Date: Sun, 20 May 2012 17:41:17 +1000 (EST) From: Ian Smith <smithi@nimnet.asn.au> To: David Banning <david+dated+1337774837.907aca@skytracker.ca> Cc: freebsd-questions@freebsd.org Subject: Re: problems with networking and route command Message-ID: <20120520153337.Y98171@sola.nimnet.asn.au> In-Reply-To: <20120519120024.1820210657C5@hub.freebsd.org> References: <20120519120024.1820210657C5@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In freebsd-questions Digest, Vol 415, Issue 6, Message: 1 On Fri, 18 May 2012 08:07:16 -0400 David Banning <david+dated+1337774837.907aca@skytracker.ca> wrote: > > > It is machines that connect and receive via DHCP 192.168.1.2 and above that > > > can't connect to the internet though the server. I don't know a whole > > > lot about route - I have been attempting a variation of route commands > > > without success. [Chuck Swiger wrote:] > > You need to implement NAT on this box, since 192.168.0.0/16 is an > > RFC-1918 unrouteable private network range. > I previously connected to the internet using ppp with the -nat option > and now my connection has changed - so that makes sense. > > So I implemented natd. > > Unfortunately natd does not work as yet. I followed the setup as laid > out in "man natd" and also used the layout in; > > http://www.freebsddiary.org/ipfw.php I've since seen Derek's response in the archives (I get the digests) at http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241035.html and I agree that 1998 is far too old to be of much use. I differ however about advisability of referring to the Handbook IPFW page, which frankly sucks - the only section of the Handbook that does, that I know of; you will find ipfw(8) and /etc/rc.firewall to be much better friends. > Here is my natd setup > > 1. Compiled IPFIREWALL & IPDIVERT into my kernel - went fine. Didn't need to, both will load from modules from the /etc/rc.d scripts. Many these days prefer to use in-kernel NAT (firewall_nat_enable="YES") instead, but natd still works as ever; you can always switch later. > Here is my rc.conf network related entries; > > natd_enable="YES" > natd_interface="rl0" > natd_flags="-f /etc/natd.conf" > gateway_enable="YES" > ifconfig_rl0="inet 64.40.244.36 netmask 255.255.255.240" > defaultrouter="64.40.244.33" > ifconfig_vr0="DHCP" > ifconfig_vr0=up > ifconfig_vr0="inet 192.168.1.1" Only the last ifconfig_vr0 counts, but that's ok, DHCP is for clients, not where vr0 gets its address from, right? Ah, you fix that below .. > network_interfaces="rl0 vr0 lo0" > ifconfig_lo0="inet 127.0.0.1" > firewall_enable="YES" > firewall_script="/etc/firewall.rules" > firewall_type="simple" > firewall_logging="YES" firewall_type only applies where firewall_script="/etc/rc.firewall", however that would be ignored by your custom /etc/firewall.rules. > dhcpd_ifaces="vr0" > dhcpd_enable="YES" > > My firewall rules; > > ipfw add 64000 allow ip from any to any > ipfw add divert natd all from any to any via rl0 > ipfw add allow tcp from any to 192.168.2.1 139 > ipfw add allow tcp from any to 192.168.1.1 139 That won't work; after specifying the current rule as 64000, subsequent unnumbered rules will be placed at 64100, 64200 etc - so they will never be reached. If you put that 'allow all' at the end that would work, although a default policy of 'deny all' is very much safer. > ipfw add 6000 deny tcp from any to 64.40.244.36 139 > ipfw add 6010 deny tcp from any to 64.40.244.36 445 These two will now be the first rules encountered, being so numbered. You'll also want to deny an awful lot more than NETBIOS packets to your outside address, see below. > ipfw add deny tcp from any to any 139 And that will go at the end, again after everything has been allowed. Always use 'ipfw list' or 'ipfw show' to check your running ruleset. I would seriously advise you to consider using the rc.firewall 'simple' ruleset, at least as a basis, for a setup like yours. It's designed specifically to protect small networks, and particularly to place the NAT rules in just the right place between inbound and outbound anti- spoofing rules. See /etc/defaults/rc.conf for the variables you can set that should work more or less out of the box, though you may want to modify rc.firewall (or better, a copy of it, say rc.myfirewall) if you need to any add particular rules for specific services you need. It will also protect your IPv6 network, if that's relevant to you. > My /etc/natd.conf; > > interface rl0 > use_sockets yes > same_ports yes Should be ok. You already have natd_interface="rl0" in rc.conf. Consider 'unregistered_only yes', particularly if not using the anti-spoofing rules provided in rc.firewall 'simple'. > My /etc/services includes the line; > > natd 8668/divert # Network Address Translation socket > > Output of ifconfig; > > # ifconfig > fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 > ether 02:11:d8:b3:0e:43 > ch 1 dma -1 > vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 > inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 > ether 14:d6:4d:47:88:ae > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > inet 64.40.244.36 netmask 0xfffffff0 broadcast 64.40.244.47 > inet6 fe80::211:95ff:fe66:7162%rl0 prefixlen 64 scopeid 0x3 > ether 00:11:95:66:71:62 > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500 > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 > inet 127.0.0.1 netmask 0xff000000 > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552 > faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500 > > >From my initial communication I have swapped the uses of the two network > cards - which explains the reversal of entries for devices vr0 and rl0. > Still I have server connection to the internet on rl0 and server > connection to the network on vr0 - but the network cannot connect > to the internet via rl0. > > If there are any commands that would help collect information leading > to the answer I would appreciate any feedback. rc.firewall, though not perfect, provides a good, safe basic firewall for your stated needs. The major omission in the 'simple' ruleset is that it doesn't enable 'essential' ICMP messages, allowing pings but more importantly, TCP path MTU discovery. You might add, for example: # Allow outbound pings from our net ${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state # Allow essential ICMP: unreachable, source quench, TTL exceeded ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 ${fwcmd} add deny icmp from any to any # or default deny all later cheers, Ian (please cc me on any response)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120520153337.Y98171>