From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 24 11:03:08 2006
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 24 Jul 2006 11:02:42 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw  [modules] ipfw and ip6fw do not work prop
o [2006/02/13] kern/93300  ipfw  ipfw pipe lost packets
o [2006/03/29] kern/95084  ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/v
o [2006/05/19] kern/97504  ipfw  [ipfw] IPFW Rules bug
o [2006/05/26] kern/97951  ipfw  [ipfw] [patch] ipfw does not tie interfac
o [2006/06/11] kern/98831  ipfw  [ipfw] ipfw has UDP hickups

12 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/03/13] bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/16] kern/91847  ipfw  [ipfw] ipfw with vlanX as the device
o [2006/02/16] kern/93422  ipfw  ipfw divert rule no longer works in 6.0 (
o [2006/03/31] bin/95146   ipfw  [ipfw][patch]ipfw -p option handler is bo

19 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 26 19:45:11 2006
Message-ID: <44C7C55E.3090907@elaconta.com>
Date: Wed, 26 Jul 2006 20:41:18 +0100
From: "elaconta.com Webmaster"
To: freebsd-ipfw@freebsd.org
Subject: FreeBSD Gateway to replace old Linux gateway

Howdy

We have here an old (Mandrake Linux 8 - yeah, I know...) PC with two NICs which serves as a firewall for our LAN and runs a Bind caching nameserver. Although the machine is getting old, it still works well. Thing is, I'm having a hard time trying to reproduce it, that is, getting another PC to do exactly the same thing this PC is doing. It was configured by a guy that left the company, so I can't simply ask him how he configured it.

It's a precautionary measure: if the machine breaks down we need another one to go in its place. So while I am at it I would love to replace the crusty old thing with a new one running FreeBSD.

The networking scheme is:

Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN

Now, thing is, the Linux firewall has two NICs:

NIC 1: 192.168.1.121
NIC 2: 192.168.1.122

The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24).

From what I've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if I went and got a FreeBSD rig to replace the old Linux rig, it would have to retain this networking scheme; we can't afford to reconfigure the entire network just for switching our firewall.
I know we could use a network bridge, but we need the caching nameserver functionality.

I'm an all-round Unix guy, but I'm a bit green in the routing department.

Can a FreeBSD box be configured the same way the Linux box is, so it can be a drop-in replacement for the Linux box? I can of course depict in further detail the configuration of the Linux box (netstat -r to show the routes, ifconfig or whatever).

I've already prepped a FreeBSD 6.1 box which already works if the NICs in the gateway are in different subnets (dc0 is 192.168.1.125 and dc1 is 192.168.0.5, for instance); I've changed a PC in the network to the 192.168.0.20 IP (instead of 192.168.1.20) and it connected without a problem to the Internet, but we have lots of appliances which depend on the 192.168.1.0 style network. We would need the two NICs in the box to be in the same subnet...

-----------------------------
Elaconta.com Webmaster
-----------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 26 22:16:25 2006
Date: Wed, 26 Jul 2006 19:16:23 -0300 (ADT)
From: Tony Abou-Assaleh
To: "elaconta.com Webmaster"
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <44C7C55E.3090907@elaconta.com>
Subject: Re: FreeBSD Gateway to replace old Linux gateway

I would like to see a reference that shows that it is not possible to have two networks with the same subnet IP ranges. In fact, your working Linux PC is a good example that it can be done.

You need to be careful not to use the same full IP address on both sides of the network, that's about it. The rest can be handled with a proper configuration of the routing table.

Take a look at your routing table (using route) and see if you can reproduce it on FreeBSD. If you run into problems on the FreeBSD, report them, and someone might recognize something.

Cheers,

TAA

-----------------------------------------------------
Tony Abou-Assaleh
Email: taa@acm.org
Web site: http://taa.eits.ca
----------------------[THE END]----------------------

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 26 23:07:07 2006
Message-ID: <44C7F4BE.2080805@elaconta.com>
Date: Thu, 27 Jul 2006 00:03:26 +0100
From: "elaconta.com Webmaster"
To: Tony Abou-Assaleh
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <44C7C55E.3090907@elaconta.com>
Subject: Re: FreeBSD Gateway to replace old Linux gateway

The routing table on the Linux box, as shown per the "route" command:

[root@visao root]# route
Tabela de Roteamento IP do Kernel
Destino         Roteador        MáscaraGen.     Opções Métrica Ref    Uso Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.120   0.0.0.0         UG    0      0        0 eth0

Hum, some things in this table are in Portuguese... Basically "Tabela de Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means Destiny, "Roteador" means Router, "Máscara" means Mask.

Now the thing that strikes me in this Linux routing table are the asterisks (*). Are they normal, or some kind of Linux black magic? Is there a way to reproduce this routing table on FreeBSD? What do the asterisks mean?
-----------------------------
Elaconta.com Webmaster
-----------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 26 23:11:06 2006
Sender: "FatBeard The Pirate"
To: freebsd-ipfw@freebsd.org
Date: Wed, 26 Jul 2006 18:11:09 -0500
In-Reply-To: <44C7C55E.3090907@elaconta.com>
Subject: RE: FreeBSD Gateway to replace old Linux gateway

I was thinking that the interfaces could simply be bridged. Could you do a traceroute from a workstation to, say, google.com and see if the firewall appears as a hop? If it's a hop, it's routing, vs. if it's invisible, it's bridging. That should help guide you in the creation of a replacement.

DBM

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 27 03:15:45 2006
Date: Thu, 27 Jul 2006 00:15:44 -0300 (ADT)
From: Tony Abou-Assaleh
To: "elaconta.com Webmaster"
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <44C7F4BE.2080805@elaconta.com>
Subject: Re: FreeBSD Gateway to replace old Linux gateway

On Thu, 27 Jul 2006, elaconta.com Webmaster wrote:

> The routing table on the Linux box, as shown per the "route" command:
>
> [root@visao root]# route
> Tabela de Roteamento IP do Kernel
> Destino         Roteador        MáscaraGen.     Opções Métrica Ref    Uso Iface
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.1.120   0.0.0.0         UG    0      0        0 eth0
>
> Hum, some things in this table are in Portuguese... Basically "Tabela de
> Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
> Destiny, "Roteador" means Router, "Máscara" means Mask.
> Now the thing that strikes me in this Linux routing table are the
> asterisks (*). Are they normal, or some kind of Linux black magic?
> Is there a way to reproduce this routing table on FreeBSD? What do the
> asterisks mean?

In English, the headings are:

Destination Gateway Genmask Flags Metric Ref Use Iface

Gateway is more appropriately described as 'next hop'. In your case, that would be the IP of your router for all outgoing external traffic. Since the internal traffic is connected directly (likely through an Ethernet hub), packets going to the LAN should be destined directly to their destination IP.
According to your routing table, I believe there is no way to access the web interface of your router (if any) from your LAN, because all 192.168.1.* traffic will be sent on eth1, which is your LAN.

You can use the route command to manipulate the routing table directly and reproduce the above. I think it can also be done using the firewall, but it's a little trickier there. Check your firewall rules to see if it is set explicitly there (if it is, then you should see rules that are similar to the entries in the routing table in terms of content).

Cheers,

TAA

-----------------------------------------------------
Tony Abou-Assaleh
Email: taa@acm.org
Web site: http://taa.eits.ca
----------------------[THE END]----------------------
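As an added example (not code from the thread or from any of its posters), the following Python parses the `route` output posted above, reading the `*` gateway column as "no next hop, deliver on-link", and runs the same longest-prefix lookup the kernel does; it makes Tony's point concrete: under this table 192.168.1.120 matches the LAN route and is sent out eth1, not eth0. The sample table is constructed from the quoted message, and the route(8) conversion at the end is an assumption about how the gateway entries would be expressed on FreeBSD, not the poster's configuration.

```python
"""Parse net-tools style `route` output, as pasted in the thread, and look
destinations up in it the way the kernel does (longest prefix wins)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the table posted in the thread (Portuguese headings kept,
# since the parser skips any heading row). In net-tools output a `*` in the
# gateway column stands for 0.0.0.0: no next hop, the destination is on-link
# and the packet is delivered directly on that interface.
ROUTE_OUTPUT = """\
Tabela de Roteamento IP do Kernel
Destino         Roteador        MáscaraGen.     Opções Métrica Ref    Uso Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.120   0.0.0.0         UG    0      0        0 eth0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None == "*" (directly connected)
    flags: str
    iface: str


def parse_route_output(text: str) -> list[Route]:
    """Return the data rows of `route` output; heading rows in any language
    fail to parse as addresses and are skipped."""
    routes: list[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[-1]
        if dest == "default":
            dest, mask = "0.0.0.0", "0.0.0.0"
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
        except ValueError:
            continue  # heading row, not a route
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, flags, iface))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the earlier entry wins,
    which is why the duplicated 192.168.1.0/24 line changes nothing."""
    ip = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def duplicate_routes(routes: list[Route]) -> list[Route]:
    """Entries listed more than once (the posted table has 192.168.1.0/24 twice)."""
    seen: set[Route] = set()
    dups: list[Route] = []
    for r in routes:
        if r in seen and r not in dups:
            dups.append(r)
        seen.add(r)
    return dups


def to_freebsd_route_commands(routes: list[Route]) -> list[str]:
    """Render the gateway routes as FreeBSD route(8) commands (assumption: the
    same next hop is reachable there). Directly connected networks ("*") are
    not emitted: on FreeBSD they appear from the interface addresses set with
    ifconfig."""
    cmds: list[str] = []
    for r in routes:
        if r.gateway is None:
            continue
        if r.network.prefixlen == 0:
            cmds.append(f"route add default {r.gateway}")
        else:
            cmds.append(f"route add -net {r.network} {r.gateway}")
    return cmds


if __name__ == "__main__":
    table = parse_route_output(ROUTE_OUTPUT)
    # 192.168.1.120 is the router, yet it matches the LAN route, so it is sent
    # out eth1 rather than eth0: Tony's point about the router's web interface.
    for dst in ("192.168.1.20", "192.168.1.120", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:15} -> {r.iface:5} via {r.gateway or 'on-link'}")
    print("duplicates:", duplicate_routes(table))
    print("\n".join(to_freebsd_route_commands(table)))
```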
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 08:05:14 2006
From: vladone
To: ipfw@freebsd.org
Date: Fri, 28 Jul 2006 11:05:14 +0300
In-Reply-To: <44C7F4BE.2080805@elaconta.com>
Subject: Re[2]: FreeBSD Gateway to replace old Linux gateway

Hello elaconta.com,

You have two simple solutions, and one a little more complicated:

1. Use a bridge, as someone suggested.

2. If you don't want to change the network configuration, then change the part from the firewall to the hub or modem or whatever you have. For example:

   modem 10.1.1.1 <----> 10.1.1.2 firewall (FreeBSD 6.1) 192.168.1.2 <------> LAN 192.168.1.0/24

   with a simple natd config like this:

   use_sockets yes
   same_ports yes
   interface xl0
   dynamic yes

   assuming that in your firewall xl0 is the external interface with IP 10.1.1.2; configure the kernel with the proper options, and use ipfirewall.

3. I think that it is a bit more complicated with route, but I don't think that can work; but you can try.

I recommend you variant 2 because it is very clear, and you need to change only the modem's internal IP.

--
Best regards,
vladone mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 08:31:40 2006
Date: Fri, 28 Jul 2006 11:31:45 +0300
From: vladone
Message-ID: <50272484.20060728113145@spaingsm.com>
To: ipfw@freebsd.org
In-Reply-To: <367935308.20060728110514@spaingsm.com>
Subject: Re[3]: FreeBSD Gateway to replace old Linux gateway

> [...]
> I recommend you variant 2 because it is very clear, and you need to change
> only the modem's internal IP.

You can try this too. Put the IPs how you want, and then use ipfw+natd,
with natd configured as I explained in the previous message. In the ipfw
rules you need to have a rule like:

    add 100 divert natd ip from any to any

It should work, but I think that you need to manipulate the routing table
too, because packets need to know where to go. For that try to set this in
rc.conf (but I think that you have already set that):

    defaultrouter="192.168.1.2"
    gateway_enable="YES"

where 192.168.1.2 (for example) is the IP of the external interface on your
firewall.

--
Best regards,
 vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 11:12:36 2006
Message-ID: <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
Date: Fri, 28 Jul 2006 12:12:32 +0100
From: "Adam Egan"
To: freebsd-ipfw@freebsd.org
In-Reply-To: <28745bbf0607270947i6d71369fg5c1403b2d6e36219@mail.gmail.com>
Subject: ipfw and natd routing problems

Hi,

I've recently installed FreeBSD on a Soekris Net 4801 to act as my LAN's
router. I have got natd and ipfw working fine (there was originally some
trouble with getting an IP from NTL via dhcp because I hadn't allowed the
cable modem's IP to talk to the router, or NTL's dhcp servers to also talk
to the router). My only problem now is that although connections going out
through natd work fine, natd port forwarding does not work correctly. I am
not sure whether this is a problem with natd or just my ipfw rule(s), though
I am more inclined to believe it is ipfw!

ipfw and natd are enabled in /etc/rc.conf through the following lines:

#enable firewall
firewall_enable="YES"
#path to rules
firewall_type="/etc/fw/firewall.rules"
#be non-verbose?
firewall_quiet="NO"
#enable natd
natd_enable="YES"
#natd interface
natd_interface="sis0"
#flags for natd
natd_flags="-f /etc/fw/natd.conf"

Below is my ipfw natd rule, and the natd.conf file:

[ipfw]
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to any in via sis0
add 01001 check-state

[natd.conf]
unregistered_only
interface sis0
use_sockets
dynamic
punch_fw 2000:100
same_ports
redirect_port tcp 192.168.0.5:80 80
redirect_port tcp 192.168.0.5:6700-6725 6700-6725

When trying to access port 80 (the httpd) externally, the connection just
times out, as does any other connection. Any help would be greatly
appreciated!

Adam

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 13:38:02 2006
To: "vladone"
Date: Fri, 28 Jul 2006 13:37:53 +0000
In-Reply-To: <367935308.20060728110514@spaingsm.com>
From: "Webmaster Elaconta"
Cc: ipfw@freebsd.org
Subject: Re: Re[2]: FreeBSD Gateway to replace old Linux gateway

Thanks for the tips everyone. I've thought about the subject and I'm going
to use a bridge to solve the problem. As it is, we're NATing something that
is already NATed (our router already hands out addresses in the 192.168.1.x
range). Therefore, we're going with the bridge, even if it means
reconfiguring all the clients in the LAN.

-----------------------------------
Elaconta.com webmaster
-----------------------------------

On 7/28/2006, "vladone" wrote:

>You have two simple solutions, and one a little more complicated:
>1. Use a bridge, as someone suggested.
>[...]
> I recommend you variant 2 because it is very clear, and you need to change
> only the modem's internal IP.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 17:55:17 2006
Message-ID: <44CA4F80.5030009@pro.sk>
Date: Fri, 28 Jul 2006 19:55:12 +0200
From: Peter Rosa
To: Adam Egan
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
Subject: Re: ipfw and natd routing problems

Hi,

> [ipfw]
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state

The default behavior of ipfw is to *BLOCK EVERY PACKET* if you did not say
in your kernel config "options IPFIREWALL_DEFAULT_TO_ACCEPT". That's why
all your connections time out...

You need to add a few rules for check-state to work:

add 01002 allow tcp from any to any via sis0 setup keep-state
add 01003 allow udp from any to any via sis0 keep-state
add 01004 allow icmp from any to any via sis0 keep-state

BE AWARE YOUR 'FIREWALL' IS COMPLETELY OPEN FOR ANY CONNECTION FROM INSIDE
AND EVEN OUTSIDE!!!

It is very well explained in man ipfw and even better in the handbook:
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html)

Peter Rosa

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 18:08:50 2006
Message-ID: <44CA5293.6070505@netconsultoria.com.br>
Date: Fri, 28 Jul 2006 15:08:19 -0300
From: "Tobias P. Santos"
To: freebsd-ipfw@freebsd.org
Subject: ipfw pipe changes from 5.4 to 6.1-RELEASE

Hello!

I've noticed some changes in ipfw, as follows:

RELEASE-5.4:

# ipfw pipe 1 config bw 64Kbit/s
# ipfw pipe 2 config bw 512Kbit/s
# ipfw pipe 3 config bw 512Kbit/s mask dst-ip 0xfffffffc
# ipfw pipe show
00001:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xfffffffc/0x0000

RELEASE-6.1:

# ipfw pipe 1 config bw 64Kbit/s
# ipfw pipe 2 config bw 512Kbit/s
# ipfw pipe 3 config bw 512Kbit/s mask dst-ip 0xfffffffc
# ipfw pipe show
00001:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00002: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail

In RELEASE-6.1, the line containing the mask options is not shown. IMHO, it
should be displayed because it's part of the pipe attributes. I went to
check the differences in the source code and it seems that adding IPv6 to
ipfw2.c made the 'mask' line appear only when there is a flow to that pipe.
I made some changes trying to revert to the previous behaviour, but as I am not keen to this kind of programming, I'd like to someone more experienced to take a look at it. It seems to work, but currently I can't check whether IPv6 masks are shown correctly. I need the 'old' behaviour because some shell scripts stopped working when we upgraded our server. Thank you, Tobias. --------------050108030907000608040909 Content-Type: text/plain; name="ipfw2.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ipfw2.diff" --- ipfw2.c.orig Fri Jul 28 09:52:04 2006 +++ ipfw2.c Fri Jul 28 12:05:29 2006 @@ -2004,9 +2004,32 @@ { int l; int index_printed, indexes = 0; - char buff[255]; + int ipv6_masks = 0; + char buff[255], buff2[255]; struct protoent *pe; + inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6), + buff, sizeof(buff)); + inet_ntop(AF_INET6, &(fs->flow_mask.dst_ip6), + buff2, sizeof(buff2)); + + if (fs->flow_mask.flow_id6 != 0 || strlen(buff) > 2 || strlen(buff2) > 2) + ipv6_masks = 1; + + if (!ipv6_masks) { + printf(" " + "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", + fs->flow_mask.proto, + fs->flow_mask.src_ip, fs->flow_mask.src_port, + fs->flow_mask.dst_ip, fs->flow_mask.dst_port); + } else { + printf(" " + "mask: proto: 0x%02x, flow_id: 0x%08x, %s/0x%04x -> %s/0x%04x\n", + fs->flow_mask.proto, fs->flow_mask.flow_id6, + buff, fs->flow_mask.src_port, + buff2, fs->flow_mask.dst_port); + } + if (fs->rq_elements == 0) return; @@ -2027,11 +2050,6 @@ if (indexes > 0) /* currently a no-op */ printf("\n"); indexes++; - printf(" " - "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", - fs->flow_mask.proto, - fs->flow_mask.src_ip, fs->flow_mask.src_port, - fs->flow_mask.dst_ip, fs->flow_mask.dst_port); printf("BKT Prot ___Source IP/port____ " "____Dest. IP/port____ " 
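Review bot: in the block added at the top of the function, the IPv6 test 'if (fs->flow_mask.flow_id6 != 0 || strlen(buff) > 2 || strlen(buff2) > 2)' relies on inet_ntop() rendering an all-zero mask as "::" and on inet_ntop() never failing; when it returns NULL the buffers are left uninitialized and strlen() reads garbage. Test the masks directly instead, e.g. 'IN6_IS_ADDR_UNSPECIFIED(&fs->flow_mask.src_ip6)' and the same for dst_ip6, and call inet_ntop() only inside the else branch where the strings are actually printed. The moved printf sits before 'if (fs->rq_elements == 0) return;', which is exactly what brings the mask line back for idle pipes, so the placement itself is right.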
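Review bot: dropping the IPv4 mask printf here is consistent with the unconditional print added in the first hunk, but the deleted block lived under 'indexes++' in the per-listing loop, so the mask used to sit directly above the "BKT Prot ___Source IP/port____" header for each listing; after the change it appears once, ahead of the queue table, whether or not there are flows. That is the 5.4 ordering the submission wants back, but state it in the cover text, since the position of the "mask:" line relative to the table header is what the shell scripts mentioned in the message parse.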
@@ -2069,14 +2087,6 @@ if (indexes > 0) printf("\n"); indexes++; - printf("\n mask: proto: 0x%02x, flow_id: 0x%08x, ", - fs->flow_mask.proto, fs->flow_mask.flow_id6); - inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6), - buff, sizeof(buff)); - printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port); - inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6), - buff, sizeof(buff) ); - printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port); printf("BKT ___Prot___ _flow-id_ " "______________Source IPv6/port_______________ " --------------050108030907000608040909-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 20:35:19 2006 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1DF4216A4DE for ; Fri, 28 Jul 2006 20:35:19 +0000 (UTC) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78A7243D45 for ; Fri, 28 Jul 2006 20:35:18 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from localhost (unknown [88.158.112.6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 82D4B24C70C for ; Fri, 28 Jul 2006 21:57:49 +0200 (CEST) Date: Fri, 28 Jul 2006 23:35:14 +0300 
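Review bot: the deleted IPv6 block belonged to the second listing section, whose entry condition is outside this hunk, while the replacement at the top of the function picks the IPv6 format purely from the mask contents ('ipv6_masks'); an IPv6 pipe configured with no mask will therefore now print the IPv4 "mask: 0x00 0x00000000/0x0000 -> ..." line, and a pipe with flows in both listings gets a single mask line instead of one per listing. If the address family matters to the consumers of this output, keep a family check alongside the mask test. Minor: the old code reused one 'buff' for both addresses; 'buff2' is fine, but 255 bytes each is far more than INET6_ADDRSTRLEN requires, so size both with that constant.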
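To make concrete what the output change means for the shell scripts Tobias mentions, here is an added example that is not from the thread and not part of the patch: a POSIX sh/awk parser for "ipfw pipe show" text that accepts both layouts, reading the mask from the indented "mask:" line when it is present and reporting "-" when, as on 6.1 with no flows, the line is absent. The two listings are the ones quoted in the message, re-embedded as constructed sample strings; their column spacing is an assumption, which is why the parser keys on tokens rather than positions.

```shell
#!/bin/sh
# Added example, not from the thread: parse "ipfw pipe show" output in both
# the 5.4 layout (a "mask:" line under every pipe) and the 6.1 layout
# (no "mask:" line while the pipe has no flows) so a script survives both.

# Constructed samples: the two listings quoted in the message. Column
# spacing is assumed; the parser keys on tokens, not on positions.
SAMPLE_54='00001:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xfffffffc/0x0000'

SAMPLE_61='00001:  64.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00002: 512.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
00003: 512.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail'

# parse_pipes: read "ipfw pipe show" text on stdin and print one record per
# pipe:  <pipe> <bandwidth> <unit> <buckets> <dst-ip-mask or ->
# A pipe's record is emitted only when the next pipe (or EOF) is reached,
# so an optional "mask:" line that follows can still update it.
parse_pipes() {
    awk '
        function emit() { if (pipe != "") print pipe, bw, unit, buckets, dmask }
        /^[0-9]+:/ {
            emit()
            pipe = substr($1, 1, length($1) - 1) + 0      # "00003:" -> 3
            bw = $2; unit = $3
            match($0, /\([0-9]+ buckets\)/)               # "(64 buckets)" -> 64
            buckets = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/ buckets/, "", buckets)
            dmask = "-"                                   # no mask line seen (yet)
            next
        }
        /^[ \t]*mask:/ {
            for (i = 1; i <= NF; i++) if ($i == "->") dmask = $(i + 1)
            sub(/\/.*/, "", dmask)                        # "0xfffffffc/0x0000" -> 0xfffffffc
            next
        }
        END { emit() }
    '
}

# Helpers a script would build on: number of pipes, and the destination mask
# of one pipe ("-" when the listing carried no mask line for it).
pipe_count() { printf '%s\n' "$1" | parse_pipes | wc -l | tr -d ' '; }
dst_mask_of() { printf '%s\n' "$1" | parse_pipes | awk -v p="$2" '$1 == p { print $5 }'; }

printf '5.4 layout:\n'; printf '%s\n' "$SAMPLE_54" | parse_pipes
printf '6.1 layout:\n'; printf '%s\n' "$SAMPLE_61" | parse_pipes
```

A script that treats "-" as "mask unknown" rather than "no mask" keeps working across the two releases; the mask in the 6.1 listing simply is not reported until a flow exists, which is the behaviour the patch above sets out to change.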
From: vladone
Message-ID: <44756092.20060728233514@spaingsm.com>
To: ipfw@freebsd.org
In-Reply-To: <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
Subject: Re: ipfw and natd routing problems

Hello Adam,

Friday, July 28, 2006, 2:12:32 PM, you wrote:

> [...]
> [ipfw]
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state
> [...]

You need to add a natd rule for outgoing packets too, not only for
incoming. So you need a rule like this at the end of the rules:

    add 05000 divert natd ip from any to any out via sis0

With two rules for natd (one for incoming and another for outgoing) you can
control the traffic flow more exactly. Else you can use a single natd rule
at the beginning like this:

    add 1000 divert natd all from any to any via sis0

--
Best regards,
 vladone                            mailto:vladone@spaingsm.com
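Pulling together Peter's point (a default-deny kernel blocks everything check-state does not already know) and vladone's (natd needs a divert rule on the outbound side as well), the following is an added example, not code from the thread or from FreeBSD's rc.firewall: a POSIX sh script that emits the two-rule fragment from the question next to a stateful natd ruleset that diverts in both directions, admits only the redirected service from outside, and ends in an explicit deny so the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT setting no longer decides. The interface names, LAN prefix, forwarded host and port are assumptions passed as arguments; nothing is loaded into ipfw unless APPLY=yes.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Emits two ipfw rule lists for the natd setup discussed above:
#   weak_rules      - the two-rule fragment from the question
#   hardened_rules  - a stateful set that diverts both directions, admits
#                     only the redirected service from outside and ends in
#                     an explicit deny
# All names are assumptions passed as arguments: external interface,
# internal interface, LAN prefix, forwarded host, forwarded TCP port.
# Nothing is applied unless APPLY=yes; by default the rules are printed.

# The fragment from the question. With an IPFIREWALL kernel that lacks
# IPFIREWALL_DEFAULT_TO_ACCEPT, any packet with no dynamic-rule match falls
# through to the implicit "65535 deny ip from any to any": the forwarded
# port and the first SYN of every outbound session both stall.
weak_rules() {
    ext=$1
    printf '%s\n' \
        "add 01000 divert natd ip from any to any in via $ext" \
        "add 01001 check-state"
}

# Stateful set. Session-opening rules use "skipto 5000 ... keep-state" rather
# than "allow": check-state replays the parent rule's action for every later
# packet of the session, so replies leaving $ext are sent through the
# outbound divert and translated instead of being allowed untranslated.
# Rule 4000 catches everything no earlier rule vetted, so the kernel's
# default rule never decides. Rule numbers stay clear of 2000-2099, the
# range natd's punch_fw uses for the holes it punches. Rules 1400/1401 are
# the firewall's own DHCP client on $ext; its other traffic (DNS lookups
# and so on) still needs its own "from me" rules, left out here.
hardened_rules() {
    ext=$1; int=$2; lan=$3; host=$4; port=$5
    printf '%s\n' \
        "add 00100 allow ip from any to any via lo0" \
        "add 00200 deny ip from any to 127.0.0.0/8" \
        "add 00300 deny ip from 127.0.0.0/8 to any" \
        "add 01000 divert natd ip from any to any in via $ext" \
        "add 01001 check-state" \
        "add 01100 allow ip from $lan to any in via $int" \
        "add 01200 skipto 5000 tcp from any to $host $port in via $ext setup keep-state" \
        "add 01300 skipto 5000 tcp from $lan to any out via $ext setup keep-state" \
        "add 01301 skipto 5000 udp from $lan to any out via $ext keep-state" \
        "add 01302 skipto 5000 icmp from $lan to any out via $ext keep-state" \
        "add 01400 allow udp from any 68 to any 67 out via $ext" \
        "add 01401 allow udp from any 67 to any 68 in via $ext" \
        "add 04000 deny log ip from any to any" \
        "add 05000 divert natd ip from any to any out via $ext" \
        "add 05001 allow ip from any to any"
}

# Checks a script can run on a rule list before loading it.
count_divert() { grep -c 'divert natd'; }            # expect 2 for a full NAT set
deny_before_divert_out() {                           # unvetted traffic must never reach natd
    awk '/ deny .*from any to any$/ { d = NR }
         /divert natd .*out via/    { o = NR }
         END { exit !(d && o && d < o) }'
}

RULES=$(hardened_rules sis0 sis1 192.168.0.0/24 192.168.0.5 80)
if [ "${APPLY:-no}" = yes ]; then
    ipfw -q -f flush
    printf '%s\n' "$RULES" | ipfw -q /dev/stdin
else
    printf '%s\n' "$RULES"
fi
```

Tracing the forwarded port through the hardened set: an inbound SYN to the public address is diverted at 1000, comes back with its destination rewritten to 192.168.0.5:80 by natd's redirect_port, misses check-state, matches 1200, which records the session and skips to 5000 (no match, the packet is inbound) and 5001 allows it. The server's reply hits check-state on its way out, inherits the skipto, is diverted at 5000 and leaves with the public source address. With Peter's "allow ... keep-state" rules the same reply would be allowed at check-state before ever reaching the outbound divert, and the ruleset would also admit any connection from either side, which is the warning his message carries in capitals.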