From: "Asenchi"
To: "Bill Moran"
Cc: "freebsd-questions@FreeBSD.ORG"
Subject: RE: Firewall + DHCP (STILL)
Date: Mon, 27 Jan 2003 23:39:09 -0500
In-Reply-To: <3E36043F.8010005@potentialtech.com>

> What do you mean by "not able to _keep_ a connection"? Are you saying that
> your DHCP addy expires and can't be renewed? Or is there something more to
> the problem (i.e., the link layer connection fails?)

It won't pick up an IP from my provider. When I boot up, ifconfig in dmesg
shows an IP, but nothing will connect. If I do an 'ifconfig -a' it will show
up 0.0.0.0.

> To clarify:
> if you type:
> killall dhclient
> ifconfig vr0 inet 10.1.1.1 netmask 255.0.0.0
> ifconfig
> Does it display the 10.1.1.1 address, or is there still no ip addy on
> vr0?

Yes, I can configure it for an address... I think it has something to do with
dhclient.

> ${fwcmd} add 0200 allow all from any to any
> If this is truly the firewall rules you are using, then every rule after
> this one is redundant, as this constitutes an "open" firewall, which is
> almost the same as no firewall at all (except for the divert rule).

Yes, I am aware of this. I have it in there to try and get a connection. It
normally isn't in there.

> Are you trying to get DHCP addys on both interfaces?

Sorry, I tried switching cards and settings. Now I am sticking with vr0.
Nothing happened(ens) either way.

Ok, here is my rc.conf. I took your advice and configured the lo0. I included
all my info again just in case, with rc.conf at the top. It is all the same
info as I am on a windows machine as well. So transferring from floppy becomes
a hassle.

Thank you very much for your help.

Curt Micol

#vi /etc/rc.conf
# -- sysinstall generated deltas -- # Thu Nov 14 10:01:53 2002
# Created: Thu Nov 14 10:01:53 2002
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

#Network Stuff
hostname="world.attbi.com"
ifconfig_vr0="DHCP"
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1 netmask 255.0.0.0"
gateway_enable="YES"

#Misc Options
inetd_enable="YES"
kern_securelevel_enable="NO"
nfs_reserved_port_only="YES"
ntpdate_enable="YES"
ntpdate_flags="clock.linuxshell.net"
sshd_enable="YES"
sshd_flags="-4"
usbd_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
clear_tmp_enable="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
fsck_y_enable="YES"
linux_enable="NO"
moused_enable="NO"
portmap_enable="NO"

#Firewall
firewall_enable="YES"
#firewall_type="OPEN"
firewall_type="/etc/rc.firewall"
firewall_quiet="YES"
firewall_logging="YES"
log_in_vain="YES"

#NATD
natd_enable="YES"
natd_interface="vr0"
natd_flags="-f /etc/natd.conf"

sendmail_enable="NONE"

#qmail options
qmail_smtp_enable="YES"
qmail_pop_enable="YES"
qmail_enable="YES"

#uname -a
FreeBSD world.attbi.com 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Jan 24 22:05:56 EST 2003     asenchi@world:/usr/obj/usr/src/sys/ASENCHI  i386

#vi /etc/rc.firewall
#FIREWALL RULES
fwcmd="/sbin/ipfw"
oif="vr0"
onet="`ifconfig vr0 | grep "inet " | awk '{print $6}'`"
omask="`ifconfig vr0 | grep "inet " | awk '{print $4}'`"
oip="`ifconfig vr0 | grep "inet " | awk '{print $2}'`"
iif="rl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

${fwcmd} -f flush
${fwcmd} add 0050 divert natd all from any to any via ${oif}
${fwcmd} add 0200 allow all from any to any
${fwcmd} add 0500 allow all from ${iip} to ${inet}:${imask}
${fwcmd} add 0501 allow all from ${inet}:${imask} to ${iip}
${fwcmd} add 0502 allow tcp from any to any established
${fwcmd} add 0503 deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 0504 deny all from ${onet}:${omask} to any in via ${iif}
${fwcmd} add 0505 pass all from any to any frag
${fwcmd} add 0506 pass tcp from any to ${oip} 53 setup
${fwcmd} add 0507 pass udp from any 53 to ${oip}
${fwcmd} add 0508 pass udp from ${oip} 53 to any
${fwcmd} add 0509 pass udp from ${oip} to any 53 keep-state
${fwcmd} add 0510 allow tcp from any to any 22 setup
${fwcmd} add 0511 allow tcp from any 22 to any setup
${fwcmd} add 0550 allow udp from any to any 68 out via ${oif}
${fwcmd} add 0551 allow udp from any 68 to any out via ${oif}
${fwcmd} add 0552 allow udp from any 67 to any in via ${oif}

#ps -acux
USER      PID %CPU %MEM  VSZ  RSS  TT   STAT STARTED    TIME COMMAND
root      225  0.0  0.1  420  216  v1   R+   10:30PM 0:00.00 ps
root        1  0.0  0.1  552  316  ??   ILs   5:28PM 0:00.01 init
root        2  0.0  0.0    0    0  ??   DL    5:28PM 0:00.00 pagedaemon
root        3  0.0  0.0    0    0  ??   DL    5:28PM 0:00.00 vmdaemon
root        4  0.0  0.0    0    0  ??   DL    5:28PM 0:00.00 bufdaemon
root        5  0.0  0.0    0    0  ??   DL    5:28PM 0:00.00 vnlru
root        6  0.0  0.0    0    0  ??   DL    5:28PM 0:00.01 syncer
root       25  0.0  0.0  212   96  ??   Is    5:28PM 0:00.00 adjkerntz
root       66  0.0  0.3  944  728  ??   Is   10:28PM 0:00.00 dhclient
root      114  0.0  0.1  432  288  ??   Is   10:28PM 0:00.00 natd
root      137  0.0  0.3  972  656  ??   Ss   10:28PM 0:00.08 syslogd
root      145  0.0  0.3 1056  696  ??   Is   10:28PM 0:00.00 inetd
root      147  0.0  0.3 1024  764  ??   Is   10:28PM 0:00.00 cron
root      149  0.0  0.7 2324 1744  ??   Is   10:28PM 0:00.00 sshd
qmaild    173  0.0  0.2  896  392  con- I    10:28PM 0:00.00 tcpserver
root      174  0.0  0.2  896  392  con- I    10:28PM 0:00.00 tcpserver
qmails    175  0.0  0.2  940  500  con- I    10:28PM 0:00.03 qmail-send
qmaill    180  0.0  0.2  896  504  con- I    10:28PM 0:00.00 splogger
root      181  0.0  0.2  896  476  con- I    10:28PM 0:00.00 qmail-lspawn
qmailr    182  0.0  0.2  896  412  con- I    10:28PM 0:00.00 qmail-rspawn
qmailq    183  0.0  0.2  884  440  con- I    10:28PM 0:00.00 qmail-clean
root      184  0.0  0.3  952  644  v0   Is+  10:28PM 0:00.00 getty
root      185  0.0  0.4 1268  948  v1   Is   10:28PM 0:00.03 login
root      186  0.0  0.3  952  644  v2   Is+  10:28PM 0:00.00 getty
root      187  0.0  0.3  952  644  v3   Is+  10:28PM 0:00.00 getty
root      188  0.0  0.3  952  644  v4   Is+  10:28PM 0:00.00 getty
root      189  0.0  0.3  952  644  v5   Is+  10:28PM 0:00.00 getty
root      190  0.0  0.3  952  644  v6   Is+  10:28PM 0:00.00 getty
root      191  0.0  0.3  952  644  v7   Is+  10:28PM 0:00.00 getty
asenchi   198  0.0  0.2  636  440  v1   I    10:28PM 0:00.01 sh
root      209  0.0  0.4 1484 1084  v1   S    10:29PM 0:00.08 csh
root        0  0.0  0.0    0    0  ??   DLs   5:28PM 0:00.00 swapper

#vi /var/db/dhclient.leases
lease {
  interface "xl0";
  fixed-address 12.245.246.22;
  option subnet-mask 255.255.255.0;
  option dhcp-lease-time 3600;
  option routers 12.245.246.1;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option host-name "x1-6-00-04-76-c5-f4-a2";
  option domain-name "attbi.com";
  renew 2 2003/1/28 03:29:22;
  rebind 2 2003/1/28 03:58:51;
  expire 2 2003/1/28 04:06:21;
}
lease {
  interface "vr0";
  fixed-address 12.245.228.183;
  option subnet-mask 255.255.255.128;
  option dhcp-lease-time 345600;
  option routers 12.245.228.129;
  option dhcp-message-type 5;
  option dhcp-server-identifier 12.242.20.34;
  option domain-name-servers 63.240.76.4,204.127.198.4;
  option broadcast-address 255.255.255.255;
  option domain-name "attbi.com";
  renew 4 2003/1/30 01:09:35;
  rebind 5 2003/1/31 15:28:11;
  expire 6 2003/2/1 03:28:11;
}

#ifconfig -a
vr0: flags=8843 mtu 1500
        inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        ether 00:40:33:5a:74:8a
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8802 mtu 1500
        options=3
        ether 00:04:76:c5:f4:a2
        media: Ethernet autoselect (none)
        status: no carrier
rl0: flags=8843 mtu 1500
        inet6 fe80::250:bfff:fe90:6d98%rl0 prefixlen 64 scopeid 0x3
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:50:bf:90:6d:98
        media: Ethernet autoselect (100baseTX)
        status: active
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
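The lease file and the ifconfig -a listing in the message above disagree: dhclient recorded a lease of 12.245.228.183 for vr0 (plus an older one for the xl0 card that was swapped out), yet vr0 carries 0.0.0.0. The same 0.0.0.0 is what the rc.firewall pipelines `ifconfig vr0 | grep "inet " | awk '{print $2}'` pick up as ${oip} when run against that output, and `awk '{print $6}'` yields the broadcast address rather than a network number for ${onet}, so the address-based rules get installed with those values. The script below is an added example, not part of the original message or of FreeBSD: it parses the dhclient.leases format and the ifconfig output, reports per interface whether the leased address is actually on the interface, and refuses to hand back an address that is missing or 0.0.0.0, which is the guard a firewall script built from ifconfig output needs. The function names are my own; the sample data is copied from the message and trimmed to the fields the script reads.

```shell
#!/bin/sh
# Added example, not part of the original message: cross-check the address
# dhclient wrote to its lease database against what ifconfig shows on the
# interface. Function names are my own; the sample data below is copied from
# the dhclient.leases and ifconfig -a output quoted in the message, trimmed
# to the fields this script reads.

LEASES='lease {
  interface "xl0";
  fixed-address 12.245.246.22;
  option subnet-mask 255.255.255.0;
  option routers 12.245.246.1;
  expire 2 2003/1/28 04:06:21;
}
lease {
  interface "vr0";
  fixed-address 12.245.228.183;
  option subnet-mask 255.255.255.128;
  option routers 12.245.228.129;
  expire 6 2003/2/1 03:28:11;
}'

IFCONFIG='vr0: flags=8843 mtu 1500
        inet6 fe80::240:33ff:fe5a:748a%vr0 prefixlen 64 scopeid 0x1
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        ether 00:40:33:5a:74:8a
        status: active
xl0: flags=8802 mtu 1500
        ether 00:04:76:c5:f4:a2
        status: no carrier
rl0: flags=8843 mtu 1500
        inet6 fe80::250:bfff:fe90:6d98%rl0 prefixlen 64 scopeid 0x3
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:50:bf:90:6d:98
        status: active'

# lease_addr IFACE: print the fixed-address of the newest lease recorded for
# IFACE. dhclient appends leases to the file, so the last block for an
# interface wins. Exit 1 when no lease for IFACE exists.
lease_addr() {
    addr=$(printf '%s\n' "$LEASES" | awk -v want="\"$1\";" '
        $1 == "interface"            { cur = ($2 == want) }
        cur && $1 == "fixed-address" { sub(/;$/, "", $2); last = $2 }
        END                          { if (last != "") print last }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# iface_addr IFACE: print the IPv4 address ifconfig shows for IFACE (empty
# if it has no inet line) and exit 1 when that value is absent or 0.0.0.0.
# This is the check the "ifconfig vr0 | grep | awk" pipelines in the quoted
# rc.firewall do not perform before the value is used in ipfw rules.
iface_addr() {
    addr=$(printf '%s\n' "$IFCONFIG" | awk -v want="$1:" '
        /^[a-z]/            { cur = ($1 == want) }
        cur && $1 == "inet" { print $2; exit }')
    printf '%s\n' "$addr"
    case "$addr" in
        ''|0.0.0.0) return 1 ;;
    esac
}

# check_lease IFACE: return 0 when the leased address is on the interface,
# 1 when a lease exists but the interface does not carry it, and 2 when no
# lease is recorded for IFACE. A one-line report goes to stdout either way.
check_lease() {
    l=$(lease_addr "$1") || { echo "$1: no lease recorded"; return 2; }
    if a=$(iface_addr "$1") && [ "$a" = "$l" ]; then
        echo "$1: lease $l is applied"
        return 0
    fi
    echo "$1: lease $l recorded but interface shows ${a:-no address}"
    return 1
}

# Stand-alone run over the quoted data: vr0 and xl0 each report a lease that
# is not on the interface, rl0 reports no lease (it is statically configured).
# The overall status is kept in rc rather than exiting, so the report always
# completes even when the caller has set -e.
rc=0
for i in vr0 xl0 rl0; do
    check_lease "$i" || rc=1
done
```

On a real machine, replace the two inline samples with `cat /var/db/dhclient.leases` and `ifconfig "$1"`; the awk programs are unchanged. In a firewall script, `oip=$(iface_addr vr0) || exit 1` stops the ruleset from being loaded with 0.0.0.0 in place of the public address, which is the state the quoted ifconfig -a shows vr0 in.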