Date: Fri, 25 Jul 2008 09:22:31 -0700
From: Chris Pratt <eagletree@hughes.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: IP alias/routing question
Message-ID: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net>
This strikes me as a noob question, but in 10 years of FreeBSD I've never wrapped my brain around it, and it seems to be causing me problems this time.

I have many aliases on many servers. Some services listening on an alias address seem to return the packets out the alias address, as shown in netstat -i in the Opkts column. Others seem to return packets back out the first address specified on the system. This has not bothered me before because it seems to work, and I figured I was just confused about how netstat shows the In and Out packet counts. I assumed that local LAN traffic would be listed on the appropriate line and anything headed out the WAN would go to the default gateway, thus appearing on the line with the initial address. I've noticed it on ssh often: connect in on a second or third IP, yet the packets show as going out through the first configured IP in netstat.

I'm now setting up a bind server in which the third alias is the address for incoming DNS queries. It appears it's responding, but even though the queries come in on the third alias, they "go out" through the "primary" address, or more specifically, the packet count is incremented in the Opkts total for the IP address first attached to the interface via ifconfig (without an alias). My problem appears to be that the packets really are coming from the first IP as the source and are getting blocked by my firewall, as they should be (the first address is not supposed to be answering DNS queries).

Am I conceptualizing what I'm seeing incorrectly and have a different config error, or is it true that some services respond with a different source IP than the one they came in on if multiple aliases are specified on a single interface and wire? In other words, is the Opkts count on the IP irrelevant to the addressing of the packet?

Please let me know if this should instead go to FreeBSD-Net.
Supporting info: here is an example of the netstat. In this example, dns is listening on 192.168.0.18; the first interface ifconfig'd is 0.12. If I read it correctly, it goes out the default gateway, which is somehow tied to the 0.12. This machine is not a gateway, has no FWDs in ipfw, and isn't running natd.

$ netstat -i
Name  Mtu   Network        Address            Ipkts Ierrs    Opkts Oerrs  Coll
rl0   1500  <Link#1>       00:10:b5:76:ce:20    631     0        1     0     0
rl0   1500  192.168.252.0  192.168.252.11         0     -        0     -     -
rl1   1500  <Link#2>       00:14:2a:02:bd:64  22628     0     7833     0     0
rl1   1500  192.168.0.0    192.168.0.12          11     -     7450     -     -
rl1   1500  192.168.0.11   192.168.0.11        1482     -      278     -     -
rl1   1500  192.168.0.18   192.168.0.18        1243     -        0     -     -
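The behaviour asked about above can be reproduced on loopback: a UDP service bound to the wildcard address (0.0.0.0) does not remember which alias a query arrived on, so the kernel picks the reply's source address by route to the client, i.e. the interface's primary address, while a service bound to the alias itself must reply from that alias. This is an added example, not code from the thread; it assumes 127.0.0.2 is a local address (true on Linux, where all of 127/8 is on lo; on FreeBSD you would first add it as an lo0 alias).

```python
import socket

# Constructed demonstration (not from the original thread).
ALIAS = "127.0.0.2"     # the "alias" address the client sends its query to
PRIMARY = "127.0.0.1"   # the primary address the client itself uses


def reply_source_for(server_bind_addr: str) -> str:
    """Run a one-shot UDP echo server bound to server_bind_addr, send it a
    datagram addressed to ALIAS, and return the source address of its reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((server_bind_addr, 0))
    port = srv.getsockname()[1]

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((PRIMARY, 0))       # client speaks from the primary address
    cli.settimeout(2)
    cli.sendto(b"query", (ALIAS, port))

    # recvfrom() only reports the peer, not the local address the datagram
    # arrived on, so on the reply the kernel chooses the source address.
    data, peer = srv.recvfrom(512)
    srv.sendto(b"answer:" + data, peer)

    _, reply_from = cli.recvfrom(512)
    srv.close()
    cli.close()
    return reply_from[0]


def wildcard_reply_source() -> str:
    # Bound to 0.0.0.0: source is chosen by route to the peer, which yields
    # the primary address, not the alias that was queried.
    return reply_source_for("0.0.0.0")


def alias_bound_reply_source() -> str:
    # Bound to the alias itself: the reply necessarily carries the alias.
    return reply_source_for(ALIAS)


if __name__ == "__main__":
    print("wildcard-bound server replies from", wildcard_reply_source())
    print("alias-bound server replies from  ", alias_bound_reply_source())
```

A daemon that must keep listening on the wildcard needs the kernel to hand it the arrival address and to accept an explicit reply source (on FreeBSD the ip(4) options IP_RECVDSTADDR and IP_SENDSRCADDR); otherwise the fix is to bind the service to the alias, which is also what makes a per-address firewall rule reliable.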