From: Mike Porter
To: swear@blarg.net (Gary W. Swearingen)
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: 127/8 continued
Date: Thu, 27 Sep 2001 16:25:21 -0600

On Thursday 27 September 2001 12:14 pm, Gary W. Swearingen wrote:
> Mike, your post had some interesting and helpful info.
> Here's a few comments on parts of it.
>
> By definition, yes. But do you mean "public" (Internet-routable)? I'm
> fairly sure I was communicating with my DSL router when I had only a 10.x
> address on the firewall. (Had to set 10.x.x.x as the gateway in the DSL
> router's route to my firewall.) I wasn't talking between my internal
> computers and the Internet at that time, so I'm not sure it would work.
> But nobody on the Internet needs to address my firewall, except the DSL
> router which should be able to use private addresses -- especially if
> my ISP would let me configure my end of the DSL router to use a private
> address. But I'm not sure about their PPP/ATM stuff; it might need a
> public IP address on both ends of the PPP/ATM link.

While this is possible using NAT at the DSL router (most of them support it there), as a general rule, any machine that accepts packets from the internet, and injects packets to the internet, including a firewall, needs a public ("routable") IP. The one exception to this that I know of is OpenBSD's "transparent bridge", which allows a machine to appear to be simply a high-latency network cable. However, this is only useful, really, in conjunction with firewalling, and (from what I have heard) tends to break down if you try it with three NICs. It is also fairly processor intensive, since it has to put both interfaces in promiscuous mode and process EVERY packet. (I guess FBSD supports transparent bridging with ipfw, but I haven't investigated it much.)

> I read about that in my firewalling book, but I just don't get it, even
> ignoring the problem with not translating IP addresses within the
> packets. How does translating IP addresses help with security, as long
> as the translation is transparent? I don't see that I'm hiding anything
> important, just some IP numbers nobody cares about, not things like
> network structure or ports or data. The firewall rules hide those.

See kutulu's response. It is a side effect of NAT, because the external IPs do not need to correspond to any specific internal subnet. There would be no way, to use your example, for someone tracerouting your /29 to know that a.b.c.2 and a.b.c.4 are on separate subnets. If you increase the scale, in a corporate setting, those two IPs could correspond to machines in completely different offices on their own proprietary network.

> > The trick should be to use a /32
> > netmask, so that ALL addresses are considered non-local, and delivered to
> > the gateway.
>
> That's what I thought. Or to use point-to-point (given that I've seen
> almost nothing about it but the little in the ifconfig man page). But
> it isn't the trick.
>
> > Though you might have to use /31.
>
> I am, but it won't work at ifconfig time. I have to use /29 (or
> /30?) and then replace the /29 route with a /31 route.

Easier said than done.

> First, ifconfig ignores you if you try to set broadcast or (netmask) on
> a configured interface, even if it is "down".

OK, then I was wrong. The broadcast is (normally) the last address in the subnet (.255 for a class C; .255 for my subnet with a .128 netmask, but I am in the top half. I presume that those with IPs below .129 have .127 set for a broadcast, with .128 being the other unusable address. I forget exactly what it's for?)

> You didn't say what the broadcast address should be, but I've tried many
> and nothing works but the one created by a /29 config.

I suspect that the problem is that ifconfig CAN'T create a broadcast address with less than 4 IPs in the netmask (/30) (I guess it could use 3, but I don't think that's a valid netmask <(}:). ifconfig WILL allow you to specify aliases using a /32 netmask. I've never tried with a different value, but as mentioned previously in this thread, there appears to be no way to deterministically tell the OS which IP to use as its "primary" IP.

> > > Unfortunately, doing "ifconfig xl0 down; go fishing; ifconfig xl0 up"
> > > puts back the a.b.c.0/29 route, breaking my routing.
> >
> > This is because you already have the /29 netmask for xl0; if you change
> > the xl0 netmask ("ifconfig xl0 netmask 255.255.255.252" as well as
> > changing the rc.conf info) ifconfig xl0 up will bring back the correct
> > (/31) family.
>
> But I can't change the netmask and if I use a /31 (you meant .254,
> right?) netmask at interface setup, I can't get it to route properly.

Ummm....yeah, I must have meant that <(}; Actually I think I was thinking of /30 rather than /31.

> > Again, you are having conflicts with your subnets and your routing. You
> > need to either get enough addresses to support a "real" subnet (including
> > the two "dead" addresses per net), use bridging, or use NAT.
>
> Or use my awkward, non-standard kludge.
>
> As a reminder, my original post wasn't asking how I can set up my
> network. I was bitching about what I consider a high-level design
> deficiency in the OS (and all OSes, I suppose) software which makes it
> awkward or impossible to efficiently and/or easily utilize a 6-IP block
> of IP addresses for a 2-computer, 1-firewall network which should be able
> to get by with 3 addresses (or even 2 if the ISP would use a private IP
> for my or both ends of the private PPP/ATM link). (I was also
> complaining some about the FreeBSD network tools and documentation.)

The point is that you CAN do this, just not the way you want to do it. If you put a hub or a switch behind the firewall, then attach your server and workstation to that, you will be fine. This is essentially my setup at home, with a "main" PC acting as a firewall/router connected to the cable modem, and on the "inside" side I have two laptops and a network printer. Granted that I use 192 addresses and NAT for the "inside" side, but it really wouldn't matter; if I had a /29 subnet (/30 wouldn't work without static routes, because there are only two useful IPs in a /30). Remember that your /29 actually specifies 8 IP addresses, even though you can only use 6 of them. This is a limitation of IP, not of any OS. (I think kutulu said it first in this thread.) If you drop the subnetting requirement, then you can use three IPs. The only thing you lose is the DMZ.

> I think you're confusing gatewaying with bridging. My firewall has
> gatewaying (and filtering) enabled with some of the results you mention,
> but not the routing part. Gatewaying just has the routing software
> accept packets with non-localhost destination addresses (usually so
> they can be sent on to some other network). Bridging, AFAIK so far,
> makes the host seem like a cable joining two cables coming into the
> host, so that two external hosts seem to be communicating over a
> single network segment (eg, one cable). The bridge and its two bridged
> interfaces have no IP addresses at all. That's what I understood from
> my books, at least. Scott Lambert told me yesterday about this article
> (not in my 4.3 docs) on filtering bridges:

Yeah, although the terminology is frequently used interchangeably. That doesn't make it right. The distinction I would draw is between transparent bridging (which is what you describe) and "normal" bridging, which is probably better referred to as "gateway" or "relay" behaviour. I think gateway or relay behaviour is more what you are after. Or "switching" behaviour might be the term.

Too bad we can't go back to the "good ol' days" when everyone could have a class C just for the asking....you could subnet to your heart's content <(}: Even so, IPv6, come quickly....

mike
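The subnet arithmetic the thread argues over (why a /29 gives 8 addresses but 6 usable hosts, why a .128 netmask puts the broadcast at .255 in the top half and .127 in the bottom half, and why a /32 sends every destination to the gateway) can be checked directly. This is an added example, not code from the thread or from FreeBSD; it uses constructed TEST-NET-1 addresses (192.0.2.x) in place of the poster's a.b.c.x block.

```python
import ipaddress


def subnet_facts(addr_with_prefix: str) -> dict:
    """Network, netmask, broadcast and usable-host facts for an interface address.

    Classic IPv4 rules: the first address of a block is the network address
    and the last is the directed broadcast, so a /29 holds 8 addresses but
    only 6 usable hosts, and a /30 only 2.  /31 and /32 have no room for a
    broadcast at all; here a /31 is treated as a point-to-point pair
    (RFC 3021) and a /32 as a single host route.
    """
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    total = net.num_addresses
    if net.prefixlen >= 31:
        broadcast = None
        usable = total
    else:
        broadcast = str(net.broadcast_address)
        usable = total - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": broadcast,
        "total": total,
        "usable": usable,
    }


def on_link(addr_with_prefix: str, dest: str) -> bool:
    """True if dest lies inside the interface's own subnet (delivered directly
    on the wire); False if the host would hand it to a gateway instead."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return ipaddress.ip_address(dest) in iface.network


if __name__ == "__main__":
    # Constructed sample addresses from TEST-NET-1 (192.0.2.0/24): a host in
    # the .128-netmask "top half", one in the bottom half, and the small blocks.
    for cidr in ("192.0.2.130/25", "192.0.2.5/25", "192.0.2.0/29",
                 "192.0.2.0/30", "192.0.2.130/31", "192.0.2.130/32"):
        print(cidr, subnet_facts(cidr))
    # With a /29 the neighbour is on-link; with a /32 it goes via the gateway.
    print(on_link("192.0.2.130/29", "192.0.2.131"))  # True
    print(on_link("192.0.2.130/32", "192.0.2.131"))  # False
```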