Date: 27 Sep 2001 11:14:35 -0700 From: swear@blarg.net (Gary W. Swearingen) To: Mike Porter <mupi@mknet.org> Cc: freebsd-stable@FreeBSD.ORG Subject: Re: 127/8 continued Message-ID: <4cd74ctsac.74c@localhost.localdomain> In-Reply-To: <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com> References: <20010924094048.X5906-100000@coredump.scriptkiddie.org> <20010926134253.A65444@mushhaven.net> <i5vgi5tx0h.gi5@localhost.localdomain> <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike, your post had some interesting and helpful info. Here's a few comments on parts of it. > > I also tried setting it all up on 10.x addresses with public IPs aliased > > on the server and workstation; I might have just messed up. Should > > that work? > > > That should work, but implies NAT to do the "aliasing" I meant to imply IP aliasing on the host interface using ifconfig. > Also the firewall needs an external IP as well. By definition, yes. But do you mean "public" (Internet-routable)? I'm fairly sure I was communicating with my DSL router when I had only 10.x address on the firewall. (Had to set 10.x.x.x as gateway the in the DSL router's route to my firewall.) I wasn't talking between my internal computers and the Internet at that time, so I'm not sure it would work. But nobody on the Internet needs to address my firewall, except the DSL router which should be able to use private addresses -- especially if my ISP would let me configure my end of the DSL router to use a private address. But I"m not sure about their PPP/ATM stuff; it might need a public IP address on both ends of the PPP/ATM link. > [ suggestion of 1-to-1 NAT ] > Since no two machines will ever share the same IP under > this scheme, it will work fine, while hiding your intenal network structure > from "the world". I read about that in my firewalling book, but I just don't get it, even ignoring the problem with not translating IP addresses within the packets. How does translating IP addresses help with security, as long as the translation is transparent? I don't see that I'm hiding anything important, just some IP numbers nobody cares about, not things like network structure or ports or data. The firewall rules hide those. > The trick should be to use a /32 > netmask, so that ALL addresses are considered non-local, and delivered to the > gateway. That's what I thought. Or to use point-to-point (given that I've seen almost nothing about it but the little in the ifconfig man page). But it isn't the trick. Though you might have to use /31. I'm am, but it won't work at ifconfig time. I have to use /29 (or /30?) and then replace the /29 route with a /31 route. )easier said, than done. > The other thing you need to do, > though, for this to work is set the broadcast address for each interface. I > may be wrong here, but I *think* you can set this to an arbitrary value. > Without the correct broadcast address, at least unless you have manual static > routes set up in the firewall, packets won't find their way back. First, ifconfig ignores you if you try to set broadcast or (netmask) on a configured interface, even if it is "down". You didn't say what the broadcast address should be, but I've tried many and nothing works but the one created by a /29 config. > > Unfortunately, doing "ifconfig xl0 down; go fishing; ifconfig xl0 up" > > puts back the a.b.c.0/29 route, breaking my routing. > > > This is becuase you already have the /29 netmask for xl0; if you change the > xl0 netmask ("ifconfig xl0 netmask 255.255.255.252" as well as changing the > rc.conf info) ifconfig xl0 up will bring back the correct (/31) family. But I can't change the netmask and if I use a /31 (you meant .254, right?) netmask at interface setup, I can't get it to route properly. > Again, you are having conflicts with your subnets and your routing. You need > to either get enough addresses to support a "real" subnet (including the two > "dead" addresses per net), use bridging, or use NAT. Or use my awkward, non-standard kludge. As a reminder, my original post wasn't asking how I can set up my network. I was bitching about what I consider a high-level design deficiency in the OS (and all OSes, I suppose) software which makes it awkward or impossible to efficiently and/or easily utilize a 6-IP block of IP address for a 2-computer, 1-firewall, network which should be able to get by with 3 addresses (or even 2 if the ISP would use a private IP for my or both ends of the private PPP/ATM link). (I was also complaining some about the FreeBSD network tools and documentation.) > One of the reasons there is little documentation on bridging, at least in > FBSD, is that in FBSD all that is required is "gateway_enable=YES" in > rc.conf. (you might need a kernel config tweak, I don't recall offhand. If > you are running ipfw or ipf, then you should already have whatever kernel > tweaks you need). With gateway_enable=YES, packets appearing on one > interface, get popped out the other interface (at least they did for me) > unless blocked or NAT'ed by your firewall ruleset. This lead to me suddenly > flooding my subnet with 192.168 packets by mistake at one point configuring > my own home network. (which uses NAT because I have a /32 address. <(}:) > This *should* allow everythng to work as your existing setup, using /29 for > your netmask, and everything talk to each other without fancy routing. > naturally, of course, you will want to configure your firewall rules so that > packets from workstation to server don't go out to your DSL link, and clutter > up your upstream bandwidth. I think you're confusing gatewaying with bridging. My firewall has gatewaying (and filtering) enabled with some the results you mention, but not the routing part. Gatewaying just has the routing software accept packets with non-localhost destination addresses (usually so they can be sent on to some other network). Bridging, AFAIK so far, makes the host seem like a cable joining two cables coming into the host, so that two external hosts seem to be communicating over a single network segment (eg, one cable). The bridge and its two bridged interfaces have no IP addresses at all. That's what I understood from my books, at least. Scott Lambert told me yesterday about this article (not in my 4.3 docs) on filtering bridges: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/filtering-bridges-ipfirewall.html which seems to explain the details of configuring one quite well, but which doesn't introduce the concepts except a brief discussion about choosing between a bridge and a router. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4cd74ctsac.74c>