DaemonForums > FreeBSD > FreeBSD General
#1, 13th July 2008, ivanatora (Ivan)

Couple of network questions (NAT, firewalls)

First of all, hello - I've been redirected here from bsdforums...
I'm a recent FreeBSD 7 user and I want to do in FreeBSD the things I've done on Linux.
Let's start with firewalls.
I've compiled my kernel to support both ipfw and ipf. The first surprise was losing all networking upon reboot, but I understood that this is the default policy of these firewalls. I solved that for ipfw with the following FIREWALL_SCRIPT:
Code:
ipfw add 65000 allow ip from any to any
I still can't understand how to disable ipf (I don't want it currently) and I have to type after every reboot:
Code:
ipf -D
I tried with ipfilter_enable="NO" in rc.conf but this is not the way. I was told to compile ipfilter as a module and not include it in the kernel itself. How do I do that? Currently I have 'options IPFILTER' in the kernel config. If I drop this out I won't have ipfilter built in, but will it automatically be compiled as a module? How do I mark which features I want as modules?

Issue number 2 - NAT. I succeeded in running natd, and a simple divert rule for ipfw did the job:
Code:
ipfw add 500 divert natd all from any to any via re0
However I want only one machine to have access to this. I tried these:
Code:
ipfw add 500 divert natd all from 192.168.0.5 to any via re0
ipfw add 500 divert natd all from any to 192.168.0.5 via re0
(Of course after flushing the rules.)
OK, that is interesting. I was logged in from 192.168.0.5 and after I changed the divert rule I lost the connection from 192.168.0.5 to the server (which is 1 meter away and doesn't have any other rules in the firewall list except pass all). Why is that happening? I'm sshing directly to the internal address - 192.168.0.1, which is an alias of re0 and doesn't care what the NAT state is. It should be pingable even if no NAT is established. Right?

The second thing I tried was to pass some options to the natd daemon (like -redirect_address). For that purpose I first killed the natd daemon, and guess what - the secondary machine got cut off again. So what is that connection between NAT and ssh? I'm doing a simple peer-to-peer connection and there is nothing wrong with the IP settings.
Am I going the right way with -redirect_address? I didn't manage to try this out after the connection was cut.
And how can I redirect a public address if my ISP has provided several? Is it with that -redirect_address option?
#2, 13th July 2008, graudeejs (Aldis Berjoza, formerly killasmurf86)

If you skip a driver in the kernel config (comment it out or delete it),
it will be built as a module and you will need to run kldload to load it...
or write it in loader.conf or something like that...
#3, 13th July 2008, TerryP

Quote:
Originally Posted by ivanatora
I still can't understand how to disable ipf (I don't want it currently) and I have to type after every reboot:
Code:
ipf -D

Things like these should usually be placed in /etc/rc.local if they don't warrant (for you) the creation of rc.d scripts.

The fact that you shouldn't have to disable something you want to use on boot brings to mind: why did you compile support for it into the kernel if you don't want IPF?

*I don't use ipf so I wouldn't know if there are any rc.d scripts shipped.
#4, 13th July 2008, phoenix (Freddie)
Don't bother with IPF, it's pretty much deprecated in FreeBSD 6, there's little (if any) development on it in FreeBSD 7, and I doubt it will remain in the tree beyond FreeBSD 8. It doesn't fit into the PFIL framework, and the locking doesn't fit into the SMPng framework. It also doesn't work correctly on SMP systems.

Pretty much everyone who used IPF has switched to PF.

You also shouldn't have 2 separate packet filters in your kernel simultaneously unless you REALLY know what you are doing.
#5, 14th July 2008, ivanatora (Ivan)

I thought I had to put 'options IPFILTER' in the kernel config in order to have ipf working. Silly me, that was written in the howto.
Okay, so IPF is old stuff; what about PF? I'm wondering which of the two - ipfw or pf - is better as a packet filter and NAT? I have reviewed IPFW and it reminds me of iptables in Linux - not so hard to get used to it, but I haven't checked PF yet. Is there a major difference between them, like "IPFW can do *that* and PF can't do it" or vice versa?
#6, 14th July 2008, J65nko (Administrator)

I would suggest pf, because it is very actively supported by the OpenBSD team.
For more information, see the pf section of http://daemonforums.org/showthread.php?t=108
#7, 18th July 2008, ivanatora (Ivan)

That's nice, but I can't find the pf program. It isn't in ports either.
Code:
[ivanatora] /usr/src# pf
pf: Command not found.
[ivanatora] /usr/src# cd /usr/ports/*/pf
/usr/ports/*/pf: No match.
[ivanatora] /usr/src# pkg_add -r pf
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/pf.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/pf.tbz' by URL
#8, 18th July 2008, BSDfan666

There is no "pf" command, and it's not a port either... it's a kernel-level firewall.

Related man pages:
pf(4)
pfctl(8)
pf.conf(5)
#9, 18th July 2008, phoenix (Freddie)

Quote:
Originally Posted by ivanatora
I thought I had to put 'options IPFILTER' in the kernel config in order to have ipf working. Silly me, that was written in the howto.
Yes, you do. But why do you have IPFILTER (ipf) and IPFIREWALL (ipfw) in the same kernel?

Quote:
Okay, so IPF is old stuff; what about PF? I'm wondering which of the two - ipfw or pf - is better as a packet filter and NAT? I have reviewed IPFW and it reminds me of iptables in Linux - not so hard to get used to it, but I haven't checked PF yet. Is there a major difference between them, like "IPFW can do *that* and PF can't do it" or vice versa?
PF does better stateful filtering, and allows you to select from a "last-rule that matches is the action to take" mode, which is the default, and a "first rule that matches is the action to take" mode, using the quick keyword. It's also more structured in that a rules file has to follow a certain order for the different sections. PF also does all NAT in-kernel. Rulesets are loaded all at once, so changing one rule reloads them all. PF uses ALTQ for traffic shaping/prioritising.

IPFW is more free-form. It uses rule numbers, so you can add/delete individual rules without affecting the rest of the rules. Until FreeBSD 7, all NAT was done in user space, now you can choose userspace or kernel-space. IPFW uses a "first matching rule wins" mode. IPFW supports divert rules that can send packets to any program that listens on a socket. The syntax has grown organically over the years, and can look really messy when doing the really advanced stuff. It uses dummynet for traffic shaping/prioritising, although it can also use the ALTQ framework.

Both are good packet filters. Both have rules syntax that resembles English sentences. Both can be either very simple to use, or very complex to use. Both are under active development.

IPFW is only used by FreeBSD and its derivatives. PF is used by all the BSDs. I'm not sure which MacOS X uses by default.

Oh, and please don't ever compare ipfw to iptables. That's like comparing a Rolls Royce to a golf cart.
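The evaluation-order difference phoenix describes is the one that bites people moving between the two filters: a "pass everything" rule that is harmless as the first pf rule (a later, more specific rule still wins) swallows the whole ruleset in ipfw, where the first match terminates. The following is an added toy model, not code from the post or from the FreeBSD pf/ipfw sources; the Rule and Packet shapes, the three-rule policy (pass all, block ssh to the router 192.168.0.1, let only 192.168.0.5 ssh in) and the addresses are constructed for illustration, and real rules carry interface, direction, state and flag matching that this omits. The model also reproduces the default verdicts: pf passes when nothing matches, while ipfw ends in the implicit deny that cost the original poster his network on the first reboot.

```python
"""Toy model of pf (last match wins, 'quick' short-circuits) versus ipfw
(first match wins, rules walked in number order).

Added example: not from the forum post or the FreeBSD sources. Rules and
packets are simplified and constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block" (ipfw spells them allow/deny)
    src: str = "any"             # CIDR/host or "any"
    dst: str = "any"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # pf only: stop evaluating on a match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def pf_decide(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf: walk the whole ruleset; the LAST match wins unless a match is 'quick'.
    With no matching rule pf passes the packet."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def ipfw_decide(rules: List[Tuple[int, Rule]], pkt: Packet,
                default: str = "block") -> str:
    """ipfw: walk rules in number order; the FIRST match terminates.
    Rules sharing a number keep insertion order (stable sort), as ipfw does.
    With no matching rule the implicit rule 65535 denies the packet."""
    for _, rule in sorted(rules, key=lambda numbered: numbered[0]):
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed policy: pass everything, except ssh to the router 192.168.0.1,
# which only the admin host 192.168.0.5 may reach.
PF_RULES = [
    Rule("pass"),
    Rule("block", dst="192.168.0.1", proto="tcp", dport=22),
    Rule("pass", src="192.168.0.5", dst="192.168.0.1", proto="tcp", dport=22,
         quick=True),
]

# The same three rules copied into ipfw in the same order: rule 100 matches
# everything, so the ssh restriction below it is dead code.
IPFW_SAME_ORDER = [(100, PF_RULES[0]), (200, PF_RULES[1]), (300, PF_RULES[2])]

# The ipfw ordering that expresses the same policy: specific rules first,
# the catch-all last (the post's "65000 allow ip from any to any").
IPFW_RULES = [(100, PF_RULES[2]), (200, PF_RULES[1]), (65000, PF_RULES[0])]


if __name__ == "__main__":
    admin_ssh = Packet("192.168.0.5", "192.168.0.1", "tcp", 22)
    other_ssh = Packet("192.168.0.7", "192.168.0.1", "tcp", 22)
    for label, pkt in (("admin ssh", admin_ssh), ("other ssh", other_ssh)):
        print(label,
              "pf:", pf_decide(PF_RULES, pkt),
              "ipfw same order:", ipfw_decide(IPFW_SAME_ORDER, pkt),
              "ipfw reordered:", ipfw_decide(IPFW_RULES, pkt))
```

Running it shows "other ssh" passing under IPFW_SAME_ORDER and blocked under both PF_RULES and the reordered IPFW_RULES; the same text, in the same order, is a different policy in the two filters, which is why a ruleset should be reviewed against the evaluation order of the filter it is loaded into rather than read as English.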
18th July 2008, BSDfan666

I do believe Apple opted for IPFW for reasons unknown....
21st July 2008, ivanatora (Ivan)

Sorry about iptables - this was the only term I could come up with at that moment.

I just got into pf and it rocks - got NAT up and running for my second PC in less than a minute, *without* running any extra daemons like natd.
That 'last matching rule wins' is a bit confusing (like reading the rules file backwards), but at least there is the 'quick' word. I'm going to read the documentation more in-depth.

Thanks for your tips!
------------------------------
Another portion of questions is coming. This time I'm trying to do some very basic traffic shaping - ALTQ. To begin with, I want just to restrict HTTP download speed (which is port 80) to a fixed number... let's say 100Kbps. I'm on an ADSL line providing 12Mb down / 2Mb up, but for now let's concentrate only on limiting download speed.
I've read some tutorials and I've arrived at the following code:
Code:
### Queueing
# I'm not sure what to set up for a total bandwidth - 100Mb for the carrier media (Cat5 cables) or 12Mb for the provided bandwidth
altq on re0 cbq bandwidth 100Mb queue {restrict, fast}
# This queue 'restrict' should get the shaped traffic
queue restrict bandwidth 100Kb cbq(default)
# This 'fast' queue should take some fast traffic, DNS requests for example.
queue fast bandwidth 500Kb priority 4
### Translation
# This is for my other PC and I don't think it plays a role here
nat pass on re0 from 192.168.0.5 to any -> 10.10.10.21

### Filtering
# Restrict traffic on port 80. This is my IP.
pass in on re0 proto tcp from any port 80 to 10.10.10.21 queue restrict
# Pass DNS requests on the 'fast' queue
pass in on re0 proto { udp, tcp } from any port 53 to 10.10.10.21 queue fast
So I see DNS resolutions are done really fast (definitely faster than if they fell into the 'restricted' queue), but HTTP traffic is not going at the specified bandwidth. Instead it goes at about 3Mb. First I thought it was due to a wrong number here:
altq on re0 cbq bandwidth *100Mb* queue {restrict, fast}
But changing that did not reflect in any way - the downloads still went at 3Mb.

Second problem - how do I build the rule for queuing the other PC's NATed bandwidth?
I tried
Code:
pass on re0 from any to 192.168.0.5 queue restrict
and variations, but it just didn't pass to the queue, i.e. the effect was nothing. I'm routing over only one NIC - re0 (using aliases - 10.10.10.21 and 192.168.0.5) and maybe this is wrong?

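Both queueing problems in the post above come from one property of ALTQ: a queue assignment takes effect when a packet leaves the interface the queue is declared on. Replies addressed to the router itself (10.10.10.21) are delivered locally and never leave re0, so ALTQ cannot slow them; and a rule of the form `pass in ... from any port 80 to 10.10.10.21` is never the rule that creates state for a download, because a download's first packet is the router's own outbound SYN. The NATed PC is different: its downloads do leave re0 toward 192.168.0.5, so they can be queued, provided the queue is attached to the state that the client's connection creates. The fragment below is an added example, not from the post or from the PF documentation; it keeps the post's interface and addresses (re0, 10.10.10.21, 192.168.0.1, 192.168.0.5) and its 100Mb/100Kb/500Kb figures as assumptions, and needs options ALTQ and ALTQ_CBQ in the kernel. Because pf's last matching rule wins, the generic client rule is placed before the port-specific ones, and `nat` is used without `pass` so that the client's packets still go through the filter rules that assign the queues.

```pf
# Added example, not from the post. Interface and addresses are taken from
# the thread; the bandwidth figures are placeholders to adjust for the link.
ext_if   = "re0"
ext_addr = "10.10.10.21"      # ISP-assigned address on re0
lan_addr = "192.168.0.1"      # LAN alias on the same re0
client   = "192.168.0.5"      # the NATed PC

### Queueing
# ALTQ shapes packets as they LEAVE re0. The child queues set the real caps;
# their total must not exceed the root figure.
altq on $ext_if cbq bandwidth 100Mb queue { std, restrict, fast }
queue std      bandwidth 90Mb  cbq(default)
queue restrict bandwidth 100Kb
queue fast     bandwidth 500Kb priority 4

### Translation
# No "pass" here: "nat pass" would skip the filter rules below, and with
# them the queue assignments.
nat on $ext_if from $client to any -> $ext_addr

### Filtering
block in all

# The router's own traffic. Replies to $ext_addr/$lan_addr are delivered
# locally and never leave re0, so ALTQ cannot shape them.
pass out on $ext_if from { $ext_addr, $lan_addr } to any keep state

# Client traffic. Last match wins, so the generic rule comes first and the
# port-specific rules after it override its (default) queue.
pass in on $ext_if from $client to any keep state
# State is created on the client's SYN; the downloaded data later leaves
# re0 toward $client and is queued in "restrict".
pass in on $ext_if proto tcp from $client to any port 80 keep state queue restrict
# DNS from the client goes to the "fast" queue the same way.
pass in on $ext_if proto { udp, tcp } from $client to any port 53 keep state queue fast
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsq` shows per-queue packet counters, so a download from the client should increment the "restrict" counters while a download on the router itself should not touch them.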
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick