Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 27 Jan 2003 23:39:09 -0500
From:      "Asenchi" <asenchi@asenchi.com>
To:        "Bill Moran" <wmoran@potentialtech.com>
Cc:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Firewall + DHCP (STILL)
Message-ID:  <NHBBIMEIGLCBNPAEPGDPIEJCCJAA.asenchi@asenchi.com>
In-Reply-To: <3E36043F.8010005@potentialtech.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

>What do you mean by "not able to _keep_ a connection"?  Are you saying that
>your DHCP addy expires and can't be renewed?  Or is there something more to
>the problem (i.e., the link layer connection fails?)

It won't pick up an ip from my provider.  When I boot up, ifconfig in dmesg
shows an ip, but nothing will connect.  If I do an 'ifconfig -a' it will
show up 0.0.0.0.

>To clarify:
>if you type:
>killall dhclient
>ifconfig vr0 inet 10.1.1.1 netmaks 255.0.0.0
>ifconfig
>Does it display the 10.1.1.1 address, or is there still no ip addy on
>vr0?

Yes I can configure it for an address...I think it has something to do with
dhclient.

> ${fwcmd} add 0200 allow all from any to any

>If this is truely the firewall rules you are using, then every rule after
>this one is redundant, as this constitutes an "open" firewall, which is
>almost the same as no firewall at all (except for the divert rule).

Yes I am aware of this.  I have it in there to try and get a connection.  It
normally isn't in there.

>Are you trying to get DHCP addys on both interfaces?

Sorry I tried switching cards and settings.  Now I am sticking with vr0.
Nothing happened(ens) either way.

Ok, here is my rc.conf.  I took your advice and configured the lo0.  I
included all my info again just in case, with rc.conf at the top.  It is all
the same info as I am on a windows machine as well.  So transferring from
floppy becomes a hassle.

Thank you very much for your help.

Curt Micol

#vi /etc/rc.conf
# -- sysinstall generated deltas -- # Thu Nov 14 10:01:53 2002
# Created: Thu Nov 14 10:01:53 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#Network Stuff
hostname="world.attbi.com"
ifconfig_vr0="DHCP"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"

#Misc Options
inetd_enable="YES"
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
ntpdate_enable="YES"
ntpdate_flags="clock.linuxshell.net"
sshd_enable="YES"
sshd_flags="-4"
usbd_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
clear_tmp_enable="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
fsck_y_enable="YES"
linux_enable="NO"
moused_enable="NO"
portmap_enable="NO"

#Firewall
firewall_enable="YES"
#firewall_type="OPEN"
firewall_type="/etc/rc.firewall"
firewall_quiet="YES"
firewall_logging="YES"
log_in_vain="YES"

#NATD
natd_enable="YES"
natd_interface="vr0"
natd_flags="-f /etc/natd.conf"

sendmail_enable="NONE"

#qmail options
qmail_smtp_enable="YES"
qmail_pop_enable="YES"
qmail_enable="YES"

#uname -a
FreeBSD world.attbi.com 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Jan 24
22:05:56 EST 2003     asenchi@world:/usr/obj/usr/src/sys/ASENCHI  i386

#vi /etc/rc.firewall
#FIREWALL RULES

fwcmd="/sbin/ipfw"

oif="vr0"
onet="`ifconfig vr0 | grep "inet " | awk '{print $6}'`"
omask="`ifconfig vr0 | grep "inet " | awk '{print $4}'`"
oip="`ifconfig vr0 | grep "inet " | awk '{print $2}'`"

iif="rl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

${fwcmd} -f flush

${fwcmd} add 0050 divert natd all from any to any via ${oif}

${fwcmd} add 0200 allow all from any to any
${fwcmd} add 0500 allow all from ${iip} to ${inet}:${imask}
${fwcmd} add 0501 allow all from ${inet}:${imask} to ${iip}
${fwcmd} add 0502 allow tcp from any to any established
${fwcmd} add 0503 deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 0504 deny all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add 0505 pass all from any to any frag
${fwcmd} add 0506 pass tcp from any to ${oip} 53 setup
${fwcmd} add 0507 pass udp from any 53 to ${oip}
${fwcmd} add 0508 pass udp from ${oip} 53 to any
${fwcmd} add 0509 pass udp from ${oip} to any 53 keep-state
${fwcmd} add 0510 allow tcp from any to any 22 setup
${fwcmd} add 0511 allow tcp from any 22 to any setup
${fwcmd} add 0550 allow udp from any to any 68 out via ${oif}
${fwcmd} add 0551 allow udp from any 68 to any out via ${oif}
${fwcmd} add 0552 allow udp from any 67 to any in via ${oif}

