freebsd-ipfw Digest, Vol 173, Issue 2
Loic SOUTENARE
loic.soutenare at prism.uvsq.fr
Fri Sep 1 12:19:40 UTC 2006
Hi everybody,
If I understand correctly, your Linux gateway has all its NICs on the same network. It's
supposed to do packet filtering and run bind services at the same time, and your
questions were, on the one hand, how? and on the other, how to make a FreeBSD
twin of the Linux one?
OK! I'm just a student trying to learn more about networks and Unix, so I
won't pretend to have the best solution; I'll just say what I think about
it. What I have seen so far leads me to guess that making a FreeBSD
bridge is a good compromise: you can bridge your gateway and then alias your
internal NIC with the same address that the Linux one had. PCs in your
network will believe they are connected to a switch providing the Internet
and bind services.
                    Your LAN
                    /      \
                   /        \
 bge1 (with no address)   bge1.0 (192.168.1.122)
                   \        /
                    \      /
   ------------------------------------------ freeBSD Bridge
                        |
                        |
                 bge0 (192.168.1.121)
                        |
                    Internet
This is how it should look schematically, and you'll be able to do filtering on
interfaces rather than on addresses.
A piece of my kernel config file, for example:
#------------------------------------------------------------------------------#
# FIREWALL
#
#------------------------------------------------------------------------------#
options IPFIREWALL                      #|
options IPFIREWALL_VERBOSE              #|--->IPv4
options IPFIREWALL_VERBOSE_LIMIT=200    #|
options IPFIREWALL_FORWARD              #|
#options IPFIREWALL_FORWARD_EXTENDED    #|--->proxy
options IPV6FIREWALL                    #|
options IPV6FIREWALL_VERBOSE            #|--->IPv6
options IPV6FIREWALL_VERBOSE_LIMIT=200  #|
options DUMMYNET                        # Bandwidth management.
options IPDIVERT                        # Divert sockets
options IPSTEALTH                       # Does not touch the TTL: firewall transparent to traceroute
options TCPDEBUG                        # Enables the code that keeps a trace of the machine's TCP state;
# the command is trpt.
options TCP_DROP_SYNFIN                 # Drops TCP packets with SYN+FIN set.
options SOFTUPDATES                     # Speeds up the filesystem and makes hard reboots less risky
options QUOTA
options SC_DISABLE_REBOOT
# BRIDGE / network bridge: transparent firewall.
options BRIDGE
#------------------------------------------------------------------------------#
# end FIREWALL
#
#------------------------------------------------------------------------------#
----- Original Message -----
From: <freebsd-ipfw-request at freebsd.org>
To: <freebsd-ipfw at freebsd.org>
Sent: Thursday, July 27, 2006 2:00 PM
Subject: freebsd-ipfw Digest, Vol 173, Issue 2
> Send freebsd-ipfw mailing list submissions to
> freebsd-ipfw at freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> or, via email, send a message with subject or body 'help' to
> freebsd-ipfw-request at freebsd.org
>
> You can reach the person managing the list at
> freebsd-ipfw-owner at freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-ipfw digest..."
>
>
> Today's Topics:
>
> 1. FreeBSD Gateway to replace old Linux gateway
> (elaconta.com Webmaster)
> 2. Re: FreeBSD Gateway to replace old Linux gateway
> (Tony Abou-Assaleh)
> 3. Re: FreeBSD Gateway to replace old Linux gateway
> (elaconta.com Webmaster)
> 4. RE: FreeBSD Gateway to replace old Linux gateway
> (DeepBlackMagic at LootHole.Com)
> 5. Re: FreeBSD Gateway to replace old Linux gateway
> (Tony Abou-Assaleh)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 26 Jul 2006 20:41:18 +0100
> From: "elaconta.com Webmaster" <webmaster at elaconta.com>
> Subject: FreeBSD Gateway to replace old Linux gateway
> To: freebsd-ipfw at freebsd.org
> Message-ID: <44C7C55E.3090907 at elaconta.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Howdy
>
> We have here an old (Mandrake Linux 8 - yeah I know...) PC with two NICs
> which serves as a firewall for our LAN and runs a Bind caching nameserver.
> Although the machine is getting old, it still works well. Thing is, I'm
> having a hard time trying to reproduce it, that is, getting another PC
> to do exactly the same thing this PC is doing. It was configured by a
> guy that left the company, so I can't simply ask him how he configured
> it.
> It's a precautionary measure: if the machine breaks down we need another
> one to go in its place.
> So while I'm at it I would love to replace the crusty old thing with a
> new one running FreeBSD.
> The networking scheme is:
>
> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
> <-> (192.168.1.0/24) LAN
>
> Now, thing is, the Linux firewall has two NICs:
>
> NIC 1: 192.168.1.121
> NIC 2: 192.168.1.122
>
> The two NICs on the Linux box are configured with 192.168.1.121 and
> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
> the company router (192.168.1.120) and 192.168.1.122 accesses the company
> LAN (192.168.1.0/24).
> From what I've googled, this shouldn't even be possible, everything is
> on the same subnet. Regardless, it works great, and if I went and got a
> FreeBSD rig to replace the old Linux rig, it would have to retain this
> networking scheme; we can't afford to reconfigure the entire network
> just for switching our firewall.
>
> I know we could use a network bridge, but we need the caching
> nameserver functionality.
>
> I'm an all-round Unix guy, but I'm a bit green on the routing department.
>
> Can a FreeBSD box be configured the same way the Linux box is so it can
> be a drop-in replacement for the Linux box? I can of course depict in
> further detail the configuration of the Linux box (netstat -r to show
> the routes, ifconfig or whatever).
>
> I've already prepped a FreeBSD 6.1 box which already works if the NICs in
> the gateway are in different subnets (dc0 is 192.168.1.125 and dc1 is
> 192.168.0.5, for instance). I've changed a PC in the network to the
> 192.168.0.20 IP (instead of 192.168.1.20) and it connected without a
> problem to the Internet, but we have lots of appliances which depend on
> the 192.168.1.0 style network. We would need the two NICs in the box to
> be in the same subnet...
>
> -----------------------------
> Elaconta.com Webmaster
> -----------------------------
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 26 Jul 2006 19:16:23 -0300 (ADT)
> From: Tony Abou-Assaleh <taa at acm.org>
> Subject: Re: FreeBSD Gateway to replace old Linux gateway
> To: "elaconta.com Webmaster" <webmaster at elaconta.com>
> Cc: freebsd-ipfw at freebsd.org
> Message-ID: <Pine.GSO.4.58.0607261911170.5824 at flame.cs.dal.ca>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> I would like to see a reference that shows that it is not possible to have
> two networks with the same subnet IP ranges. In fact, your working Linux
> PC is a good example that it can be done.
>
> You need to be careful not to use the same full IP address on both sides
> of the network, that's about it. The rest can be handled with a proper
> configuration of the routing table.
>
> Take a look at your routing table (using route) and see if you can
> reproduce it on FreeBSD. If you run into problems on FreeBSD, report
> them, and someone might recognize something.
>
> Cheers,
>
> TAA
>
> -----------------------------------------------------
> Tony Abou-Assaleh
> Email: taa at acm.org
> Web site: http://taa.eits.ca
> ----------------------[THE END]----------------------
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 27 Jul 2006 00:03:26 +0100
> From: "elaconta.com Webmaster" <webmaster at elaconta.com>
> Subject: Re: FreeBSD Gateway to replace old Linux gateway
> To: Tony Abou-Assaleh <taa at acm.org>
> Cc: freebsd-ipfw at freebsd.org
> Message-ID: <44C7F4BE.2080805 at elaconta.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Tony Abou-Assaleh wrote:
>> I would like to see a reference that shows that it is not possible to
>> have two networks with the same subnet IP ranges. In fact, your working
>> Linux PC is a good example that it can be done.
>>
>> You need to be careful not to use the same full IP address on both sides
>> of the network, that's about it. The rest can be handled with a proper
>> configuration of the routing table.
>>
>> Take a look at your routing table (using route) and see if you can
>> reproduce it on FreeBSD. If you run into problems on FreeBSD, report
>> them, and someone might recognize something.
>>
>> Cheers,
>>
>> TAA
>>
>> -----------------------------------------------------
>> Tony Abou-Assaleh
>> Email: taa at acm.org
>> Web site: http://taa.eits.ca
>> ----------------------[THE END]----------------------
>>
> The routing table on the Linux box, as shown by the "route" command:
>
> [root at visao root]# route
> Tabela de Roteamento IP do Kernel
> Destino         Roteador        MáscaraGen.     Opções Métrica Ref    Uso Iface
> 192.168.1.0     *               255.255.255.0   U      0       0        0 eth1
> 192.168.1.0     *               255.255.255.0   U      0       0        0 eth1
> 127.0.0.0       *               255.0.0.0       U      0       0        0 lo
> default         192.168.1.120   0.0.0.0         UG     0       0        0 eth0
>
> Hum, some things in this table are in Portuguese... Basically "Tabela de
> Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
> Destiny, "Roteador" means Router, "Máscara" means Mask.
> Now the thing that strikes me in this Linux routing table are the
> asterisks (*). Are they normal, or some kind of Linux black magic?
> Is there a way to reproduce this routing table on FreeBSD? What do the
> asterisks mean?
>
> -----------------------------
> Elaconta.com Webmaster
> -----------------------------
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 26 Jul 2006 18:11:09 -0500
> From: <DeepBlackMagic at LootHole.Com>
> Subject: RE: FreeBSD Gateway to replace old Linux gateway
> To: <freebsd-ipfw at freebsd.org>
> Message-ID: <02dc01c6b108$cb620050$0a010a0a at blackice>
> Content-Type: text/plain; charset="US-ASCII"
>
> I was thinking that the interfaces could simply be bridged. Could you do
> a traceroute from a workstation to, say, google.com and see if the firewall
> appears as a hop? If it's a hop, it's routing; if it's invisible, it's
> bridging. That should help guide you in the creation of a replacement.
>
> DBM
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 27 Jul 2006 00:15:44 -0300 (ADT)
> From: Tony Abou-Assaleh <taa at acm.org>
> Subject: Re: FreeBSD Gateway to replace old Linux gateway
> To: "elaconta.com Webmaster" <webmaster at elaconta.com>
> Cc: freebsd-ipfw at freebsd.org
> Message-ID: <Pine.GSO.4.58.0607262355010.5824 at flame.cs.dal.ca>
> Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
>
> On Thu, 27 Jul 2006, elaconta.com Webmaster wrote:
>> The routing table on the Linux box, as shown by the "route" command:
>>
>> [root at visao root]# route
>> Tabela de Roteamento IP do Kernel
>> Destino         Roteador        MáscaraGen.     Opções Métrica Ref    Uso Iface
>> 192.168.1.0     *               255.255.255.0   U      0       0        0 eth1
>> 192.168.1.0     *               255.255.255.0   U      0       0        0 eth1
>> 127.0.0.0       *               255.0.0.0       U      0       0        0 lo
>> default         192.168.1.120   0.0.0.0         UG     0       0        0 eth0
>>
>> Hum, some things in this table are in Portuguese... Basically "Tabela de
>> Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
>> Destiny, "Roteador" means Router, "Máscara" means Mask.
>> Now the thing that strikes me in this Linux routing table are the
>> asterisks (*). Are they normal, or some kind of Linux black magic?
>> Is there a way to reproduce this routing table on FreeBSD? What do the
>> asterisks mean?
>
> In English, the headings are:
>
> Destination  Gateway  Genmask  Flags  Metric  Ref  Use  Iface
>
> Gateway is more appropriately described as 'next hop'. In your case, that
> would be the IP of your router for all outgoing external traffic. Since
> the internal traffic is connected directly (likely through an Ethernet
> hub), packets going to the LAN should be destined directly to their
> destination IP.
>
> According to your routing table, I believe there is no way to access the
> web interface of your router (if any) from your LAN, because all
> 192.168.1.* traffic will be sent on eth1, which is your LAN.
>
> You can use the route command to manipulate the routing table directly and
> reproduce the above. I think it can also be done using the firewall, but
> it's a little trickier there. Check your firewall rules to see if it is
> set explicitly there (if it is, then you should see rules similar in
> content to the entries in the routing table).
>
> Cheers,
>
> TAA
>
> -----------------------------------------------------
> Tony Abou-Assaleh
> Email: taa at acm.org
> Web site: http://taa.eits.ca
> ----------------------[THE END]----------------------
>
>
> ------------------------------
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
> End of freebsd-ipfw Digest, Vol 173, Issue 2
> ********************************************
>
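Tony's reading of the Linux routing table in the digest above (every 192.168.1.x destination, the router at 192.168.1.120 included, is sent out eth1 on-link, and only non-local traffic takes the default route through eth0) can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread, from the poster's Linux box or from FreeBSD: it parses a constructed copy of the poster's `route` output (same entries, headings rendered in English), performs the longest-prefix lookup the kernel performs, and flags any route whose gateway itself resolves through a different interface than the route names. The names `Route`, `parse_route_output`, `lookup`, `next_hop` and `find_gateway_mismatches`, and the external address 198.51.100.10 used as a probe, are my own choices, not anything from the digest.

```python
"""Longest-prefix-match lookup over net-tools `route` output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    """One line of the kernel routing table."""
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None: directly connected ('*')
    iface: str
    metric: int


# Constructed sample: the poster's table with English headings (the real box
# printed them in Portuguese). The duplicated 192.168.1.0 line is kept as posted.
SAMPLE_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.120   0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_output(text: str) -> list[Route]:
    """Parse `route` (net-tools) output into Route records, in table order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line, heading line, or something unrecognised
        dest, gw, genmask, flags, metric, _ref, _use, iface = fields
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        # '*' (no G flag) means the destination is on-link: no next-hop router.
        gateway = ipaddress.IPv4Address(gw) if "G" in flags and gw != "*" else None
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def lookup(routes: list[Route], dst) -> Optional[Route]:
    """Longest-prefix match; lower metric, then table order, break ties."""
    addr = ipaddress.IPv4Address(str(dst))
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    # max() returns the first of several equal keys, so table order decides
    # between the two identical 192.168.1.0/24 entries, as the kernel would.
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: list[Route], dst) -> Optional[tuple[str, str]]:
    """(interface, address the frame is actually addressed to), or None."""
    route = lookup(routes, dst)
    if route is None:
        return None
    hop = route.gateway if route.gateway is not None else ipaddress.IPv4Address(str(dst))
    return route.iface, str(hop)


def find_gateway_mismatches(routes: list[Route]) -> list[tuple[str, str, str]]:
    """Routes whose gateway is reached through a different interface.

    Returns (route network, interface the route names, interface the gateway
    resolves to). In the sample, the default route leaves via eth0 but its
    gateway 192.168.1.120 falls under the on-link 192.168.1.0/24 route on eth1,
    which is exactly the oddity discussed in the thread.
    """
    problems = []
    for r in routes:
        if r.gateway is None:
            continue
        via = lookup(routes, r.gateway)
        if via is not None and via.iface != r.iface:
            problems.append((str(r.network), r.iface, via.iface))
    return problems


if __name__ == "__main__":
    table = parse_route_output(SAMPLE_ROUTE_OUTPUT)
    # 198.51.100.10 is a documentation-range address standing in for "the Internet".
    for target in ("192.168.1.120", "192.168.1.50", "198.51.100.10", "127.0.0.1"):
        print(f"{target:>15} -> {next_hop(table, target)}")
    print("gateway/interface mismatches:", find_gateway_mismatches(table))
```

Run against the sample, the lookup for 192.168.1.120 lands on the eth1 on-link route, not on eth0, which is Tony's point about the router's web interface; the mismatch check makes the same inconsistency visible for the default route without reading the table by hand, and is a cheap sanity check to run on any dual-NIC firewall whose interfaces share a subnet.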