. I setup the ports so that if it came through on X port number, send it to my machine. i run ppp -nat -auto

when i run it through auto, it doesn't alias the ports correctly. it also leaves old ips around, the mask on one is 0XFFFFFF the other is 0XFFFF00 (or something to that effect). Before, it was leaving all stale ips around, so I checked up on some stuff and found that creating a ppp.linkdown would fix it...it fixed part of it :)....cleans out all but 2.

the odd thing is that all this works if i don't use auto, i.e.:

ppp -nat
ppp on>dial

all is fine.

Thanks again,
<--------------------------------------------------------------->
<- SrA Daryl Chance   - A programmer is someone who solves a   ->
<- USAF AMC CSS/SASR  - problem you didn't know you had in a   ->
<- RAD Programmer     - way you don't understand.              ->
<- (618) 256-5225     -                        - ?????         ->
<--------------------------------------------------------------->

From owner-freebsd-net Mon Mar 27 14:55:48 2000
Delivered-To: freebsd-net@freebsd.org
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by hub.freebsd.org (Postfix) with SMTP id 5196937B7CA for ; Mon, 27 Mar 2000 14:55:45 -0800 (PST) (envelope-from barney@databus.databus.com)
From: Barney Wolff
To: freebsd-net@FreeBSD.ORG (FreeBSD Networking)
Date: Mon, 27 Mar 2000 17:52 EST
Subject: Re: Why does this work (routing)
Content-Length: 816
Content-Type: text/plain
Message-ID: <38dfe6e10.71cd@databus.databus.com>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You might want to look at the netmasks on the two boxes - your box may believe (perhaps even correctly) that it can get to 43.1 over the Ethernet, while the Sun box may have a more restrictive netmask.

Barney Wolff
> From: Stan Brown
> Date: Mon, 27 Mar 2000 15:33:37 -0500 (EST)
>
> Here is the scenario. I have a single homed box, let's say
> 170.85.109.64. Its default router is 170.85.109.1. In another building
> I have a machine that connects to the outside world, let's say 32.77.3.5.
> Now the router at 170.85.109.1 _does not_ have a route to 32.77.x.x but
> a router in the other building at 170.85.43.1 does. So I did
>
> route add net 32.77.0.0 170.85.43.1
>
> on the FreeBSD box. Works like a charm. The Sun box insists that all
> gateways be on a directly connected network.

From owner-freebsd-net Mon Mar 27 15:25:33 2000
Delivered-To: freebsd-net@freebsd.org
Received: from awfulhak.org (tun.AwfulHak.org [194.242.139.173]) by hub.freebsd.org (Postfix) with ESMTP id DAD0F37BD38 for ; Mon, 27 Mar 2000 15:24:24 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id AAA57186; Tue, 28 Mar 2000 00:22:52 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id AAA01028; Tue, 28 Mar 2000 00:22:50 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200003272322.AAA01028@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Chance Daryl SrA AMC CSS/SAS
Cc: "'freebsd-net'" , brian@hak.lan.awfulhak.org
Subject: Re: FW: bad link ppp
In-Reply-To: Message from Chance Daryl SrA AMC CSS/SAS of "Mon, 27 Mar 2000 15:26:29 MDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 28 Mar 2000 00:22:50 +0100
From: Brian Somers
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Hello,
>
> Not really sure that this is the correct list for this type of
> question, but I'll give it a shot :).
>
> I recently downloaded the freebsd 4.0 iso image and burned it onto
> a cd. Previously I had 3.4 and it ran fine, no problems with the
> exception of a small ppp problem, which is why I decided to give
> 4.0 a try. That and I had to change out a HD that was going bad :).
>
> well, it installed fine (minor partitioning problem on my part) and
> I set it up to be my gateway, setup the ip for it, could ping it and
> all that from my win boxes. Seeing all this was good, I brought up
> ppp something like this:
>
> ppp -nat
> ppp on>set device /dev/cuaa1        (modem is on com2)
> ppp on>dial
> can not open device /dev/cuaa1 bad link   (or something to that
> effect).
>
> so, i quit out of ppp, go into /dev and do a ./MAKEDEV tun* cuaa*
>
> go back into ppp and it does the same thing. I do a ./MAKEDEV all
> and go back to ppp, same thing.
>
> any thoughts? any help would be appreciated.

Ensure that sio1 was probed correctly (run ``dmesg''). If it is, please post the full message.

> the minor problem i was hoping to resolve with ppp is this:
>
> i play Rogue Spear online with a friend of mine. I setup the ports
> so that if it came through on X port number, send it to my machine.
> i run ppp -nat -auto
>
> when i run it through auto, it doesn't alias the ports correctly.

Doesn't it ? What are your ``nat port'' commands ?

> it also leaves old ips around, the mask on one is 0XFFFFFF the other
> is 0XFFFF00 (or something to that effect). Before, it was leaving all
> stale ips around, so I checked up on some stuff and found that creating
> a ppp.linkdown would fix it...it fixed part of it :)....cleans out all but
> 2.

These alias addresses shouldn't be a problem. ppp.linkdown.sample keeps things tidier, but that's all.

> the odd thing is that all this works if i don't use auto, i.e.:
>
> ppp -nat
> ppp on>dial
>
> all is fine.

That's because ``iface-alias'' is disabled. See the documentation. I would think this stuff is a red herring.

> Thanks again,
> <--------------------------------------------------------------->
> <- SrA Daryl Chance   - A programmer is someone who solves a   ->
> <- USAF AMC CSS/SASR  - problem you didn't know you had in a   ->
> <- RAD Programmer     - way you don't understand.              ->
> <- (618) 256-5225     -                        - ?????         ->
> <--------------------------------------------------------------->

-- 
Brian

      Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Mon Mar 27 18: 0:43 2000
Delivered-To: freebsd-net@freebsd.org
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by hub.freebsd.org (Postfix) with ESMTP id 561DB37BD1E for ; Mon, 27 Mar 2000 18:00:33 -0800 (PST) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by vinyl.sentex.ca (8.9.3/8.9.3) with ESMTP id VAA86217; Mon, 27 Mar 2000 21:00:26 -0500 (EST) (envelope-from mike@sentex.net)
Received: from chimp.simianscience.com (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id VAA06324; Mon, 27 Mar 2000 21:00:25 -0500 (EST)
From: mike@sentex.net (Mike Tancsa)
To: stanb@netcom.com (Stan Brown)
Cc: freebsd-net@freebsd.org
Subject: Re: Why does this work (routing)
Date: Tue, 28 Mar 2000 02:00:43 GMT
Message-ID: <38e0120e.2862974269@mail.sentex.net>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 27 Mar 2000 15:35:38 -0500, in sentex.lists.freebsd.net you wrote:

> Here is the scenario. I have a single homed box, let's say
> 170.85.109.64. Its default router is 170.85.109.1. In another building
> I have a machine that connects to the outside world, let's say 32.77.3.5.
> Now the router at 170.85.109.1 _does not_ have a route to 32.77.x.x but
> a router in the other building at 170.85.43.1 does. So I did
>
> route add net 32.77.0.0 170.85.43.1

What route is it actually installing ?

netstat -nr

Also, what are your netmasks on the machines in question ?

---Mike

Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers could setup a national IP network." (KDW2)

From owner-freebsd-net Mon Mar 27 19: 3:17 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rose.niw.com.au (app3022-2.gw.connect.com.au [203.63.119.4]) by hub.freebsd.org (Postfix) with ESMTP id E594437B596 for ; Mon, 27 Mar 2000 19:03:12 -0800 (PST) (envelope-from ian@niw.com.au)
Received: by rose.niw.com.au (Postfix, from userid 1000) id E10A162D12; Tue, 28 Mar 2000 12:32:43 +0930 (CST)
Date: Tue, 28 Mar 2000 12:32:43 +0930
From: Ian West
To: freebsd-net@freebsd.org
Subject: ipfw tee
Message-ID: <20000328123243.I78585@rose.niw.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi, I have been looking at ipfw tee operation, specifically to see if I can make it tee to a divert socket without terminating. I would like to use this for logging traffic with more detail as to source and destination addresses without running through and processing syslog files :-).

My thought is to be able to tee traffic outbound prior to nat, and inbound after nat so that I can see the real source and dest addresses.

It seems from a couple of hours (minimal) looking at it that by 'teeing' in the ip_fw_chk itself, we can just 'continue' as per count, and all works well. I have tested this briefly, and it doesn't seem to kill anything. Can anyone point me at other important things to look at ?

vmstat -m does not show any mbufs going missing. netstat -m shows no slow increase. Everything still seems to work :-)

Output from ipfw -a l on the box I am testing with..

01000 110270 149841377 tee 12345 ip from any to any
65000 110270 149841377 allow ip from any to any
65535      0         0 deny ip from any to any

This suggests that it is doing roughly what I want, although I have not hooked anything onto the divert socket so I cannot say for sure.

Is what I am doing valid ? (close ?)

The diff that I have been testing with is below..

Index: ip_fw.c
===================================================================
RCS file: /cvs/freebsd/src/sys/netinet/ip_fw.c,v
retrieving revision 1.132
diff -u -r1.132 ip_fw.c
--- ip_fw.c	2000/03/14 14:11:53	1.132
+++ ip_fw.c	2000/03/28 02:39:16
@@ -1278,8 +1278,17 @@ *cookie = f->fw_number; return(f->fw_divert_port); case IP_FW_F_TEE: - *cookie = f->fw_number; - return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG); + { + struct mbuf *clone; + struct ip *cip; + *cookie = f->fw_number; + clone=m_dup(*m, M_DONTWAIT); + cip = mtod(clone, struct ip *); + HTONS(cip->ip_len); + HTONS(cip->ip_off); + divert_packet(clone,0,f->fw_divert_port); + } + continue; #endif case IP_FW_F_SKIPTO: /* XXX check */ if ( f->next_rule_ptr )

From owner-freebsd-net Mon Mar 27 21: 9:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rose.niw.com.au (app3022-2.gw.connect.com.au [203.63.119.4]) by hub.freebsd.org (Postfix) with ESMTP id EACA637BA08 for ; Mon, 27 Mar 2000 21:09:10 -0800 (PST) (envelope-from ian@niw.com.au)
Received: by rose.niw.com.au (Postfix, from userid 1000) id 8AB3C62D12; Tue, 28 Mar 2000 14:39:00 +0930 (CST)
Date: Tue, 28 Mar 2000 14:39:00 +0930
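Review bot: the `*cookie = f->fw_number;` assigned inside the new IP_FW_F_TEE block never reaches the divert consumer, because the case now ends in `continue` instead of returning a divert port as the two removed lines did, so the caller's divert path that would have carried that cookie is bypassed and the clone handed to divert_packet() here goes out with no rule number (the follow-up in this thread confirms the missing rule number at the recvfrom() end). Also, m_dup(*m, M_DONTWAIT) can return NULL under mbuf pressure and the next line, `cip = mtod(clone, struct ip *);`, dereferences it unconditionally; add `if (clone == NULL) continue;` (or fall back to the old return) before touching cip. Lastly, the second argument to divert_packet() is hard-coded to 0 although ip_fw_chk() is run for inbound as well as outbound packets, so the direction of the tee'd copy is always reported as outgoing.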
From: Ian West
To: Ian West
Subject: Re: ipfw tee
Message-ID: <20000328143900.L78585@rose.niw.com.au>
References: <20000328123243.I78585@rose.niw.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000328123243.I78585@rose.niw.com.au>; from ian@niw.com.au on Tue, Mar 28, 2000 at 12:32:43PM +0930
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

To add to previous, after a bit more testing, the following patch fixes an issue where the ipfw rule number was not passed through to the recvfrom call in the client. I now have a consumer of tee'd packets running, and it still seems to be working without any problems. I have not yet tried this in an environment with a real divert (say for nat) working yet.

Index: ip_fw.c
=========================================================================
RCS file: /cvs/freebsd/src/sys/netinet/ip_fw.c,v
retrieving revision 1.132
diff -u -r1.132 ip_fw.c
--- ip_fw.c	2000/03/14 14:11:53	1.132
+++ ip_fw.c	2000/03/28 05:05:35
@@ -1278,8 +1278,20 @@ *cookie = f->fw_number; return(f->fw_divert_port); case IP_FW_F_TEE: - *cookie = f->fw_number; - return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG); + { + struct mbuf *clone; + struct ip *cip; + u_int16_t divert_cookie; + divert_cookie=ip_divert_cookie; + ip_divert_cookie = f->fw_number; + clone=m_dup(*m, M_DONTWAIT); + cip = mtod(clone, struct ip *); + HTONS(cip->ip_len); + HTONS(cip->ip_off); + divert_packet(clone,0,f->fw_divert_port); + ip_divert_cookie=divert_cookie; + } + continue; #endif case IP_FW_F_SKIPTO: /* XXX check */ if ( f->next_rule_ptr )
=========================================================================

On Tue, Mar 28, 2000 at 12:32:43PM +0930, Ian West wrote:
> Hi, I have been looking at ipfw tee operation, specifically to see if I
> can make it tee to a divert socket without terminating. I would like to
> use this for logging traffic with more detail as to source and
> destination addresses without running through and processing syslog
> files :-).
>
> My thought is to be able to tee traffic outbound prior to nat, and inbound
> after nat so that I can see the real source and dest addresses.
>
> It seems from a couple of hours (minimal) looking at it that by 'teeing'
> in the ip_fw_chk itself, we can just 'continue' as per count, and all
> works well. I have tested this briefly, and it doesn't seem to kill
> anything. Can anyone point me at other important things to look at ?
>
> vmstat -m does not show any mbufs going missing. netstat -m shows no
> slow increase. Everything still seems to work :-)
>
> Output from ipfw -a l on the box I am testing with..
>
> 01000 110270 149841377 tee 12345 ip from any to any
> 65000 110270 149841377 allow ip from any to any
> 65535      0         0 deny ip from any to any
>
> This suggests that it is doing roughly what I want, although I have not
> hooked anything onto the divert socket so I cannot say for sure.
>
> Is what I am doing valid ? (close ?)
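Review bot: m_dup(*m, M_DONTWAIT) is still unchecked before `cip = mtod(clone, struct ip *);` in this revision, so an mbuf shortage becomes a NULL dereference on the firewall path; test `clone == NULL`, restore ip_divert_cookie from divert_cookie, and `continue` before touching cip. The save/restore of the global ip_divert_cookie around divert_packet() does get the rule number to the consumer, but it swaps the per-call `*cookie` out-parameter that the neighbouring IP_FW_F_DIVERT case uses for a global that every divert in flight shares, so the local should be named for what it is (saved_cookie) and the dependence on the global stated in a comment. The second argument to divert_packet() is again fixed at 0 for both directions.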
>
> The diff that I have been testing with is below..
>
> Index: ip_fw.c
> ===================================================================
> RCS file: /cvs/freebsd/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.132
> diff -u -r1.132 ip_fw.c
> --- ip_fw.c	2000/03/14 14:11:53	1.132
> +++ ip_fw.c	2000/03/28 02:39:16
> @@ -1278,8 +1278,17 @@ > *cookie = f->fw_number; > return(f->fw_divert_port); > case IP_FW_F_TEE: > - *cookie = f->fw_number; > - return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG); > + { > + struct mbuf *clone; > + struct ip *cip; > + *cookie = f->fw_number; > + clone=m_dup(*m, M_DONTWAIT); > + cip = mtod(clone, struct ip *); > + HTONS(cip->ip_len); > + HTONS(cip->ip_off); > + divert_packet(clone,0,f->fw_divert_port); > + } > + continue; > #endif > case IP_FW_F_SKIPTO: /* XXX check */ > if ( f->next_rule_ptr )

From owner-freebsd-net Tue Mar 28 7:13: 2 2000
Delivered-To: freebsd-net@freebsd.org
Received: from hotmail.com (f24.law8.hotmail.com [216.33.241.24]) by hub.freebsd.org (Postfix) with SMTP id 0B3D237B730 for ; Tue, 28 Mar 2000 07:12:57 -0800 (PST) (envelope-from hjeffrey@hotmail.com)
Received: (qmail 89245 invoked by uid 0); 28 Mar 2000 15:12:54 -0000
Message-ID: <20000328151254.89244.qmail@hotmail.com>
Received: from 130.11.112.22 by www.hotmail.com with HTTP; Tue, 28 Mar 2000 07:12:53 PST
X-Originating-IP: [130.11.112.22]
From: "Jeff Hamilton"
To: freebsd-net@freebsd.org, freebsd-security@freebsd.org
Subject: FreeBSD as VPN server for Win2000 Clients
Date: Tue, 28 Mar 2000 07:12:53 PST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi.

I am interested in setting up FreeBSD to act as a VPN server for remote users running Windows 2000 Professional. I am restricted to using the VPN support that is built-in to Win2000, so I can't purchase any addon products. My boss would also much prefer a free solution on the FreeBSD end.

Is this possible to do? If so, how do I get started?

Thanks.

Jeff
hjeffrey@hotmail.com
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From owner-freebsd-net Tue Mar 28 8:39:19 2000
Delivered-To: freebsd-net@freebsd.org
Received: from decoy.sfc.keio.ac.jp (decoy.sfc.keio.ac.jp [133.27.84.101]) by hub.freebsd.org (Postfix) with ESMTP id BD3E037BFC7; Tue, 28 Mar 2000 08:39:08 -0800 (PST) (envelope-from say@sfc.wide.ad.jp)
Received: from deborah (decoy.sfc.keio.ac.jp [133.27.84.101]) by decoy.sfc.keio.ac.jp (8.9.3/8.9.3) with ESMTP id BAA90960; Wed, 29 Mar 2000 01:38:11 +0900 (JST) (envelope-from say@sfc.wide.ad.jp)
Date: Wed, 29 Mar 2000 01:38:11 +0900 (JST)
Message-Id: <200003281638.BAA90960@decoy.sfc.keio.ac.jp>
From: ARIGA Seiji
To: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000328151254.89244.qmail@hotmail.com>
References: <20000328151254.89244.qmail@hotmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.00 (beta 3)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Tue, 28 Mar 2000 07:12:53 PST "Jeff Hamilton" wrote:
:I am interested in setting up FreeBSD to act as a VPN server for remote
:users running Windows 2000 Professional. I am restricted to using the VPN
:support that is built-in to Win2000, so I can't purchase any addon products.
: My boss would also much prefer a free solution on the FreeBSD end.

Some time before, I set up an IPsec connection between a KAME box and Windows2000 using racoon (KAME IKE daemon). You can use FreeBSD with KAME as a VPN server using IPsec.

# As far as IPsec is concerned, KAME snap is more stable than the KAME merged
# into FreeBSD4, in my opinion. So you'd better use FreeBSD3 with KAME
# snap for your purpose.

-- 
ARIGA Seiji

From owner-freebsd-net Tue Mar 28 8:52:19 2000
Delivered-To: freebsd-net@freebsd.org
Received: from astralblue.com (adsl-209-76-108-39.dsl.snfc21.pacbell.net [209.76.108.39]) by hub.freebsd.org (Postfix) with ESMTP id 7851937C02C; Tue, 28 Mar 2000 08:52:09 -0800 (PST) (envelope-from ab@astralblue.com)
Received: from localhost (ab@localhost) by astralblue.com (8.9.3/8.9.3) with ESMTP id IAA40035; Tue, 28 Mar 2000 08:52:03 -0800 (PST) (envelope-from ab@astralblue.com)
Date: Tue, 28 Mar 2000 08:52:02 -0800 (PST)
From: "Eugene M. Kim"
To: Jeff Hamilton
Cc: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000328151254.89244.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There's also a free PPTP implementation called poptop; you can find it in /usr/ports/net/poptop.

HTH,
Eugene

On Tue, 28 Mar 2000, Jeff Hamilton wrote:

| Hi.
|
| I am interested in setting up FreeBSD to act as a VPN server for remote
| users running Windows 2000 Professional. I am restricted to using the VPN
| support that is built-in to Win2000, so I can't purchase any addon products.
| My boss would also much prefer a free solution on the FreeBSD end.
|
| Is this possible to do? If so, how do I get started?
|
| Thanks.
|
| Jeff
| hjeffrey@hotmail.com

-- 
Eugene M. Kim

"Is your music unpopular? Make it popular; make music
which people like, or make people who like your music."
From owner-freebsd-net Tue Mar 28 8:52:51 2000
Delivered-To: freebsd-net@freebsd.org
Received: from p0016c23.us.kpmg.com (p0016c23.us.kpmg.com [199.207.255.23]) by hub.freebsd.org (Postfix) with ESMTP id EEEB737C0E2 for ; Tue, 28 Mar 2000 08:52:38 -0800 (PST) (envelope-from efisch@kpmg.com)
Received: from p0016c56.kweb.us.kpmg.com by p0016c23.us.kpmg.com(Pro-8.9.3/Pro-8.9.3) with SMTP id LAA16282 for ; Tue, 28 Mar 2000 11:52:34 -0500 (EST)
Received: from p0016c22.kweb.us.kpmg.com by p0016c56.kweb.us.kpmg.com via smtpd (for p0016c23.us.kpmg.com [199.207.255.23]) with SMTP; 28 Mar 2000 16:52:33 UT
Received: from usnssexc11.kweb.us.kpmg.com by kpmg.com(Pro-8.9.2/Pro-8.9.2) with ESMTP id LAA20199 for ; Tue, 28 Mar 2000 11:52:32 -0500 (EST)
Received: from usnssexc11.kweb.us.kpmg.com (unverified) by usnssexc11.kweb.us.kpmg.com (Content Technologies SMTPRS 2.0.15) with ESMTP id for ; Tue, 28 Mar 2000 11:52:26 -0500
Received: by usnssexc11.kweb.us.kpmg.com with Internet Mail Service (5.5.2650.21) id ; Tue, 28 Mar 2000 11:52:26 -0500
Message-Id: <211A728F180ED311B01F0008C75F54CFA48BB6@usdalexc05.kweb.us.kpmg.com>
From: "Fisch, Eric"
To: "'freebsd-net'"
Subject: Q: Any thoughts on NetMax Firewall
Date: Tue, 28 Mar 2000 11:52:19 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anyone had any experience with the NetMAX firewall product? They supposedly make a version that sits on top of FreeBSD and Linux. I have seen the Linux version and it looks interesting.

Thanks,
Eric Fisch
efisch@kpmg.com

*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************

From owner-freebsd-net Tue Mar 28 11:25:47 2000
Delivered-To: freebsd-net@freebsd.org
Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 28EB937BFC6; Tue, 28 Mar 2000 11:25:28 -0800 (PST) (envelope-from mike@sentex.ca)
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id OAA66850; Tue, 28 Mar 2000 14:25:13 -0500 (EST) (envelope-from mike@sentex.ca)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by vinyl.sentex.ca (8.9.3/8.9.3) with SMTP id OAA29463; Tue, 28 Mar 2000 14:25:12 -0500 (EST) (envelope-from mike@sentex.ca)
Message-Id: <3.0.5.32.20000328142245.01bcf4c0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 28 Mar 2000 14:22:45 -0500
To: "Jeff Hamilton" , freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000328151254.89244.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:12 AM 3/28/00 PST, Jeff Hamilton wrote:
>Hi.
>
>I am interested in setting up FreeBSD to act as a VPN server for remote
>users running Windows 2000 Professional. I am restricted to using the VPN
>support that is built-in to Win2000, so I can't purchase any addon products.
> My boss would also much prefer a free solution on the FreeBSD end.
>
>Is this possible to do? If so, how do I get started?

2 *possible* options... pptp (aka point 2 point tunneling protocol), or ipsec.

From the ports collection /usr/ports/net/poptop

1.0 Introduction
----------------

1.1 About PoPToP

PoPToP is the PPTP Server solution for Linux. PoPToP allows Linux servers to function seamlessly in the PPTP VPN environment. This enables administrators to leverage the considerable benefits of both Microsoft and Linux. The current pre-release version supports Windows 95/98/NT/2000 PPTP clients and PPTP Linux clients. PoPToP is free GNU software.

PoPToP Home Page: http://www.moretonbay.com/vpn/pptp.html

But I would try the IPsec route first...

---Mike
------------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Network Administrator,                        mike@sentex.net
Sentex Communications                         www.sentex.net
Cambridge, Ontario Canada

From owner-freebsd-net Tue Mar 28 11:26:31 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id EB0AC37BD99 for ; Tue, 28 Mar 2000 11:26:28 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000328192628.FFOO5721.mail.rdc1.sfba.home.com@beastie.localdomain> for ; Tue, 28 Mar 2000 11:26:28 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id LAA21929 for freebsd-net@freebsd.org; Tue, 28 Mar 2000 11:35:34 -0800 (PST) (envelope-from brian)
Date: Tue, 28 Mar 2000 11:35:34 -0800
From: "Brian O'Shea"
To: freebsd-net@freebsd.org
Subject: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328113534.W330@beastie.localdomain>
Mail-Followup-To: freebsd-net@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I have set up a FreeBSD 3.4-STABLE machine as a NAT router for my home. The only service that I am running on it is SSH. Because there is no external route to any of the machines on my internal network (I am using one of the RFC1918 network addresses), is there any security benefit to installing packet filtering rules? It wouldn't be much trouble for me to do so, but I'm wondering if it is necessary.

Thanks,
-brian

-- 
Brian O'Shea
boshea@ricochet.net

From owner-freebsd-net Tue Mar 28 11:40:38 2000
Delivered-To: freebsd-net@freebsd.org
Received: from kronos.networkrichmond.com (kronos.alcnet.com [63.69.28.22]) by hub.freebsd.org (Postfix) with ESMTP id 1330237B914 for ; Tue, 28 Mar 2000 11:40:32 -0800 (PST) (envelope-from kbyanc@posi.net)
X-Provider: Network Richmond, LLC. http://www.networkrichmond.com/
Received: from localhost (kbyanc@localhost) by kronos.networkrichmond.com (8.9.3/8.9.3/antispam) with ESMTP id OAA03235; Tue, 28 Mar 2000 14:40:29 -0500 (EST)
Date: Tue, 28 Mar 2000 14:40:29 -0500 (EST)
From: Kelly Yancey
X-Sender: kbyanc@kronos.networkrichmond.com
To: "Brian O'Shea"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To: <20000328113534.W330@beastie.localdomain>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Mar 2000, Brian O'Shea wrote:

> Hello,
>
> I have set up a FreeBSD 3.4-STABLE machine as a NAT router for my
> home. The only service that I am running on it is SSH. Because there
> is no external route to any of the machines on my internal network (I
> am using one of the RFC1918 network addresses), is there any security
> benefit to installing packet filtering rules? It wouldn't be much
> trouble for me to do so, but I'm wondering if it is necessary.
>

NAT will effectively protect the boxes on your network. It's the router you need to worry about (since it is the only box on the public Internet). You say you are only running SSH on it, so it sounds like you have locked that box down but good. Depending on how paranoid you are, you might still want to put packet filter rules just for protecting your router.

Kelly

--
Kelly Yancey  -  kbyanc@posi.net  -  Richmond, VA
Analyst / E-business Development, Bell Industries  http://www.bellind.com/
Maintainer, BSD Driver Database       http://www.posi.net/freebsd/drivers/
Coordinator, Team FreeBSD         http://www.posi.net/freebsd/Team-FreeBSD/

From owner-freebsd-net Tue Mar 28 12:19:14 2000
Delivered-To: freebsd-net@freebsd.org
Received: from scotch.merit.edu (scotch.merit.edu [198.108.60.195]) by hub.freebsd.org (Postfix) with ESMTP id C19AC37C017 for ; Tue, 28 Mar 2000 12:19:08 -0800 (PST) (envelope-from chopps@scotch.merit.edu)
Received: (from chopps@localhost) by scotch.merit.edu (8.8.8/8.8.8) id PAA13490 for freebsd-net@freebsd.org; Tue, 28 Mar 2000 15:19:07 -0500 (EST)
Date: Tue, 28 Mar 2000 15:19:07 -0500
From: "Christian E. Hopps" To: freebsd-net@freebsd.org Subject: namespace pollution (if_list) Message-ID: <20000328151907.K8280@merit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1us Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I thought I would drop a note since this is the _second_ time in the last year that I've had to change my code becuase new defines were added to freebsd's header files unprotected. This time its in if_var.h: /* for compatibility with other BSDs */ #define if_addrlist if_addrhead #define if_list if_link Are people failing to realize that this now prohibits use of `if_list' and `if_addrlist' in user programs?? Thanks, Chris. (please include me in the cc as I'm not on the list) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Mar 28 12:32: 3 2000 Delivered-To: freebsd-net@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id A3E0B37B61B for ; Tue, 28 Mar 2000 12:31:59 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id PAA83082; Tue, 28 Mar 2000 15:31:56 -0500 (EST) (envelope-from wollman) Date: Tue, 28 Mar 2000 15:31:56 -0500 (EST) 
From: Garrett Wollman Message-Id: <200003282031.PAA83082@khavrinen.lcs.mit.edu> To: "Christian E. Hopps" Cc: freebsd-net@FreeBSD.ORG Subject: namespace pollution (if_list) In-Reply-To: <20000328151907.K8280@merit.edu> References: <20000328151907.K8280@merit.edu> Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Are people failing to realize that this now prohibits use of > `if_list' and `if_addrlist' in user programs?? If you include , and expect to use if_ANYTHING in your programs, you have made a serious error -- just as you cannot include and then expect to define a macro called isfoo(). -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Mar 28 12:52:52 2000 Delivered-To: freebsd-net@freebsd.org Received: from scotch.merit.edu (scotch.merit.edu [198.108.60.195]) by hub.freebsd.org (Postfix) with ESMTP id 019EB37BB1B for ; Tue, 28 Mar 2000 12:52:47 -0800 (PST) (envelope-from chopps@scotch.merit.edu) Received: (from chopps@localhost) by scotch.merit.edu (8.8.8/8.8.8) id PAA20395; Tue, 28 Mar 2000 15:52:45 -0500 (EST) Date: Tue, 28 Mar 2000 15:52:44 -0500 
From: "Christian E. Hopps" To: Garrett Wollman Cc: freebsd-net@FreeBSD.ORG Subject: Re: namespace pollution (if_list) Message-ID: <20000328155244.A20019@merit.edu> References: <20000328151907.K8280@merit.edu> <200003282031.PAA83082@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1us In-Reply-To: <200003282031.PAA83082@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Mar 28, 2000 at 03:31:56PM -0500 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Mar 28, 2000 at 03:31:56PM -0500, Garrett Wollman wrote: > < said: > > > Are people failing to realize that this now prohibits use of > > `if_list' and `if_addrlist' in user programs?? > > If you include , and expect to use if_ANYTHING in your > programs, you have made a serious error -- just as you cannot include > and then expect to define a macro called isfoo(). Is this the position of FreeBSD? You do realize that this is horrible OS design right? To be honest I expected an "Oops we'll fix it" not some justification for a stupid action. But let me get this straight FreeBSD is now reserving the prefix "if_" and user programs are not allowed to use it? How many other of these are there? Should I go through every OS header file in FreeBSD and consider any prefix it uses as reserverd?? Chris. P.S. the program is GateD, which has been around and using if_list since before FreeBSD was even some dream in a 386bsd patchkit maintainer's head. 
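As an added illustration (not code from this thread, from GateD or from FreeBSD), the block below shows what an unprotected compatibility define like the one quoted from if_var.h does to any program that includes the header: the preprocessor silently rewrites every `if_list` it sees into `if_link`, and the only way the program can reach its own member again is by the renamed spelling. The second half shows the same defines wrapped in `#ifdef _KERNEL`, the guard Chris proposes later in the thread, so that a userland build keeps its identifiers. The header text and the `struct user_iface` type are constructed stand-ins, not the real if_var.h or GateD's structures.

```c
#include <stddef.h>
#include <string.h>

/* Stringify a token *after* macro expansion, so the program can observe
 * what the preprocessor actually turned an identifier into. */
#define STR_(x) #x
#define XSTR(x) STR_(x)

/* --- Constructed stand-in for the unprotected defines quoted from if_var.h.
 * Every translation unit that includes such a header gets them, kernel or not. */
#define if_addrlist if_addrhead
#define if_list if_link

/* A user program's own structure that happens to use the "if_" prefix
 * (constructed, loosely GateD-style).  The member is written as if_list in
 * the source, but the compiler only ever sees it as if_link.  Had the struct
 * also carried a member of its own named if_link, this would be a duplicate
 * member error with no hint that a header define is responsible. */
struct user_iface {
    struct user_iface *if_list;   /* rewritten to if_link by the define above */
    const char *if_name;
};

/* What the identifier expands to while the unguarded define is in effect. */
const char *unguarded_expansion(void)
{
    return XSTR(if_list);          /* "if_link": silently renamed */
}

/* Walk a two-element list.  Because the defines are removed just below,
 * the member can only be named by its rewritten spelling, if_link: the
 * source-level name if_list no longer resolves to anything. */
int user_iface_count(void)
{
    struct user_iface second = { NULL, "de0" };      /* constructed sample */
    struct user_iface first = { &second, "fxp0" };   /* constructed sample */
    int n = 0;
    for (struct user_iface *p = &first; p != NULL; p = p->if_link)
        n++;
    return n;                      /* 2 */
}

/* Remove the pollution so the rest of the file can model a guarded header. */
#undef if_addrlist
#undef if_list

/* --- Guarded form: the compatibility names exist only in kernel builds
 * (compile with -D_KERNEL to see them), so user code keeps its identifiers. */
#ifdef _KERNEL
#define if_addrlist if_addrhead
#define if_list if_link
#endif

const char *guarded_expansion(void)
{
    return XSTR(if_list);          /* "if_list" in a userland build */
}
```

Build it once plainly and once with -D_KERNEL to see guarded_expansion() flip between the two names.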
From owner-freebsd-net Tue Mar 28 12:59:44 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id 5350037BAC3 for ; Tue, 28 Mar 2000 12:59:42 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000328205942.HPTT5721.mail.rdc1.sfba.home.com@beastie.localdomain>; Tue, 28 Mar 2000 12:59:42 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id NAA22163; Tue, 28 Mar 2000 13:08:50 -0800 (PST) (envelope-from brian)
Date: Tue, 28 Mar 2000 13:08:50 -0800
From: "Brian O'Shea"
To: Kelly Yancey
Cc: "Brian O'Shea" , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328130850.Z330@beastie.localdomain>
Mail-Followup-To: Kelly Yancey , Brian O'Shea , freebsd-net@FreeBSD.ORG
References: <20000328113534.W330@beastie.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Kelly Yancey on Tue, Mar 28, 2000 at 02:40:29PM -0500
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 28, 2000 at 02:40:29PM -0500, Kelly Yancey wrote:
>
> NAT will effectively protect the boxes on your network. It's the router
> you need to worry about (since it is the only box on the public Internet).
> You say you are only running SSH on it, so it sounds like you have locked
> that box down but good. Depending on how paranoid you are, you might still
> want to put packet filter rules just for protecting your router.
>
> Kelly
>

Thank you for your response. This is what I thought, although I should
have clarified my question. I was wondering if there is any added
security to having packet filtering rules on the router, in addition to
NAT. Since there are no services to exploit (ignoring sshd for the
moment), what rules would I add? If there are no services running, then
there is no need to block any ports. But are there other types of
vulnerabilities that I should be worried about?

Thanks,
-brian

p.s. I have considered limiting access to the sshd port to only certain
authorized networks, but this is only a minor obstacle at best
(especially considering the networks to which I would have to grant
access).
--
Brian O'Shea
boshea@ricochet.net

From owner-freebsd-net Tue Mar 28 13: 2:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 322BF37B556 for ; Tue, 28 Mar 2000 13:02:13 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA83159; Tue, 28 Mar 2000 16:02:09 -0500 (EST) (envelope-from wollman)
Date: Tue, 28 Mar 2000 16:02:09 -0500 (EST)
From: Garrett Wollman
Message-Id: <200003282102.QAA83159@khavrinen.lcs.mit.edu>
To: "Christian E. Hopps"
Cc: Garrett Wollman , freebsd-net@FreeBSD.ORG
Subject: Re: namespace pollution (if_list)
In-Reply-To: <20000328155244.A20019@merit.edu>
References: <20000328151907.K8280@merit.edu> <200003282031.PAA83082@khavrinen.lcs.mit.edu> <20000328155244.A20019@merit.edu>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
> Is this the position of FreeBSD?

No, this is my personal opinion. I didn't say anything about whether
or not it will be changed in FreeBSD -- I'll leave that up to whomever
made the original change. I'm simply pointing out that many headers
internal to the operating system have their own peculiar namespaces
and users should not expect to be able to use those namespaces with
impunity.

To expound a bit further, and in a different direction: to the extent
any user program includes at all, either the program is broken, or the
system is. There should not be any information in that user-mode
programs have need to access. It will make it more likely that your
problem can be fixed if you tell us just what data structures,
precisely, your program is using from that header.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |   - Susan Aglukark and Chad Irschick

From owner-freebsd-net Tue Mar 28 13:16:56 2000
Delivered-To: freebsd-net@freebsd.org
Received: from xmh02.scott.af.mil (vejxoislxmh02.scott.af.mil [140.175.214.29]) by hub.freebsd.org (Postfix) with ESMTP id 19CEF37BE61 for ; Tue, 28 Mar 2000 13:16:53 -0800 (PST) (envelope-from DARYL.CHANCE@SCOTT.AF.MIL)
Received: from cornerback.scott.af.mil (cornerback.scott.af.mil [140.175.214.11]) by xmh02.scott.af.mil (8.9.3/8.9.3) with ESMTP id PAA06072 for ; Tue, 28 Mar 2000 15:19:50 -0600
Received: from cornerback.scott.af.mil (root@localhost) by cornerback.scott.af.mil with ESMTP id PAA12362 for ; Tue, 28 Mar 2000 15:16:50 -0600 (CST)
Received: from SMTP (vejxoisntav82.scott.af.mil [140.175.254.102]) by cornerback.scott.af.mil with SMTP id PAA12329 for ; Tue, 28 Mar 2000 15:16:49 -0600 (CST)
Received: from ksvejx02.SCOTT.AF.MIL ([140.175.192.102]) by 140.175.254.102 (Norton AntiVirus for Internet Email Gateways 1.0) ; Tue, 28 Mar 2000 21:16:50 0000 (GMT)
Received: by ksvejx02.scott.af.mil with Internet Mail Service (5.5.2448.0) id ; Tue, 28 Mar 2000 15:16:47 -0600
Message-ID:
From: Chance Daryl SrA AMC CSS/SAS
To: "'freebsd-net'"
Subject: RE: FW: bad link ppp
Date: Tue, 28 Mar 2000 15:16:45 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Ensure that sio1 was probed correctly (run ``dmesg''). If it is,
> please post the full message.

I'll keep this in mind when I try and install 4.0 again, the box was
down for most of this weekend, so I made the wife a little ticked since
she was bored and couldn't do anything on the net :).

Just so I know for future knowledge, what should I do if it isn't
probed correctly?

> > the odd thing is that all this works if i don't use auto IE:
> >
> > ppp -nat
> > ppp on>dial
> >
> > all is fine.
>
> That's because ``iface-alias'' is disabled. See the
> documentation. I
> would think this stuff is a red herring.

Thanks. That was something I must have overlooked in the examples and
explanations on your page. Thanks for your help :).

<--------------------------------------------------------------->
<- SrA Daryl Chance   - A programmer is someone who solves a   ->
<- USAF AMC CSS/SASR  - problem you didn't know you had in a   ->
<- RAD Programmer     - way you don't understand.              ->
<- (618) 256-5225     -                             - ?????    ->
<--------------------------------------------------------------->

From owner-freebsd-net Tue Mar 28 13:38:44 2000
Delivered-To: freebsd-net@freebsd.org
Received: from scotch.merit.edu (scotch.merit.edu [198.108.60.195]) by hub.freebsd.org (Postfix) with ESMTP id 3E3C537B83E for ; Tue, 28 Mar 2000 13:38:42 -0800 (PST) (envelope-from chopps@scotch.merit.edu)
Received: (from chopps@localhost) by scotch.merit.edu (8.8.8/8.8.8) id QAA21843; Tue, 28 Mar 2000 16:38:39 -0500 (EST)
Date: Tue, 28 Mar 2000 16:38:38 -0500
From: "Christian E. Hopps"
To: Garrett Wollman
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: namespace pollution (if_list)
Message-ID: <20000328163838.C20019@merit.edu>
References: <20000328151907.K8280@merit.edu> <200003282031.PAA83082@khavrinen.lcs.mit.edu> <20000328155244.A20019@merit.edu> <200003282102.QAA83159@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1us
In-Reply-To: <200003282102.QAA83159@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Mar 28, 2000 at 04:02:09PM -0500
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 28, 2000 at 04:02:09PM -0500, Garrett Wollman wrote:
> < said:
>
> > Is this the position of FreeBSD?
>
> No, this is my personal opinion. I didn't say anything about whether
> or not it will be changed in FreeBSD -- I'll leave that up to whomever
> made the original change. I'm simply pointing out that many headers
> internal to the operating system have their own peculiar namespaces
> and users should not expect to be able to use those namespaces with
> impunity.

Yes, but that's what #ifdef _KERNEL is for.

> To expound a bit further, and in a different direction: to the extent
> any user program includes at all, either the program is
> broken, or the system is. There should not be any information in
> that user-mode programs have need to access. It will
> make it more likely that your problem can be fixed if you tell us just
> what data structures, precisely, your program is using from that
> header.

The point is well taken, nothing in if_var looks like a normal user
program needs it. It would appear to be required by the IGMP SNMP MIB
code which does some amount of poking around in kvm. To the system vs.
program broken end I'm not sure which it is in this case because I'm
not familiar with the SNMP code in question.

It could be that technically the system is broken because it's not
exporting through a sane interface information which user programs may
need.

Chris.

From owner-freebsd-net Tue Mar 28 13:52:15 2000
Delivered-To: freebsd-net@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1943E37B57F for ; Tue, 28 Mar 2000 13:52:10 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA83356; Tue, 28 Mar 2000 16:52:04 -0500 (EST) (envelope-from wollman)
Date: Tue, 28 Mar 2000 16:52:04 -0500 (EST)
From: Garrett Wollman
Message-Id: <200003282152.QAA83356@khavrinen.lcs.mit.edu>
To: "Christian E. Hopps"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: namespace pollution (if_list)
In-Reply-To: <20000328163838.C20019@merit.edu>
References: <20000328151907.K8280@merit.edu> <200003282031.PAA83082@khavrinen.lcs.mit.edu> <20000328155244.A20019@merit.edu> <200003282102.QAA83159@khavrinen.lcs.mit.edu> <20000328163838.C20019@merit.edu>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:
> It would appear to be required by the IGMP SNMP MIB code which does
> some amount of poking around in kvm.

OK, I think I see the problem now. Multicast group memberships are
reported via the routing socket when they change, but there is no
sysctl(3) interface to get the information statically. This shouldn't
be too hard to accomplish -- although I'm not at all sure why I didn't
do it in the first place.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |   - Susan Aglukark and Chad Irschick

From owner-freebsd-net Tue Mar 28 13:54:21 2000
Delivered-To: freebsd-net@freebsd.org
Received: from hermes.avantgo.com (ws1.avantgo.com [207.214.200.194]) by hub.freebsd.org (Postfix) with ESMTP id 614D037BDAE for ; Tue, 28 Mar 2000 13:54:09 -0800 (PST) (envelope-from scott@avantgo.com)
Received: from river.avantgo.com (river.avantgo.com [10.0.128.30]) by hermes.avantgo.com (Postfix) with ESMTP id 4CAA8F; Tue, 28 Mar 2000 13:54:08 -0800 (PST)
Received: (from scott@localhost) by river.avantgo.com (8.9.3/8.9.3) id NAA17760; Tue, 28 Mar 2000 13:54:01 -0800
Date: Tue, 28 Mar 2000 13:54:01 -0800
From: Scott Hess
To: "Brian O'Shea"
Cc: Kelly Yancey , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328135401.A17746@river.avantgo.com>
References: <20000328113534.W330@beastie.localdomain> <20000328130850.Z330@beastie.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3us
In-Reply-To: <20000328130850.Z330@beastie.localdomain>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 28, 2000 at 01:08:50PM -0800, Brian O'Shea wrote:
> Thank you for your response. This is what I thought, although I
> should have clarified my question. I was wondering if there is any
> added security to having packet filtering rules on the router, in
> addition to NAT. Since there are no services to exploit (ignoring
> sshd for the moment), what rules would I add? If there are no
> services running, then there is no need to block any ports. But are
> there other types of vulnerabilities that I should be worried about?

You could tell the packet filter to only allow packets to the ssh port.
Sounds redundant, but it certainly does prevent you from accidentally
opening up a hole at some point.

You might want to log packets, on the off chance that someone is doing
something interesting.

You might want to adjust whether non-ssh packets are rejected, or simply
dropped on the floor. Rejecting the packet gives an immediate
"Connection denied" response to probes, whereas dropping the packet just
leaves the probe high&dry.

Later,
scott

From owner-freebsd-net Tue Mar 28 13:59:22 2000
Delivered-To: freebsd-net@freebsd.org
Received: from roam.psg.com (dhcp-193-29.ietf.connect.com.au [169.208.193.29]) by hub.freebsd.org (Postfix) with ESMTP id 9A28E37C02B for ; Tue, 28 Mar 2000 13:59:19 -0800 (PST) (envelope-from randy@psg.com)
Received: from randy by roam.psg.com with local (Exim 3.12 #1) id 12a411-0001UE-00; Wed, 29 Mar 2000 07:29:11 +0930
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Kelly Yancey
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
References: <20000328113534.W330@beastie.localdomain>
Message-Id:
Date: Wed, 29 Mar 2000 07:29:11 +0930
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> NAT will effectively protect the boxes on your network.

how? firewalls protect. nat merely translates addresses.

randy

From owner-freebsd-net Tue Mar 28 14:46:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from implode.root.com (root.com [209.102.106.178]) by hub.freebsd.org (Postfix) with ESMTP id 8DE5037B7DC for ; Tue, 28 Mar 2000 14:46:11 -0800 (PST) (envelope-from dg@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.8/8.8.5) with ESMTP id OAA21034; Tue, 28 Mar 2000 14:39:58 -0800 (PST)
Message-Id: <200003282239.OAA21034@implode.root.com>
To: "Christian E. Hopps"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: namespace pollution (if_list)
In-reply-to: Your message of "Tue, 28 Mar 2000 15:19:07 EST." <20000328151907.K8280@merit.edu>
From: David Greenman
Reply-To: dg@root.com
Date: Tue, 28 Mar 2000 14:39:58 -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>I thought I would drop a note since this is the _second_ time in the
>last year that I've had to change my code because new defines were
>added to freebsd's header files unprotected.
>
>This time it's in if_var.h:
>
>	/* for compatibility with other BSDs */
>	#define if_addrlist if_addrhead
>	#define if_list if_link
>
>Are people failing to realize that this now prohibits use of
>`if_list' and `if_addrlist' in user programs??

Looks like this was added as part of the IPv6 integration by the KAME
team. I don't have much to say about it other than programs shouldn't
need to include if_var.h unless there is a deficiency in the user-kernel
interface (in which case that should be fixed).

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project - http://www.freebsd.org
Creator of high-performance Internet servers - http://www.terasolutions.com
Pave the road of life with opportunities.

From owner-freebsd-net Tue Mar 28 14:47:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id 6559A37C23B for ; Tue, 28 Mar 2000 14:47:09 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000328224707.KLYN5721.mail.rdc1.sfba.home.com@beastie.localdomain>; Tue, 28 Mar 2000 14:47:07 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id OAA22363; Tue, 28 Mar 2000 14:56:15 -0800 (PST) (envelope-from brian)
Date: Tue, 28 Mar 2000 14:56:15 -0800
From: "Brian O'Shea"
To: Randy Bush
Cc: Kelly Yancey , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328145615.B330@beastie.localdomain>
Mail-Followup-To: Randy Bush , Kelly Yancey , freebsd-net@FreeBSD.ORG
References: <20000328113534.W330@beastie.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Randy Bush on Wed, Mar 29, 2000 at 07:29:11AM +0930
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 29, 2000 at 07:29:11AM +0930, Randy Bush wrote:
> > NAT will effectively protect the boxes on your network.
>
> how? firewalls protect. nat merely translates addresses.

Correct. And since there is no way for machines outside of my local
network to know what internal addresses are being translated by my
router, there is no way to address them from outside.

Even if these addresses are known, there is no route to them from the
internet; they are reserved for use by private networks:

So my network is logically isolated from the rest of the world, with the
exception that internal machines can establish connections to external
machines.

-brian

--
Brian O'Shea
boshea@ricochet.net

From owner-freebsd-net Tue Mar 28 15: 9:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id 7B73B37B651 for ; Tue, 28 Mar 2000 15:09:42 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000328230941.LCLF5721.mail.rdc1.sfba.home.com@beastie.localdomain>; Tue, 28 Mar 2000 15:09:41 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id PAA22410; Tue, 28 Mar 2000 15:18:49 -0800 (PST) (envelope-from brian)
Date: Tue, 28 Mar 2000 15:18:49 -0800
From: "Brian O'Shea"
To: Scott Hess
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328151849.C330@beastie.localdomain>
Mail-Followup-To: Scott Hess , freebsd-net@FreeBSD.ORG
References: <20000328113534.W330@beastie.localdomain> <20000328130850.Z330@beastie.localdomain> <20000328135401.A17746@river.avantgo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <20000328135401.A17746@river.avantgo.com>; from Scott Hess on Tue, Mar 28, 2000 at 01:54:01PM -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 28, 2000 at 01:54:01PM -0800, Scott Hess wrote:
>
> You could tell the packet filter to only allow packets to the
> ssh port. Sounds redundant, but it certainly does prevent you
> from accidentally opening up a hole at some point.

True.

>
> You might want to log packets, on the off chance that someone is
> doing something interesting.

Hmm, this could be interesting.

>
> You might want to adjust whether non-ssh packets are rejected, or
> simply dropped on the floor. Rejecting the packet gives an immediate
> "Connection denied" response to probes, whereas dropping the packet
> just leaves the probe high&dry.

That's a good idea, I'll have to check it out. I assume you mean the
"deny" and "reject" (now "unreach") actions mentioned in the ipfw(8)
man page.

Thanks a lot!

-brian

--
Brian O'Shea
boshea@ricochet.net

From owner-freebsd-net Tue Mar 28 16:45:30 2000
Delivered-To: freebsd-net@freebsd.org
Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 91D7B37BE61 for ; Tue, 28 Mar 2000 16:45:27 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from softweyr.com (Foolstrustidentd@obie.softweyr.com [204.68.178.33]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id RAA27706; Tue, 28 Mar 2000 17:45:14 -0700 (MST) (envelope-from wes@softweyr.com)
Message-ID: <38E1528B.974251A6@softweyr.com>
Date: Tue, 28 Mar 2000 17:47:07 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Randy Bush
Cc: Kelly Yancey , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
References: <20000328113534.W330@beastie.localdomain>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Randy Bush wrote:
>
> > NAT will effectively protect the boxes on your network.
>
> how? firewalls protect. nat merely translates addresses.

If you don't "forward" ports from the NAT box to internal boxes, there
is NO path from the outside to the inside. Voila! The internal boxes
are safe from attack.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                   Softweyr LLC
wes@softweyr.com                        http://softweyr.com/

From owner-freebsd-net Tue Mar 28 17:39:39 2000
Delivered-To: freebsd-net@freebsd.org
Received: from awfulhak.org (tun.AwfulHak.org [194.242.139.173]) by hub.freebsd.org (Postfix) with ESMTP id 5A19637BEBD for ; Tue, 28 Mar 2000 17:39:35 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id CAA61959; Wed, 29 Mar 2000 02:33:49 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id CAA03951; Wed, 29 Mar 2000 02:33:45 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200003290133.CAA03951@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: Chance Daryl SrA AMC CSS/SAS
Cc: "'freebsd-net'" , brian@hak.lan.Awfulhak.org
Subject: Re: FW: bad link ppp
In-Reply-To: Message from Chance Daryl SrA AMC CSS/SAS of "Tue, 28 Mar 2000 15:16:45 MDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 29 Mar 2000 02:33:43 +0100
From: Brian Somers
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Ensure that sio1 was probed correctly (run ``dmesg''). If it is,
> > please post the full message.
>
> I'll keep this in mind when I try and install 4.0 again, the box
> was down for most of this weekend, so I made the wife a little
> ticked since she was bored and couldn't do anything on the net :).
>
> Just so I know for future knowledge, what should I do if it isn't
> probed correctly?
[.....]

Tricky.... there could be lots of things wrong. The most common things
are probably one of the following

o The modem is a winmodem (can't be fixed as it's not a *real* modem).
o You've got the wrong irq (need to boot with -c and fix it)
o You've got the wrong i/o address (use another com port)
o You've got a PnP modem (ensure you haven't set the BIOS to PnP os,
  otherwise boot -v to find the PnP id and file a bug report).
o Something else.... dunno. I usually avoid answering this sort of
  question :-/

> <--------------------------------------------------------------->
> <- SrA Daryl Chance   - A programmer is someone who solves a   ->
> <- USAF AMC CSS/SASR  - problem you didn't know you had in a   ->
> <- RAD Programmer     - way you don't understand.              ->
> <- (618) 256-5225     -                             - ?????    ->
> <--------------------------------------------------------------->

--
Brian

Don't _EVER_ lose your sense of humour !
From owner-freebsd-net Tue Mar 28 19:47:53 2000
Delivered-To: freebsd-net@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5F5F537BF30; Tue, 28 Mar 2000 19:47:46 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id TAA31075; Tue, 28 Mar 2000 19:47:46 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Tue, 28 Mar 2000 19:47:46 -0800 (PST)
From: Kris Kennaway
To: Mike Tancsa
Cc: Jeff Hamilton , freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <3.0.5.32.20000328142245.01bcf4c0@marble.sentex.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Mar 2000, Mike Tancsa wrote:

> 2 *possible* options... pptp (aka point 2 point tunneling protocol), or
> ipsec.

pptp isn't exactly a secure protocol, so you're much better served going
with ipsec unless you can't for some reason.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-net Wed Mar 29 5:32:36 2000
Delivered-To: freebsd-net@freebsd.org
Received: from roam.psg.com (dhcp-193-29.ietf.connect.com.au [169.208.193.29]) by hub.freebsd.org (Postfix) with ESMTP id 5B4EE37B66F for ; Wed, 29 Mar 2000 05:32:33 -0800 (PST) (envelope-from randy@psg.com)
Received: from randy by roam.psg.com with local (Exim 3.12 #1) id 12aIaA-0001yj-00; Wed, 29 Mar 2000 23:02:26 +0930
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Brian O'Shea"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
References: <20000328113534.W330@beastie.localdomain> <20000328145615.B330@beastie.localdomain>
Message-Id:
Date: Wed, 29 Mar 2000 23:02:26 +0930
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>> NAT will effectively protect the boxes on your network.
>> how? firewalls protect. nat merely translates addresses.
> Correct. And since there is no way for machines outside of my local
> network to know what internal addresses are being translated by my
> router, there is no way to address them from outside.

nats kindly create and generate the mappings for the attacker.

> Even if these addresses are known, there is no route to them from the
> internet;

there are routes to the addresses to which nat translates them.

> they are reserved for use by private networks:
>

wow! what an exciting rfc!

i am sitting next to three rather renowned security folk at the iesg/iab
breakfast here at the adelaide ietf. quote one whose book you probably
read

    "NATs per se provide little security. They can, however, be used as
    one component of a firewall, which does provide some security."

randy

From owner-freebsd-net Wed Mar 29 6: 8:20 2000
Delivered-To: freebsd-net@freebsd.org
Received: from catatonia.ip.versatel.net (catatonia.ip.versatel.net [212.48.44.33]) by hub.freebsd.org (Postfix) with ESMTP id 1583F37B579 for ; Wed, 29 Mar 2000 06:07:38 -0800 (PST) (envelope-from joshua@roughtrade.net)
Received: from localhost (joshua@localhost) by catatonia.ip.versatel.net (8.9.3/8.9.3) with ESMTP id QAA72615; Wed, 29 Mar 2000 16:07:21 +0200 (CEST) (envelope-from joshua@roughtrade.net)
Date: Wed, 29 Mar 2000 16:07:21 +0200 (CEST)
From: Joshua Goodall
X-Sender: joshua@catatonia
To: Randy Bush
Cc: "Brian O'Shea" , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> nats kindly create and generate the mappings for the attacker.

not if you are using a raw natd like many of us might use on a home
cable-modem-connected network e.g.

# /sbin/ifconfig fx0 inet 10.1.1.1 netmask 0xfffffe00
# /sbin/dhclient de0
# /sbin/natd -dynamic -n de0

or the rc.conf equivalent thereof.

However, I think Randy is essentially warning that each private address
can be statically mapped to a public one, demonstrating that NAT is not
necessarily a security feature, it's a convenience.

Security comes from application-layer content filtering, thorough
logging, packet filtering, competent administration, regular sweeps,
subscriptions to bugtraq et al, and so on into the darkness.

- J

From owner-freebsd-net Wed Mar 29 7:45:31 2000
Delivered-To: freebsd-net@freebsd.org
Received: from hotmail.com (law-f153.hotmail.com [209.185.131.216]) by hub.freebsd.org (Postfix) with SMTP id 1206A37B6ED for ; Wed, 29 Mar 2000 07:45:29 -0800 (PST) (envelope-from zak107@hotmail.com)
Received: (qmail 58275 invoked by uid 0); 29 Mar 2000 15:45:27 -0000
Message-ID: <20000329154527.58274.qmail@hotmail.com>
Received: from 192.117.163.3 by www.hotmail.com with HTTP; Wed, 29 Mar 2000 07:45:27 PST
X-Originating-IP: [192.117.163.3]
From: "Falsch Fillet"
To: freebsd-net@freebsd.org
Subject: Porting the (TCP/IP) net stack to another OS.
Date: Wed, 29 Mar 2000 07:45:27 PST

Hello All,

I am interested in exploring the possibility of porting the FreeBSD
networking code to another OS (e.g. VxWorks, pSOS). What are the major
issues in porting the FreeBSD networking code to another OS? Where would one
start? Any help is greatly appreciated.

Thanks in advance,
Zak.

Message-Id: <200003291602.IAA64030@jchurch.meer.net>
To: "Falsch Fillet"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Porting the (TCP/IP) net stack to another OS.
In-Reply-To: Message from "Falsch Fillet" of "Wed, 29 Mar 2000 07:45:27 PST." <20000329154527.58274.qmail@hotmail.com>
Date: Wed, 29 Mar 2000 08:02:08 -0800
From: George Neville-Neil

> Hello All,
>
> I am interested in exploring the possibility of porting the FreeBSD
> networking code to another OS (e.g. VxWorks, pSOS). What are the major
> issues in porting the FreeBSD networking code to another OS? Where would one
> start? Any help is greatly appreciated.
>

Why do that when it's already done for you? VxWorks and pSOS both run
modified Berkeley TCP/IP stacks.

Later,
George

Date: Wed, 29 Mar 2000 11:48:54 -0800
From: "Brian O'Shea"
To: Randy Bush
Cc: "Brian O'Shea", freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329114854.F330@beastie.localdomain>
References: <20000328113534.W330@beastie.localdomain> <20000328145615.B330@beastie.localdomain>

On Wed, Mar 29, 2000 at 11:02:26PM +0930, Randy Bush wrote:
> >>> NAT will effectively protect the boxes on your network.
> >> how? firewalls protect. nat merely translates addresses.
> > Correct. And since there is no way for machines outside of my local
> > network to know what internal addresses are being translated by my
> > router, there is no way to address them from outside.
>
> nats kindly create and generate the mappings for the attacker.

Excellent! Now, that's the kind of information I was asking for in my
original post. Could you elaborate on the security risks? How would an
attacker find out my internal network address (other than by reading this
e-mail message), and how would they address an IP packet to one of them
from outside of my network?

> > Even if these addresses are known, there is no route to them from the
> > internet;
>
> there are routes to the addresses to which nat translates them.

So how would an attacker address one of my internal machines from another
machine outside of my network? My network address on the internal net is
10.0.0.0/24 and I have one public IP address (provided by my ISP). I was
under the impression that the upstream router would drop all packets
destined for one of the RFC1918 networks.

> > they are reserved for use by private networks:
>
> wow! what an exciting rfc!

It wasn't meant to be entertaining! :) I just wanted to provide some
background, to differentiate it from other possible NAT configurations. I
am fairly new at this, so I am just providing as much information in my
questions as possible.

> i am sitting next to three rather renowned security folk at the iesg/iab
> breakfast here at the adelaide ietf. quote one whose book you probably read
> "NATs per se provide little security. They can, however, be used as one
> component of a firewall, which does provide some security."

Well, tell him or her thank you for me the next time you have breakfast
together!

> randy

-brian
--
Brian O'Shea
boshea@ricochet.net

Date: Wed, 29 Mar 2000 12:27:15 -0800
From: "Brian O'Shea"
To: Joshua Goodall
Cc: Randy Bush, "Brian O'Shea", freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329122715.G330@beastie.localdomain>

On Wed, Mar 29, 2000 at 04:07:21PM +0200, Joshua Goodall wrote:
> > nats kindly create and generate the mappings for the attacker.
>
> not if you are using a raw natd like many of us might use on a home
> cable-modem-connected network e.g.

What is raw natd, what are the other types of natd, and what distinguishes
them from one another?

> # /sbin/ifconfig fx0 inet 10.1.1.1 netmask 0xfffffe00
> # /sbin/dhclient de0
> # /sbin/natd -dynamic -n de0
>
> or the rc.conf equivalent thereof.
>
> However, I think Randy is essentially warning that each private address
> can be statically mapped to a public one, demonstrating that NAT is not
> necessarily a security feature, it's a convenience.

Ok, so that basically answers the question in my last post. If I
understand correctly, someone on the same subnet as my router's external
interface could set a static route to my internal network through my
router's external interface. In other words, I am vulnerable to attack
from anyone who subscribes to the same cable modem service that I do, and
happens to be on the same subnet (I believe subnets are regional, so that
means roughly anyone in my neighborhood). Not to mention anyone who
manages to compromise one of my neighbor's systems and subsequently attack
my system.

> Security comes from application-layer content filtering, thorough logging,
> packet filtering, competent administration, regular sweeps, subscriptions
> to bugtraq et al, and so on into the darkness.

This sounds like reason enough for me to implement some packet filtering
rules. Decision made. The next question is, if my assumptions (above) are
correct, is it sufficient to only block packets from the subnet to which
my external interface is connected?

-brian

> - J

Thank you! This is all very good information.

-brian
--
Brian O'Shea
boshea@ricochet.net

Date: Wed, 29 Mar 2000 13:26:33 -0800
From: "Brian O'Shea"
To: "Brian O'Shea"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329132633.H330@beastie.localdomain>
References: <20000329122715.G330@beastie.localdomain>

On Wed, Mar 29, 2000 at 12:27:15PM -0800, Brian O'Shea wrote:
> > However, I think Randy is essentially warning that each private address
> > can be statically mapped to a public one, demonstrating that NAT is not
> > necessarily a security feature, it's a convenience.
>
> Ok, so that basically answers the question in my last post. If I
> understand correctly, someone on the same subnet as my router's external
> interface could set a static route to my internal network through my
> router's external interface. In other words, I am vulnerable to attack
> from anyone who subscribes to the same cable modem service that I do, and
> happens to be on the same subnet (I believe subnets are regional, so
> that means roughly anyone in my neighborhood). Not to mention anyone
> who manages to compromise one of my neighbor's systems and subsequently
> attack my system.
>

It occurs to me that the problem I described in my last post (included
above) has nothing to do with NAT, but is the result of the fact that this
machine is a router, and so it forwards packets between interfaces if the
destination address is on a network connected to one of its interfaces.
But it is still a problem. Is this correct?

Thanks (and sorry for the numerous posts! I'm not usually this noisy)

-brian
--
Brian O'Shea
boshea@ricochet.net

Date: Wed, 29 Mar 2000 13:19:45 -0800
From: Scott Hess
To: "Brian O'Shea"
Cc: Joshua Goodall, Randy Bush, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329131945.A20455@river.avantgo.com>
References: <20000329122715.G330@beastie.localdomain>
In-Reply-To: <20000329122715.G330@beastie.localdomain>

On Wed, Mar 29, 2000 at 12:27:15PM -0800, Brian O'Shea wrote:
> The next question is, if my assumptions (above) are correct, is it
> sufficient to only block packets from the subnet to which my external
> interface is connected?

The two general classes of this problem are to allow all while denying
specific ports/ips, or to deny all and allow specific ports/ips. In a
hostile environment (I think cable modems qualify :-), you probably want
to deny all, and only allow through the specific things that are needed.

Denying everything has the added advantage of making it very clear what
needs to be open. Everything that breaks has to be fixed, and then you
know exactly what's going through. The downside is that you might spend
three weeks without email because you denied too much :-).

Later,
scott
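Worked example, added here and not code from anyone on the list: a small Python model of the first-match packet filter Scott describes, run over constructed packets to show why blocking only the local cable subnet (Brian's proposed minimum) still forwards packets addressed to 10.0.0.0/24 from elsewhere, while a deny-all ruleset with a few explicit allows does not. The interface names, the documentation-range addresses standing in for the ISP subnet and the router's public address, and the rule fields are assumptions; this is the decision logic only, not ipfw syntax.

```python
"""Model of a first-match packet filter for the NAT router in this thread.

Added example: addresses, interface names and rule fields are constructed
(documentation ranges stand in for the ISP's cable subnet and the router's
public address); this is not ipfw syntax, only the decision logic.

Assumed topology:
  10.0.0.0/24 behind interface "inside"; the router's public address
  203.0.113.10 sits on the ISP's shared subnet 203.0.113.0/24 via "outside".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

INSIDE_NET = ip_network("10.0.0.0/24")
CABLE_SUBNET = ip_network("203.0.113.0/24")          # constructed ISP subnet
PUBLIC_ADDR = "203.0.113.10"                         # constructed public address
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrives on: "inside" or "outside"
    src: str
    dst: str
    dport: int
    established: bool = False   # TCP ACK set, i.e. reply within an existing connection


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    iface: Optional[str] = None         # None means "any" for every field below
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    dport: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.established is None or self.established == p.established))


def filter_packet(rules: List[Rule], packet: Packet, default: str) -> str:
    """First matching rule wins; `default` is the implicit final rule."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Policy 1: a forwarding router with NAT and no filter at all (implicit allow).
NO_FILTER: List[Rule] = []

# Policy 2: Brian's proposed minimum, block only the local cable subnet.
BLOCK_CABLE_SUBNET = [
    Rule("deny", iface="outside", src=CABLE_SUBNET, dst=INSIDE_NET),
]

# Policy 3: Scott's advice, deny all and allow only what is needed.
DEFAULT_DENY = [
    # nothing arriving from outside may be addressed to private space,
    # whatever source address it carries (checked before the established rule)
    *[Rule("deny", iface="outside", dst=net) for net in RFC1918],
    # replies to connections the inside hosts opened (NAT'd to PUBLIC_ADDR)
    Rule("allow", iface="outside", established=True),
    # one service deliberately published on the router itself
    Rule("allow", iface="outside", dport=22),
    # inside hosts may open anything outbound
    Rule("allow", iface="inside", src=INSIDE_NET),
]

POLICIES = {
    "no filter": (NO_FILTER, "allow"),
    "block cable subnet": (BLOCK_CABLE_SUBNET, "allow"),
    "default deny": (DEFAULT_DENY, "deny"),
}

# Constructed sample traffic.
SAMPLES = {
    # neighbour on the cable subnet routing 10.0.0.0/24 via the router
    "neighbour -> 10.0.0.5:139": Packet("outside", "203.0.113.77", "10.0.0.5", 139),
    # same destination, source address outside the cable subnet
    "non-local -> 10.0.0.5:139": Packet("outside", "198.51.100.9", "10.0.0.5", 139),
    # reply to a web request an inside host made through NAT
    "web reply -> public": Packet("outside", "198.51.100.20", PUBLIC_ADDR, 1105, True),
    "unsolicited -> public:25": Packet("outside", "198.51.100.9", PUBLIC_ADDR, 25),
    "unsolicited -> public:22": Packet("outside", "198.51.100.9", PUBLIC_ADDR, 22),
    "inside -> web": Packet("inside", "10.0.0.5", "198.51.100.20", 80),
}


def verdicts(packet: Packet) -> dict:
    """Verdict of each policy for one packet, keyed by policy name."""
    return {name: filter_packet(rules, packet, default)
            for name, (rules, default) in POLICIES.items()}


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:28} {verdicts(pkt)}")
```

The subnet-only rule stops the neighbour but not a packet with a non-local source, which is the gap the default-deny policy closes.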
From: Randy Bush
To: Joshua Goodall
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Date: Thu, 30 Mar 2000 06:49:53 +0930

> Security comes from application-layer content filtering, thorough logging,
> packet filtering, competent administration, regular sweeps, subscriptions
> to bugtraq et al, and so on into the darkness.

bingo!

randy
From: Chance Daryl SrA AMC CSS/SAS
To: "'freebsd-net'"
Subject: RE: FW: bad link ppp
Date: Wed, 29 Mar 2000 15:34:03 -0600

> Tricky.... there could be lots of things wrong. The most common
> things are probably one of the following
>
> o The modem is a winmodem (can't be fixed as it's not a *real*
>   modem).
> o You've got the wrong irq (need to boot with -c and fix it)
> o You've got the wrong i/o address (use another com port)
> o You've got a PnP modem (ensure you haven't set the BIOS to PnP os,
>   otherwise boot -v to find the PnP id and file a bug report).
> o Something else.... dunno. I usually avoid answering this sort of
>   question :-/

Well, I know for sure the modem isn't a winmodem...but it can be plug and
play (it's not set up for it atm, set up on com2). As for the irq, that
could be it as I haven't checked that out. If I try it again, I'll check
the irq and the com port as well as the dmesg output. When you say -c, do
you mean when it gives the "kernel will boot in 9 seconds or hit enter to
boot immediately" message?

I've been using freebsd for about 1-2 months now and am just starting to
get into the interesting things of it...caching only dns, firewalls, port
aliasing, and dhcp....will soon tackle the kernel though, and from
there...who knows.

Thanks again for the help. I think I'm going to base a (yet another of the
many) how-to off my experience with ppp and the caching only dns. :). If
anyone would like to proof-read it and/or offer up any ideas, I'd
appreciate it. I know there's a lot of how-to's, but it only takes that one
that's worded just right for someone to go "DOH! That's what they meant in
the other tutorials". That's how it was with me and the dns server
yesterday :).

Ok, done rambling.

thanks,

SrA Daryl Chance
USAF AMC CSS/SASR
RAD Programmer
(618) 256-5225

"A programmer is someone who solves a problem you didn't know you had in a
way you don't understand." - ?????
From: Randy Bush
To: "Brian O'Shea"
Cc: Joshua Goodall, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
References: <20000329122715.G330@beastie.localdomain>
Date: Thu, 30 Mar 2000 07:20:09 +0930

> What is raw natd, what are the other types of natd, and what
> distinguishes them from one another?

see rfc 2663

randy

Date: Wed, 29 Mar 2000 15:02:22 -0800
From: "Brian O'Shea"
To: Randy Bush
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329150222.I330@beastie.localdomain>
References: <20000329122715.G330@beastie.localdomain>

On Thu, Mar 30, 2000 at 07:20:09AM +0930, Randy Bush wrote:
> > What is raw natd, what are the other types of natd, and what
> > distinguishes them from one another?
>
> see rfc 2663

Thanks, this is an interesting RFC. However, it doesn't answer my
question.

-brian
--
Brian O'Shea
boshea@ricochet.net

Message-ID: <001b01bf99d9$620ceb30$9ac2d0a9@ad.kpnqwest.fi>
From: "Petri Helenius"
Subject: IKE / IPsec
Date: Thu, 30 Mar 2000 09:13:47 +0930
Organization: KPNQwest Finland Oy

Is there a document on how to make IKE work in FreeBSD? I'd love to use
IPsec now that it's available with 4.0 but it's a little challenging
without working IKE daemon... (there is only a note that IKE is not in the
kernel)

Pete

Message-ID: <20000329235919.27032.qmail@hotmail.com>
From: "Falsch Fillet"
To: freebsd-net@freebsd.org
Subject: Re: Porting the (TCP/IP) net stack to another OS.
Date: Wed, 29 Mar 2000 15:59:19 PST
>From: George Neville-Neil
...
>
>Why do that when it's already done for you? VxWorks and pSOS both
>run modified Berkeley TCP/IP stacks.
>
>Later,
>George
>

Hi George,

Thanks for your response. These are not necessarily the platforms that
will be used (just an example). In any case, how about various "newer"
features, such as IPv6, which sometimes cannot be simply added to an
existing stack? I am asking generally.

Cheers,
Zak.

Message-ID: <38E2A373.E4144C0B@softweyr.com>
Date: Wed, 29 Mar 2000 17:44:35 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Falsch Fillet
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Porting the (TCP/IP) net stack to another OS.
References: <20000329154527.58274.qmail@hotmail.com>

Falsch Fillet wrote:
>
> Hello All,
>
> I am interested in exploring the possibility of porting the FreeBSD
> networking code to another OS (e.g. VxWorks, pSOS). What are the major
> issues in porting the FreeBSD networking code to another OS? Where would one
> start? Any help is greatly appreciated.

You might want to sniff around over at RTEMS, they did this last summer.
http://www.oarcorp.com/rtems/ is a starting point.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/

Date: Wed, 29 Mar 2000 21:20:09 -0500 (EST)
From: Wes Morgan
To: freebsd-net@freebsd.org
Subject: 5.0 tcp weirdness

In 5.0 since sometime last weekend, I have been experiencing some very
strange TCP problems. Complete inability to connect to some machines, poor
throughput, etc. I first noticed that my nameserver was having trouble
talking to some other nameservers, and at first thought @home was using
some very weird filtering, or maybe had set up something to require some
sort of DHCP validation (I don't bother with DHCP since my IP is virtually
static). After running dhclient, the nameserver lookups seemed to improve,
but there were still a few sites I could not connect to. Here is some data
I gathered:

tcpdump of conversation with an "unconnectable" site:

[root@volatile:/usr/home/by-tor#]: tcpdump src or dst port 110
tcpdump: listening on ed0
21:16:37.066637 ci391991-a.grnvle1.sc.home.com.1027 > mailbox.engr.sc.edu.pop3: S 1003018417:1003018417(0) win 16384 (DF)
21:16:40.066444 ci391991-a.grnvle1.sc.home.com.1027 > mailbox.engr.sc.edu.pop3: S 1003018417:1003018417(0) win 16384 (DF)
21:16:46.066497 ci391991-a.grnvle1.sc.home.com.1027 > mailbox.engr.sc.edu.pop3: S 1003018417:1003018417(0) win 16384 (DF)
21:16:58.066660 ci391991-a.grnvle1.sc.home.com.1027 > mailbox.engr.sc.edu.pop3: S 1003018417:1003018417(0) win 16384 (DF)
21:17:22.066970 ci391991-a.grnvle1.sc.home.com.1027 > mailbox.engr.sc.edu.pop3: S 1003018417:1003018417(0) win 16384 (DF)

nmap "TCP SYN stealth" scan _will_ successfully communicate with the
machine (according to tcpdump). The "Stealth FIN, Xmas, or Null" scans
report that the port is filtered, and the regular connect() scan doesn't
work at all. Booting to 4.0 solves ALL the problems.

**this is no complaint, but an offer to help find the problem**

My kernel config has INET and INET6 enabled, network card is an ed0
(Realtek 8029). Any other info is gladly provided!

--
Wesley N Morgan
morganw@engr.sc.edu
FreeBSD: The Power To Serve
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

To: pete@kpnqwest.fi
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IKE / IPsec
In-Reply-To: <001b01bf99d9$620ceb30$9ac2d0a9@ad.kpnqwest.fi>
References: <001b01bf99d9$620ceb30$9ac2d0a9@ad.kpnqwest.fi>
Message-Id: <20000330114336A.shin@nd.net.fujitsu.co.jp>
Date: Thu, 30 Mar 2000 11:43:36 +0900
From: Yoshinobu Inoue

> Is there a document on how to make IKE work in FreeBSD? I'd love to use
> IPsec now that it's
> available with 4.0 but it's a little challenging without working IKE
> daemon...
> (there is only a note that IKE is not in the kernel)
>
> Pete

I am trying to prepare a port for racoon, but it is continuously
changing somewhat backward incompatibly, and not successful yet.
Also now it provides no configuration information.
Also, its configuration file format change is scheduled soon.
I hope I can create a port for it around the time when the change is
finished.

Cheers,
Yoshinobu Inoue

Date: Wed, 29 Mar 2000 20:59:06 -0600 (CST)
From: Jonathan Lemon
Message-Id: <200003300259.UAA35767@prism.flugsvamp.com>
To: morganw@engr.sc.edu, net@freebsd.org
Subject: Re: 5.0 tcp weirdness

In article you write:
>In 5.0 since sometime last weekend, I have been experiencing some very
>strange TCP problems. Complete inability to connect to some machines, poor
>throughput, etc. I first noticed that my nameserver was having trouble
>talking to some other nameservers, and at first thought @home was using
>some very weird filtering, or maybe had set up something to require some
>sort of DHCP validation (I don't bother with DHCP since my IP is virtually
>static). After running dhclient, the nameserver lookups seemed to improve,
>but there were still a few sites I could not connect to. Here is some data
>I gathered:

Hmm. What's your routing table look like? I was seeing some really weird
problems like this (some connections okay, some not), when I had my
default route set to whatever gateway that @home gave me. After I changed
it to an interface route, the problems went away.
--
Jonathan

Date: Thu, 30 Mar 2000 10:58:37 +0200 (CEST)
From: Joshua Goodall
To: "Brian O'Shea"
Cc: Randy Bush, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To: <20000329150222.I330@beastie.localdomain>

I did not intend "raw" as a technical term. I meant simply the use of
/sbin/natd with a very bare & basic configuration, as might be implemented
by configuration via /etc/rc.conf

fyi the other possible NAT systems used on freebsd might be:

ipfilter
ppp -nat
netgraph ( i think )
+ many other implementations, but the above will provide you with
plenty of reading matter :)

- J

On Wed, 29 Mar 2000, Brian O'Shea wrote:

> On Thu, Mar 30, 2000 at 07:20:09AM +0930, Randy Bush wrote:
> > > What is raw natd, what are the other types of natd, and what
> > > distinguishes them from one another?
> >
> > see rfc 2663
>
> Thanks, this is an interesting RFC. However, it doesn't answer my
> question.
>
> -brian

From owner-freebsd-net Thu Mar 30 03:00:33 2000
Date: Thu, 30 Mar 2000 03:09:42 -0800
From: "Brian O'Shea"
To: Joshua Goodall
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000330030942.J330@beastie.localdomain>
References: <20000329150222.I330@beastie.localdomain>
In-Reply-To: from Joshua Goodall on Thu, Mar 30, 2000 at 10:58:37AM +0200

On Thu, Mar 30, 2000 at 10:58:37AM +0200, Joshua Goodall wrote:
>
> I did not intend "raw" as a technical term. I meant simply the use of
> /sbin/natd with a very bare & basic configuration, as might be implemented
> by configuration via /etc/rc.conf

Ah, got it. Thanks.

>
> fyi the other possible NAT systems used on freebsd might be:
>
> ipfilter
> ppp -nat
> netgraph ( i think )
> + many other implementations, but the above will provide you with
> plenty of reading matter :)

Terrific. Looks like I've got my work cut out for me. Thanks for all
of your help, it is much appreciated.

-brian

--
Brian O'Shea
boshea@ricochet.net

From owner-freebsd-net Thu Mar 30 08:13:47 2000
Message-ID: <20000330111335.44210@irbs.com>
Date: Thu, 30 Mar 2000 11:13:35 -0500
From: John Capo
To: freebsd-net@FreeBSD.ORG
Subject: Re: Porting the (TCP/IP) net stack to another OS.
References: <20000329154527.58274.qmail@hotmail.com>
In-Reply-To: <20000329154527.58274.qmail@hotmail.com>; from Falsch Fillet on Wed, Mar 29, 2000 at 07:45:27AM -0800

I wrapped the 1.X networking code including NFS around a real-time
tasker called Ucos that we were running on MIPS and 68K processors.
Both are big endian processors. I spent less than 40 hours getting
the loopback and a PPP serial interface working. Adding a file
descriptor mechanism for the tasks, a working select, and dealing
with variables in client/task side code from libc was much more of a
challenge. The kernel and task shared the same name/address space.

If I had to do it again I would budget at least 200 hours if a *nix
API is used, open/fopen/socket etc.

John Capo

Quoting Falsch Fillet (zak107@hotmail.com):
> Hello All,
>
> I am interested in exploring the possibility of porting the FreeBSD
> networking code to another OS (e.g. VxWorks, pSOS). What are the major
> issues in porting the FreeBSD networking code to another OS? Where would one
> start? Any help is greatly appreciated.
From owner-freebsd-net Thu Mar 30 10:56:55 2000
Message-ID: <38E3A371.8030917C@hetnet.nl>
Date: Thu, 30 Mar 2000 10:56:49 -0800
From: Wilbert de Graaf
To: freebsd-net@freebsd.org
Subject: The socket structure & igmpv3

Hello all,

I'm working on an implementation of the IGMPv3 protocol in the Net/3
stack, and several questions popped up. The first one is about the
socket structure.

The IGMPv3 protocol allows a process to set (ip) source filters, which
is a list of ip addresses of sources which indicates the process is not
(exclude mode) or just (include mode) interested to receive data from
those sources, on that particular socket. The igmpv3 extensions to the
socket api allow you to add source filters to sockets subscribed to one
or more multicast groups.

So a process identifies a socket with a descriptor, which is an index
into an array of pointers to file structures. These file structures
reside in the kernel and could be shared among processes. Now I'm
thinking about where to keep this sourcefilter-list. If it's possible
to share a socket between processes it could be that one process is
interested, but another is not. On the other hand, I believe the filter
is per socket and if it's shared ... so is the filter.

So my question is ... Is it true that such a filter should be attached /
stored within the socket datastructure ?

Thanks in advance,

Wilbert

Btw. Besides the fact that a sourcefilter-list per socket should be
implemented, there should also be a sourcefilter-list per (the in_multi{}
structure). This in order to generate IGMPv3 reports, or maybe in a later
stage to do filtering at a lower level in order to improve performance.
[Attachment: wilbertdg.vcf, Card for Wilbert de Graaf]
begin:vcard
n:de Graaf;Wilbert
url:http://home.hetnet.nl/~wilbertdg/
org:KPN Research
version:2.1
email;internet:wilbertdg@hetnet.nl
fn:Wilbert de Graaf
end:vcard

From owner-freebsd-net Thu Mar 30 11:12:24 2000
Date: Thu, 30 Mar 2000 14:12:15 -0500 (EST)
From: Garrett Wollman
Message-Id: <200003301912.OAA92561@khavrinen.lcs.mit.edu>
To: Wilbert de Graaf
Cc: freebsd-net@FreeBSD.ORG
Subject: The socket structure & igmpv3
In-Reply-To: <38E3A371.8030917C@hetnet.nl>
References: <38E3A371.8030917C@hetnet.nl>

< said:

> So my question is ... Is it true that such a filter should be attached
> / stored within the socket datastructure ?

Yes and no. You need to look more closely at how the FreeBSD
implementation works. Essentially, there are two levels of multicast
group subscription:

1) the per-interface subscription table (which drives IGMP), and
2) the per-socket subscription table (which is used mainly to ensure
   that groups are properly unsubscribed when the socket is closed).

Part (1) is not quite entirely different from the 4.4-Lite code.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-net Thu Mar 30 14:29:16 2000
Date: Thu, 30 Mar 2000 17:29:36 -0500 (EST)
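The two filter levels discussed in this exchange, as an added model that is not FreeBSD or KAME code: each socket keeps its own include/exclude source filter, and the per-interface filter that the in_multi-level record would advertise in an IGMPv3 report is derived from all socket filters for the group by the merge rule of RFC 3376 section 3.2. The type and function names and the sample addresses are constructed for the example.

```c
/* Added model, not FreeBSD or KAME code: per-socket IGMPv3 source filters
 * merged into the per-(interface, group) filter that drives the report.
 * Names are hypothetical; the merge rule is RFC 3376 section 3.2. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SRCS 8

enum filter_mode { MODE_INCLUDE, MODE_EXCLUDE };

/* A source filter: mode plus source list (IPv4, host byte order). */
struct src_filter {
    enum filter_mode mode;
    size_t nsrc;
    uint32_t src[MAX_SRCS];
};

static bool filter_has(const struct src_filter *f, uint32_t s)
{
    for (size_t i = 0; i < f->nsrc; i++)
        if (f->src[i] == s) return true;
    return false;
}

/* Add s unless already listed; false when the fixed-size list is full. */
static bool filter_add(struct src_filter *f, uint32_t s)
{
    if (filter_has(f, s)) return true;
    if (f->nsrc >= MAX_SRCS) return false;
    f->src[f->nsrc++] = s;
    return true;
}

/* Per-socket delivery decision: INCLUDE accepts only listed sources,
 * EXCLUDE accepts every source except the listed ones. */
bool socket_accepts(const struct src_filter *f, uint32_t s)
{
    bool listed = filter_has(f, s);
    return f->mode == MODE_INCLUDE ? listed : !listed;
}

/* Merge all socket filters of one (interface, group) into the filter the
 * in_multi-level record would report: all INCLUDE -> INCLUDE(union);
 * otherwise EXCLUDE(sources every EXCLUDE socket lists and no INCLUDE socket
 * lists). The interface filter accepts a source iff some socket accepts it. */
bool merge_interface_filter(const struct src_filter *socks, size_t nsocks,
                            struct src_filter *out)
{
    const struct src_filter *first_excl = NULL;
    out->mode = MODE_INCLUDE; out->nsrc = 0;
    for (size_t i = 0; i < nsocks && first_excl == NULL; i++)
        if (socks[i].mode == MODE_EXCLUDE) first_excl = &socks[i];

    if (first_excl == NULL) {               /* all INCLUDE (or no sockets) */
        for (size_t i = 0; i < nsocks; i++)
            for (size_t j = 0; j < socks[i].nsrc; j++)
                if (!filter_add(out, socks[i].src[j])) return false;
        return true;
    }

    out->mode = MODE_EXCLUDE;
    /* Only a source in some EXCLUDE list can be in the intersection. */
    for (size_t j = 0; j < first_excl->nsrc; j++) {
        uint32_t s = first_excl->src[j];
        bool keep = true;
        for (size_t i = 0; i < nsocks && keep; i++) {
            bool listed = filter_has(&socks[i], s);
            if (socks[i].mode == MODE_EXCLUDE ? !listed : listed) keep = false;
        }
        if (keep && !filter_add(out, s)) return false;
    }
    return true;
}

/* Constructed sample: two sockets joined to the same group on one interface. */
#define SRC_A 0x0A000001u   /* 10.0.0.1 */
#define SRC_B 0x0A000002u   /* 10.0.0.2 */
#define SRC_C 0x0A000003u   /* 10.0.0.3 */

static const struct src_filter sample_socks[2] = {
    { MODE_INCLUDE, 2, { SRC_A, SRC_B } },  /* wants only A and B */
    { MODE_EXCLUDE, 2, { SRC_B, SRC_C } },  /* wants everything except B and C */
};

bool sample_merge(struct src_filter *out)
{
    return merge_interface_filter(sample_socks, 2, out);
}

int main(void)
{
    struct src_filter ifl;
    if (!sample_merge(&ifl)) return 1;
    /* Expected: EXCLUDE with the single source 10.0.0.3. */
    printf("interface filter: %s, %zu source(s), first 10.0.0.%u\n",
           ifl.mode == MODE_EXCLUDE ? "EXCLUDE" : "INCLUDE", ifl.nsrc,
           (unsigned)(ifl.src[0] & 0xffu));
    return 0;
}
```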
From: Wes Morgan
To: Jonathan Lemon
Cc: net@freebsd.org
Subject: Re: 5.0 tcp weirdness
In-Reply-To: <200003300259.UAA35767@prism.flugsvamp.com>

Well, I would think there may be some merit in this if I didn't see a
sudden functionality return when I boot a 4.0 kernel. However, the routing
tables are functionally the same:

Routing tables in 4.0:

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            24.9.31.1          UGSc       17       13      ed0
24.9.31/24         link#1             UC          0        0      ed0 =>
24.9.31.1          8:0:3e:e:e9:4f     UHLW       18        0      ed0    792
24.9.31.255        ff:ff:ff:ff:ff:ff  UHLWb       1      402      ed0
localhost          localhost          UH          3     1733      lo0

Routing tables in 5.0:

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            24.9.31.1          UGSc       13        0      ed0
24.9.31/24         link#1             UC          0        0      ed0 =>
24.9.31.1          8:0:3e:e:e9:4f     UHLW       14        0      ed0   1169
24.9.31.255        ff:ff:ff:ff:ff:ff  UHLWb       1        1      ed0
localhost          localhost          UH          2       55      lo0

On Wed, 29 Mar 2000, Jonathan Lemon wrote:

> Hmm. What's your routing table look like? I was seeing some really
> weird problems like this (some connections okay, some not), when I
> had my default route set to whatever gateway that @home gave me.
> After I changed it to an interface route, the problems went away.
> --
> Jonathan

--
Wesley N Morgan
morganw@engr.sc.edu
FreeBSD: The Power To Serve
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
From owner-freebsd-net Fri Mar 31 03:14:51 2000
Message-Id: <200003311114.MAA01613@hak.lan.Awfulhak.org>
To: "Brian O'Shea"
Cc: Joshua Goodall, Randy Bush, freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To: Message from "Brian O'Shea" of "Wed, 29 Mar 2000 12:27:15 -0800." <20000329122715.G330@beastie.localdomain>
Date: Fri, 31 Mar 2000 12:14:36 +0100
From: Brian Somers

> > However, I think Randy is essentially warning that each private address
> > can be statically mapped to a public one, demonstrating that NAT is not
> > necessarily a security feature, it's a convenience.
>
> Ok, so that basically answers the question in my last post. If I
> understand correctly, someone on the same subnet as my router's external
> interface could set a static route to my internal network through my
> router's external interface. In other words, I am vulnerable to attack
> from anyone who subscribes to the same cable modem service that I do, and
> happens to be on the same subnet (I believe subnets are regional, so
> that means roughly anyone in my neighborhood). Not to mention anyone
> who manages to compromise one of my neighbor's systems and subsequently
> attack my system.

Hmm, there's a PacketAliasSetTarget() function in libalias that will
direct all incoming connections to a given IP number irrespective of
their destination address. Unfortunately, it's not used by either
ppp or natd.

I think I'll add a ``nat target'' command to ppp.

--
Brian
Don't _EVER_ lose your sense of humour !
From owner-freebsd-net Fri Mar 31 03:33:40 2000
Message-Id: <200003311133.MAA01679@hak.lan.Awfulhak.org>
To: Chance Daryl SrA AMC CSS/SAS
Cc: "'freebsd-net'", brian@hak.lan.Awfulhak.org
Subject: Re: FW: bad link ppp
In-Reply-To: Message from Chance Daryl SrA AMC CSS/SAS of "Wed, 29 Mar 2000 15:34:03 MDT."
Date: Fri, 31 Mar 2000 12:33:28 +0100
From: Brian Somers

> If I try it again, I'll check the irq and the com port as well as
> the dmesg output. when you say -c, do you mean when it gives the
> "kernel will boot in 9 seconds or hit enter to boot immediately" message?

Yep, press a key and then type ``boot -c''.

--
Brian
Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Fri Mar 31 04:07:29 2000
Date: Fri, 31 Mar 2000 16:06:23 +0400 (MSD)
From: Andrey Sverdlichenko
To: freebsd-net@freebsd.org
Subject: hostcache

I need to store some info (in kernel) indexed by peer hosts' ip
addresses. The in_hostcache.h interface looks good, but I haven't found
any use of it in -CURRENT kernel sources. Is this interface obsoleted
by another?

From owner-freebsd-net Fri Mar 31 06:07:20 2000
Message-Id: <200003311406.PAA02684@hak.lan.Awfulhak.org>
To: Brian Somers
Cc: "Brian O'Shea", Joshua Goodall, Randy Bush, freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To: Message from Brian Somers of "Fri, 31 Mar 2000 12:14:36 BST." <200003311114.MAA01613@hak.lan.Awfulhak.org>
Date: Fri, 31 Mar 2000 15:06:22 +0100
From: Brian Somers

> > > However, I think Randy is essentially warning that each private address
> > > can be statically mapped to a public one, demonstrating that NAT is not
> > > necessarily a security feature, it's a convenience.
> >
> > Ok, so that basically answers the question in my last post. If I
> > understand correctly, someone on the same subnet as my router's external
> > interface could set a static route to my internal network through my
> > router's external interface. In other words, I am vulnerable to attack
> > from anyone who subscribes to the same cable modem service that I do, and
> > happens to be on the same subnet (I believe subnets are regional, so
> > that means roughly anyone in my neighborhood). Not to mention anyone
> > who manages to compromise one of my neighbor's systems and subsequently
> > attack my system.
>
> Hmm, there's a PacketAliasSetTarget() function in libalias that will
> direct all incoming connections to a given IP number irrespective of
> their destination address. Unfortunately, it's not used by either
> ppp or natd.
>
> I think I'll add a ``nat target'' command to ppp.

In fact, there's a bug in libalias. Packets destined to anything
that's not redirected (with PacketAliasRedirectAddr() or implicitly)
should be redirected to the alias address according to the
documentation.

This is now reality (as of about a minute ago).

--
Brian
Don't _EVER_ lose your sense of humour !
From owner-freebsd-net Fri Mar 31 06:20:52 2000
In-Reply-To: <200003311406.PAA02684@hak.lan.Awfulhak.org>
Date: Fri, 31 Mar 2000 16:20:38 +0200 (MET DST)
Reply-To: mm@i.cz
From: Martin Machacek
To: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.

On 31-Mar-00 Brian Somers wrote:
> In fact, there's a bug in libalias. Packets destined to anything
> that's not redirected (with PacketAliasRedirectAddr() or implicitly)
> should be redirected to the alias address according to the
> documentation.
>
> This is now reality (as of about a minute ago).

There is possibly another bug in natd/libalias. Incoming ICMP packets are
being translated and forwarded if there is some "redirect address" configured
even if "deny-incoming" is specified. TCP/UDP packets are denied correctly. I
haven't had enough time to inspect this possible problem more thoroughly so I
haven't produced any PR yet. Maybe somebody else has more time ... :-)

Martin
---
[PGP KeyID F3F409C4]

From owner-freebsd-net Fri Mar 31 06:39:34 2000
Message-Id: <200003311439.PAA03288@hak.lan.Awfulhak.org>
To: mm@i.cz
Cc: freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To: Message from Martin Machacek of "Fri, 31 Mar 2000 16:20:38 +0200."
Date: Fri, 31 Mar 2000 15:39:08 +0100
From: Brian Somers

>
> On 31-Mar-00 Brian Somers wrote:
> > In fact, there's a bug in libalias. Packets destined to anything
> > that's not redirected (with PacketAliasRedirectAddr() or implicitly)
> > should be redirected to the alias address according to the
> > documentation.
> >
> > This is now reality (as of about a minute ago).
>
> There is possibly another bug in natd/libalias. Incoming ICMP packets are
> being translated and forwarded if there is some "redirect address" configured
> even if "deny-incoming" is specified. TCP/UDP packets are denied correctly. I
> haven't had enough time to inspect this possible problem more thoroughly so I
> haven't produced any PR yet. Maybe somebody else has more time ... :-)

Yes, I think I noticed this when I was in there a little while ago.
The DENY_INCOMING flag is only checked for incoming tcp/udp connections.

> Martin
>
> ---
> [PGP KeyID F3F409C4]

--
Brian
Don't _EVER_ lose your sense of humour !

From owner-freebsd-net Fri Mar 31 21:21:44 2000
Message-ID: <38E517F6.EBE5D183@cgf.net>
Date: Fri, 31 Mar 2000 21:26:14 +0000
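The two libalias points raised in the messages above (unredirected inbound packets should go to the alias or target address, and the deny-incoming flag was only checked on the TCP/UDP path, so ICMP slipped through to a redirect address), as an added model that is not libalias or natd code: the buggy decision shape beside the corrected one, run over a constructed session table. The names (nat_state, inbound_buggy, inbound_fixed, sample_state) and all addresses are assumptions made for the example.

```c
/* Added model, not libalias or natd code: the inbound decision path the two
 * messages above discuss. Names (nat_state, inbound_buggy, inbound_fixed)
 * are hypothetical and the table and addresses are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17
#define MAX_SESS   16

enum verdict { V_DROP, V_EXISTING, V_REDIRECT, V_TARGET };

/* A translation created by earlier outbound traffic. For TCP/UDP the key is
 * the alias port; for ICMP echo the identifier plays that role. */
struct session {
    uint8_t  proto;
    uint16_t alias_port;
    uint32_t priv_addr;
};

struct nat_state {
    uint32_t alias_addr;     /* public address of the NAT box */
    uint32_t target_addr;    /* PacketAliasSetTarget()-style default, 0 = unset */
    uint32_t redirect_addr;  /* static "redirect address", 0 = none */
    bool     deny_incoming;
    struct session sess[MAX_SESS];
    size_t   nsess;
};

struct pkt {
    uint8_t  proto;
    uint16_t dst_port;       /* destination port, or ICMP echo id */
};

static const struct session *find_session(const struct nat_state *st,
                                          const struct pkt *p)
{
    for (size_t i = 0; i < st->nsess; i++)
        if (st->sess[i].proto == p->proto && st->sess[i].alias_port == p->dst_port)
            return &st->sess[i];
    return NULL;
}

/* Shape of the bug reported above: deny_incoming is consulted only on the
 * TCP/UDP path, so an unsolicited ICMP packet still reaches the redirect. */
enum verdict inbound_buggy(const struct nat_state *st, const struct pkt *p,
                           uint32_t *new_dst)
{
    const struct session *s = find_session(st, p);
    if (s) { *new_dst = s->priv_addr; return V_EXISTING; }
    if ((p->proto == PROTO_TCP || p->proto == PROTO_UDP) && st->deny_incoming)
        return V_DROP;
    if (st->redirect_addr) { *new_dst = st->redirect_addr; return V_REDIRECT; }
    /* Nothing redirects it: target address if set, else the alias address. */
    *new_dst = st->target_addr ? st->target_addr : st->alias_addr;
    return V_TARGET;
}

/* Corrected shape: replies to existing sessions pass; every other inbound
 * packet is dropped when deny_incoming is set, whatever its protocol. */
enum verdict inbound_fixed(const struct nat_state *st, const struct pkt *p,
                           uint32_t *new_dst)
{
    const struct session *s = find_session(st, p);
    if (s) { *new_dst = s->priv_addr; return V_EXISTING; }
    if (st->deny_incoming)
        return V_DROP;
    if (st->redirect_addr) { *new_dst = st->redirect_addr; return V_REDIRECT; }
    *new_dst = st->target_addr ? st->target_addr : st->alias_addr;
    return V_TARGET;
}

/* Constructed state: one outbound TCP session and a static redirect. */
#define ALIAS_ADDR    0xC0000201u  /* 192.0.2.1, documentation range */
#define REDIRECT_ADDR 0xC0A8010Au  /* 192.168.1.10 */
#define SESSION_HOST  0xC0A80114u  /* 192.168.1.20 */

void sample_state(struct nat_state *st)
{
    *st = (struct nat_state){ .alias_addr = ALIAS_ADDR,
                              .redirect_addr = REDIRECT_ADDR,
                              .deny_incoming = true, .nsess = 1 };
    st->sess[0] = (struct session){ PROTO_TCP, 40000, SESSION_HOST };
}

int main(void)
{
    struct nat_state st;
    const struct pkt ping = { PROTO_ICMP, 7 };   /* unsolicited echo request, id 7 */
    uint32_t d1 = 0, d2 = 0;
    sample_state(&st);
    /* Expected: buggy=2 (V_REDIRECT), fixed=0 (V_DROP). */
    printf("icmp probe: buggy=%d fixed=%d\n", (int)inbound_buggy(&st, &ping, &d1),
           (int)inbound_fixed(&st, &ping, &d2));
    return 0;
}
```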
From: tomb
Organization: Badger Basters (We do it with lard!)
To: freebsd-net@freebsd.org
Subject: Release 4.0 and IPSec

Hi,

I'm planning to set up a VPN using IPSec. I hear that Release 4.0 has
improved IPSec features.

I have looked around and found an older distribution of kame based IPSec
from Release 3.1.

I was expecting the IPSec stuff to be part of the base code or have a
port with 4.0. But I can't find either. I expect that it's either fully
integrated or has to be custom built. Which is it?

Can anybody point me in the right direction please. I found a good
paper on implementing it with Release-3.1 but nothing on 4.0 .

Thanks in advance.

Tom

From owner-freebsd-net Fri Mar 31 23:41:51 2000
Date: Fri, 31 Mar 2000 23:41:56 -0800
From: Arun Sharma
To: freebsd-net@freebsd.org
Subject: kernel vs user level implementation of NAT
Message-ID: <20000331234156.A28140@sharmas.dhs.org>

Can someone point me to some discussion or literature on why *BSDs
chose to implement natd as a daemon as opposed to a kernel service ?
I'm particularly interested in the performance (latency) aspects of
the issue.

Thanks in advance,

-Arun

From owner-freebsd-net Sat Apr 1 10:55:38 2000
Date: Sat, 1 Apr 2000 12:59:07 -0600
From: Jonathan Lemon
To: Wes Morgan
Cc: Jonathan Lemon, net@freebsd.org
Subject: Re: 5.0 tcp weirdness
Message-ID: <20000401125907.B946@prism.flugsvamp.com>
References: <200003300259.UAA35767@prism.flugsvamp.com>

On Thu, Mar 30, 2000 at 05:29:36PM -0500, Wes Morgan wrote:
> Well, I would think there may be some merit in this if I didn't see a
> sudden functionality return when I boot a 4.0 kernel. However, the routing
> tables are functionally the same:

I've just committed a patch to -current to fix a problem that cropped
up when using divert sockets (e.g.: natd). Try cvsuping again and
see if it fixes your problem.
--
Jonathan

From owner-freebsd-net Sat Apr 1 11:24:08 2000
To: tomb@cgf.net
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Release 4.0 and IPSec
In-Reply-To: <38E517F6.EBE5D183@cgf.net>
References: <38E517F6.EBE5D183@cgf.net>
Message-Id: <20000402042449E.shin@nd.net.fujitsu.co.jp>
Date: Sun, 02 Apr 2000 04:24:49 +0900
From: Yoshinobu Inoue

> Hi,
>
> I'm planning to set up a VPN using IPSec. I hear that Release 4.0 has
> improved IPSec features.
>
> I have looked around and found an older distribution of kame based IPSec
> from Release 3.1.
>
> I was expecting the IPSec stuff to be part of the base code or have a
> port with 4.0. But I can't find either. I expect that it's either fully
> integrated or has to be custom built. Which is it?
>
> Can anybody point me in the right direction please. I found a good
> paper on implementing it with Release-3.1 but nothing on 4.0 .
>
> Thanks in advance.
>
> Tom

It is in a base distribution (except racoon, an IKE daemon).
Please try below for its usage.

http://www.freebsd.org/handbook/ipsec.html

Cheers,
Yoshinobu Inoue