#ps -acux
USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root      225  0.0  0.1   420  216  v1  R+   10:30PM   0:00.00 ps
root        1  0.0  0.1   552  316  ??  ILs   5:28PM   0:00.01 init
root        2  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 pagedaemon
root        3  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 vmdaemon
root        4  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 bufdaemon
root        5  0.0  0.0     0    0  ??  DL    5:28PM   0:00.00 vnlru
root        6  0.0  0.0     0    0  ??  DL    5:28PM   0:00.01 syncer
root       25  0.0  0.0   212   96  ??  Is    5:28PM   0:00.00 adjkerntz
root       66  0.0  0.3   944  728  ??  Is   10:28PM   0:00.00 dhclient
root      114  0.0  0.1   432  288  ??  Is   10:28PM   0:00.00 natd
root      137  0.0  0.3   972  656  ??  Ss   10:28PM   0:00.08 syslogd
root      145  0.0  0.3  1056  696  ??  Is   10:28PM   0:00.00 inetd
root      147  0.0  0.3  1024  764  ??  Is   10:28PM   0:00.00 cron
root      149  0.0  0.7  2324 1744  ??  Is   10:28PM   0:00.00 sshd
qmaild    173  0.0  0.2   896  392 con- I    10:28PM   0:00.00 tcpserver
root      174  0.0  0.2   896  392 con- I    10:28PM   0:00.00 tcpserver
qmails    175  0.0  0.2   940  500 con- I    10:28PM   0:00.03 qmail-send
qmaill    180  0.0  0.2   896  504 con- I    10:28PM   0:00.00 splogger
root      181  0.0  0.2   896  476 con- I    10:28PM   0:00.00 qmail-lspawn
qmailr    182  0.0  0.2   896  412 con- I    10:28PM   0:00.00 qmail-rspawn
qmailq    183  0.0  0.2   884  440 con- I    10:28PM   0:00.00 qmail-clean
root      184  0.0  0.3   952  644  v0  Is+  10:28PM   0:00.00 getty
root      185  0.0  0.4  1268  948  v1  Is   10:28PM   0:00.03 login
root      186  0.0  0.3   952  644  v2  Is+  10:28PM   0:00.00 getty
root      187  0.0  0.3   952  644  v3  Is+  10:28PM   0:00.00 getty
root      188  0.0  0.3   952  644  v4  Is+  10:28PM   0:00.00 getty
root      189  0.0  0.3   952  644  v5  Is+  10:28PM   0:00.00 getty
root      190  0.0  0.3   952  644  v6  Is+  10:28PM   0:00.00 getty
root      191  0.0  0.3   952  644  v7  Is+  10:28PM   0:00.00 getty
asenchi   198  0.0  0.2   636  440  v1  I    10:28PM   0:00.01 sh
root      209  0.0  0.4  1484 1084  v1  S    10:29PM   0:00.08 csh
root        0  0.0  0.0     0    0  ??  DLs   5:28PM   0:00.00 swapper

#vi /var/db/dhclient.leases
lease {
  interface "xl0";
  fixed-address 12.245.246.22;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 3600;
  option routers 12.245.246.1;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option host-name "x1-6-00-04-76-c5-f4-a2";
  option domain-name "attbi.com";
  renew 2 2003/1/28 03:29:22;
  rebind 2 2003/1/28 03:58:51;
  expire 2 2003/1/28 04:06:21;
}
lease {
  interface "vr0";
  fixed-address 12.245.228.183;
  option subnet-mask 255.255.255.128;
  option dhcp-lease-time 345600;
  option routers 12.245.228.129;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option domain-name "attbi.com";
  renew 4 2003/1/30 01:09:35;
  rebind 5 2003/1/31 15:28:11;
  expire 6 2003/2/1 03:28:11;
}

#ifconfig -a
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
	inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
	ether 00:40:33:5a:74:8a
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	options=3<rxcsum,txcsum>
	ether 00:04:76:c5:f4:a2
	media: Ethernet autoselect (none)
	status: no carrier
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::250:bfff:fe90:6d98%rl0 prefixlen 64 scopeid 0x3
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	ether 00:50:bf:90:6d:98
	media: Ethernet autoselect (100baseTX)
	status: active
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet 127.0.0.1 netmask 0xff000000


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NHBBIMEIGLCBNPAEPGDPIEJCCJAA.asenchi>