Forum: FreeBSD General
Couple of network questions (NAT, firewalls)
First to say hello - I've been redirected here from bsdforums...
I'm a recent FreeBSD 7 user and I want to do in FreeBSD the things I've done on Linux. Let's start with firewalls. I've compiled my kernel to support both ipfw and ipf. The first surprise was losing all networking upon reboot, but I understood that this is the default policy of these firewalls. I solved that for ipfw with the following FIREWALL_SCRIPT:
Code:
ipfw add 65000 allow ip from any to any
Code:
ipf -D
Issue number 2 - NAT. I succeeded in running natd, and a simple divert rule for ipfw did the job:
Code:
ipfw add 500 divert natd all from any to any via re0
Code:
ipfw add 500 divert natd all from 192.168.0.5 to any via re0
ipfw add 500 divert natd all from any to 192.168.0.5 via re0
OK, that is interesting. I was logged in from 192.168.0.5 and after I changed the divert rule I lost the connection from 192.168.0.5 to the server (which is 1 meter away and doesn't have any other rules in the firewall list except pass all). Why is that happening? I'm sshing directly to the internal address - 192.168.0.1, which is an alias of re0, which doesn't care what the NAT state is. It should be pingable even if no NAT is established. Right? The second thing I tried was to pass some options to the natd daemon (like -redirect_address). For that purpose I first killed the natd daemon, and guess what - the secondary machine got cut off again. So what is that connection between NAT and ssh? I'm doing a simple peer to peer connection and there is nothing wrong with the IP settings. Am I going the right way with -redirect_address? I didn't manage to try this out after the connection was cut. And how can I redirect a public address if my ISP has provided several? Is it with that -redirect_address option?
Things like these should usually be placed in /etc/rc.local if they don't warrant (for you) the creation of rc.d scripts. The fact that you shouldn't have to disable something you want to use on boot brings to mind: why did you compile support for it into the kernel if you don't want IPF?
* I don't use ipf, so I wouldn't know if there are any rc.d scripts shipped.
I thought I had to do 'options IPFILTER' in order to have ipf working. Silly me, that was written in the howto.
Okay, so IPF is old stuff, what about PF? I'm wondering which of the two - ipfw and pf - is better as a packet filter and NAT? I have reviewed IPFW and it reminds me of iptables in Linux - not so hard to get used to it, but I haven't checked PF yet. Is there a major difference between them, like "IPFW can do *that* and PF can't do it" or vice versa?
IPFW is more free-form. It uses rule numbers, so you can add/delete individual rules without affecting the rest of the rules. Until FreeBSD 7, all NAT was done in user space; now you can choose userspace or kernel-space. IPFW uses a "first matching rule wins" mode. IPFW supports divert rules that can send packets to any program that listens on a socket. The syntax has grown organically over the years, and can look really messy when doing the really advanced stuff. It uses dummynet for traffic shaping/prioritising, although it can also use the ALTQ framework.

Both are good packet filters. Both have rules syntax that resembles English sentences. Both can be either very simple to use, or very complex to use. Both are under active development. IPFW is only used by FreeBSD and its derivatives. PF is used by all the BSDs. I'm not sure which MacOS X uses by default.

Oh, and please don't ever compare ipfw to iptables. That's like comparing a Rolls Royce to a golf cart.
I would suggest pf, because it is very actively supported by the OpenBSD team.
For more information, see the pf section of http://daemonforums.org/showthread.php?t=108
That's nice, but I can't find the pf program. It isn't in ports either.
Code:
[ivanatora] /usr/src# pf
pf: Command not found.
[ivanatora] /usr/src# cd /usr/ports/*/pf
/usr/ports/*/pf: No match.
[ivanatora] /usr/src# pkg_add -r pf
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/pf.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/pf.tbz' by URL
There is no "pf" command, and it's not a port either... it's a kernel-level firewall.
Related man pages: pf(4), pfctl(8), pf.conf(5)
I do believe Apple opted for IPFW for reasons unknown....
Sorry about iptables - this was the only term I could come up with at that moment.
I just got into pf and it rocks - got NAT running for my second PC in less than a minute, *without* running any extra daemons like natd. That 'last matching rule wins' is a bit confusing (like reading the rules file backwards), but at least there is the 'quick' word. I'm going to read the documentation more in-depth. Thanks for your tips!
------------------------------
Another portion of questions is coming. This time I'm trying to do some very basic traffic shaping - ALTQ. For a beginning I want just to restrict HTTP download speed (which is port 80) to a fixed number... let's say 100Kbps. I'm on an ADSL line providing me 12Mb down / 2Mb up, but for now let's concentrate only on limiting download speed. I've read some tutorials and I've arrived at the following code:
Code:
### Queueing
# I'm not sure what to set up for a total bandwidth - 100Mb for the carrier media (Cat5 cables) or 12Mb for the provided bandwidth
altq on re0 cbq bandwidth 100Mb queue {restrict, fast}
# This queue 'restrict' should get the shaped traffic
queue restrict bandwidth 100Kb cbq(default)
# This 'fast' queue should take some fast traffic, DNS requests for example.
queue fast bandwidth 500Kb priority 4

### Translation
# This is for my other PC and I don't think it plays a role here
nat pass on re0 from 192.168.0.5 to any -> 10.10.10.21

### Filtering
# Restrict traffic on port 80. This is my IP.
pass in on re0 proto tcp from any port 80 to 10.10.10.21 queue restrict
# Pass DNS requests on the 'fast' queue
pass in on re0 proto { udp, tcp } from any port 53 to 10.10.10.21 queue fast
altq on re0 cbq bandwidth *100Mb* queue {restrict, fast}
But changing that was not reflected in any way - the downloads went on at 3Mb. Second problem - how to build the rule for queueing the other PC's NATed bandwidth? I tried
Code:
pass on re0 from any to 192.168.0.5 queue restrict
Last edited by ivanatora; 21st July 2008 at 07:23 PM.
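A small model of the two evaluation orders compared earlier in the thread ("first matching rule wins" for ipfw, "last matching rule wins" plus 'quick' for pf), added here as an example and not code from the thread, from pf or from ipfw. The constructed ruleset mirrors the pf.conf above and shows a pitfall of the last-match order: a trailing catch-all pass that names no queue silently takes the queue away again unless the HTTP rule is marked quick.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port, None = any port
    quick: bool = False            # pf: stop evaluating once this rule matches
    queue: Optional[str] = None    # pf/ALTQ queue the winning rule assigns

    def matches(self, proto: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

def ipfw_decide(rules: List[Rule], proto: str, dport: int) -> Optional[Rule]:
    """ipfw: walk the numbered list and stop at the FIRST matching rule."""
    for r in rules:
        if r.matches(proto, dport):
            return r
    return None

def pf_decide(rules: List[Rule], proto: str, dport: int) -> Optional[Rule]:
    """pf: keep walking, the LAST matching rule wins, unless a matching rule
    carries 'quick', which ends evaluation at that rule."""
    winner = None
    for r in rules:
        if r.matches(proto, dport):
            winner = r
            if r.quick:
                break
    return winner

def queue_for(decide, rules: List[Rule], proto: str, dport: int) -> Optional[str]:
    """Queue the winning rule assigns to a packet (None: no rule or no queue)."""
    r = decide(rules, proto, dport)
    return r.queue if r else None

# Constructed ruleset shaped like the pf.conf in this thread: HTTP to the
# 'restrict' queue, DNS to 'fast', then a catch-all pass that names no queue.
RULES = [
    Rule("pass", "tcp", 80, queue="restrict"),
    Rule("pass", "udp", 53, queue="fast"),
    Rule("pass"),
]
# Same rules with 'quick' on the HTTP rule: pf now stops there, so the
# catch-all can no longer override the queue assignment.
QUICK_RULES = [Rule("pass", "tcp", 80, quick=True, queue="restrict")] + RULES[1:]
```

Compare queue_for(ipfw_decide, RULES, "tcp", 80) with queue_for(pf_decide, RULES, "tcp", 80): ipfw yields "restrict", pf yields no queue at all until QUICK_RULES is used. This model only decides which rule wins; ALTQ itself schedules only packets leaving the interface it is configured on, so a queue attached to an inbound HTTP rule on re0 shapes just the outgoing reply packets, which is consistent with the unchanged download speed reported above.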