From owner-freebsd-questions@FreeBSD.ORG Fri Jul 25 23:05:02 2008
Message-ID: <2daa8b4e0807251605j525d7480n5a5531188f718660@mail.gmail.com>
Date: Fri, 25 Jul 2008 16:05:01 -0700
From: "David Allen" <the.real.david.allen@gmail.com>
To: "Matthew Seaman"
In-Reply-To: <488A0997.3090300@infracaninophile.co.uk>
Cc: Chris Pratt, FreeBSD Questions
Subject: Re: IP alias/routing question
References: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net> <488A0997.3090300@infracaninophile.co.uk>

On Fri, Jul 25, 2008 at 10:12 AM, Matthew Seaman wrote:
> Chris Pratt wrote:
>
>> I'm now setting up a bind server in which the third alias
>> is the address for incoming DNS queries. It appears
>> it's responding but even though the queries come in
>> on the third alias, they "go out" through the "primary"
>> address or more specifically, the packet count is
>> incremented in the Opkts total for the IP address first
>> attached to the interface via ifconfig (without an alias).
>> My problem appears to be that the packets really are
>> coming from the first IP as the source and are getting
>> blocked by my firewall as they should (the first address
>> is not supposed to be answering DNS queries).
>
> Carefully not answering the 'why do these packets come from the
> wrong address' question, but just pointing out that BIND is
> actually rather more configurable in this respect than most
> software.

Deliberately addressing the 'why do these packets come from the wrong
address' question which Mr. Seaman avoided (hello again, Matthew!), I'll
add my two cents.

Run netstat -rnfinet and examine what's in the 'Netif' column. If there
was some inter-host traffic, you'll see a host entry for each of your
aliases with a value of 'lo0'. Correlate all the entries in the routing
table and you'll be able to determine what exits where.

I'm not sure why this question doesn't come up more frequently as it can
be problematic, especially in regards to jails (which are implemented
using IP aliasing).

I started a discussion some weeks ago on the subject that you may find
interesting. To recap briefly, if a jail host sends traffic to a jail,
the traffic will transit the lo0 interface, exit the jail's interface
using the jail's IP address, and connect to the jail on its IP address.
The end result? Traffic with identical source and destination IP
addresses!

Using your numbers, if named was running in a jail (192.168.0.18) and a
query was made on the host (192.168.0.12), instead of seeing

  192.168.0.12.3450 -> 192.168.0.18.53
  192.168.0.18.53 -> 192.168.0.12.3450

you'd see the following on lo0:

  192.168.0.18.3450 -> 192.168.0.18.53
  192.168.0.18.53 -> 192.168.0.18.3450

You're not using jails, but what I'm describing isn't a jail issue, or a
general IP aliasing issue, but a routing issue.

Modifying the routing table is, of course, possible. But the results,
I've found, are less than satisfactory. If you force traffic out an
actual interface, the return traffic will probably still have to occur
over loopback and you're back to where you started, but with some new
problems. Note also that the above seems to apply irrespective of the
number of network cards or networks.

The moral of the story? Configure named appropriately, and don't ask any
more questions. ;-)

On the other hand, if you insist on thinking immoral thoughts as I do,
and find a more thorough explanation of any of the above, please do let
me know.
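The routing-table check David describes (look at the 'Netif' column of netstat -rnfinet, find the host entries for each alias that point at lo0, and work out from the table which interface a given destination exits) is shown below as an added example; it is not code from the thread or from FreeBSD. It parses a constructed sample of FreeBSD-7-era netstat -rnfinet output for a host with a primary address 192.168.0.12 and two aliases (.18 and .20 are assumed values), lists the local addresses the kernel has installed as lo0 host routes, and does a longest-prefix lookup so you can see that traffic to an alias on the same host never leaves via em0 at all.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample of `netstat -rnfinet` output (not captured from the
# poster's machine): em0 carries 192.168.0.12 plus aliases .18 and .20.
# Each configured address shows up as a /32 host route whose Netif is lo0.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0     1234    em0
127.0.0.1          127.0.0.1          UH          0       12    lo0
192.168.0.0/24     link#1             UC          0        0    em0
192.168.0.1        00:11:22:33:44:55  UHLW        1       45    em0   1188
192.168.0.12       127.0.0.1          UHS         0        0    lo0
192.168.0.18       127.0.0.1          UHS         0        0    lo0
192.168.0.20       127.0.0.1          UHS         0        0    lo0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_routes(text: str) -> list:
    """Parse the Internet routing table printed by netstat -rnfinet."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True          # header row: data rows follow
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:          # Expire column is optional, Netif is not
            continue
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[5]
        if dest == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            # A bare address is a host route; strict=False tolerates host bits.
            net = ipaddress.IPv4Network(dest, strict=False)
        routes.append(Route(net, gateway, flags, netif))
    return routes


def lookup(routes: list, dest: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def local_addresses(routes: list) -> list:
    """Every configured address and alias: the /32 host routes on lo0."""
    addrs = sorted(r.network.network_address for r in routes
                   if r.network.prefixlen == 32 and r.netif == "lo0"
                   and not r.network.network_address.is_loopback)
    return [str(a) for a in addrs]


def egress_report(routes: list, dests: list) -> dict:
    """Map each destination to the Netif its packets would leave on."""
    return {d: lookup(routes, d).netif for d in dests}


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_NETSTAT)
    print("local addresses (lo0 host routes):", local_addresses(routes))
    for dest, netif in egress_report(routes, ["192.168.0.18", "192.168.0.1", "8.8.8.8"]).items():
        print(f"{dest:>14} -> {netif}")
```

On the defensive side this is the point of the thread: a query from the host to one of its own aliases is matched by the /32 lo0 entry, so it is loopback traffic whose source address the kernel picks for you, and a firewall rule written for em0 never sees it. For the outbound side Matthew alludes to, BIND's own `listen-on` and `query-source address` options in named.conf pin the service and its outgoing queries to the chosen alias, which is the fix the poster's firewall policy actually needs.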