My first Gateway and LAN having issues
Hello BSD people,
For the past few weeks this has been my first attempt at actually hooking computers together in any kind of fashion. I read lots of examples and no matter what I tried my set-up would not work completely, and this is the best I have come up with so far ...

From my internal Windows LAN machine I can ping the Gateway but I CANNOT ping any website by name or number (ping yahoo.com or 67.195.145.137). I also cannot surf the INTERNET using any web-browser: IE, Opera or Firefox. On the GATEWAY machine I can ping to the outside by name or number but I CANNOT ping my own internal Windows LAN machine. At one point I could not even ping a website by name because of my packet filter rules (I know nothing, just using something I found), so I disconnected pf by way of rc.conf to see how far I could get. As you see I have been stopped again and I have run out of ideas for trial and error by adding or disconnecting stuff. It's like the only thing available to do is pull the plug and call it quits.

Kind of long, but here's all the info I could find. If there are more related files I would really like to know where FreeBSD put them so I can add them to this list. Could someone please tell me what I'm doing wrong or what I forgot to do? Networking is not as hard as I once thought, but I am shocked that after all of these days of reading and what-not, I'm stuck. Thanks in advance.

From the Gateway machine, numeric IP addresses will ping but named IP addresses will not ping.
Code:
bash-4.1# ping -c 4 yahoo.com
ping: cannot resolve yahoo.com: Host name lookup failure
bash-4.1# ping -c 4 67.195.145.137
PING 67.195.145.137 (67.195.145.137): 56 data bytes
64 bytes from 67.195.145.137: icmp_seq=0 ttl=57 time=94.823 ms
64 bytes from 67.195.145.137: icmp_seq=1 ttl=57 time=93.725 ms
64 bytes from 67.195.145.137: icmp_seq=2 ttl=57 time=91.254 ms
64 bytes from 67.195.145.137: icmp_seq=3 ttl=57 time=85.232 ms

--- 67.195.145.137 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 85.232/91.258/94.823/3.712 ms
bash-4.1#

/etc/rc.conf
NOTE: I tried pf commented out or not and it still can't ping by (IP) name.
Code:
ifconfig_re0="DHCP"
ifconfig_re1="inet 10.0.10.2 netmask 255.255.255.248"
gateway_enable="YES"
## pf_enable="YES"
## pf_rules="/etc/pf.conf"
## pf_flags=""
## pflog_enable="YES"
## pflog_logfile="/var/log/pflog"
## pflog_flags=""
natd_enable="YES"
natd_interface="re0"
natd_flags="-dynamic"

/etc/hosts
Code:
::1             localhost localhost.my.domain
127.0.0.1       localhost Computer-0.jj.my.com

/etc/host.conf
Code:
# Auto-generated from nsswitch.conf
hosts
dns

/etc/resolv.conf
Code:
search gateway.2wire.net
nameserver 192.168.1.254

/var/db/dhclient.leases.re0
Code:
lease {
  interface "re0";
  fixed-address 192.168.1.35;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.254;
  option domain-name "gateway.2wire.net";
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 192.168.1.254;
  option dhcp-renewal-time 43200;
  option dhcp-rebinding-time 75600;
  renew 1 2010/6/28 03:54:24;
  rebind 1 2010/6/28 12:54:24;
  expire 1 2010/6/28 15:54:24;
}
lease {
  interface "re0";
  fixed-address 192.168.1.35;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.254;
  option domain-name "gateway.2wire.net";
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 192.168.1.254;
  option dhcp-renewal-time 43200;
  option dhcp-rebinding-time 75600;
  renew 1 2010/6/28 04:22:52;
  rebind 1 2010/6/28 13:22:52;
  expire 1 2010/6/28 16:22:52;
}

So I guess pf is running:
Code:
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ        # Class Bases Queuing (CBQ)
options ALTQ_RED        # Random Early Detection (RED)
options ALTQ_RIO        # RED In/Out
options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ       # Priority Queuing (PRIQ)
options ALTQ_NOPCC      # Required for SMP build

Both ethernet cards are active, but pf is commented out in the rc.conf. Commented out or not, still can't ping by name.
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:14:d1:1a:22:35
        inet 192.168.1.35 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:14:d1:1b:19:62
        inet 10.0.10.2 netmask 0xfffffff8 broadcast 10.0.10.7
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=0<> metric 0 mtu 33200
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128

From the Windows LAN machine I can ping the Gateway, but I cannot surf the INTERNET with any web-browser I tried to use.
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ping 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:

Reply from 10.0.10.2: bytes=32 time=7ms TTL=64
Reply from 10.0.10.2: bytes=32 time=2ms TTL=64
Reply from 10.0.10.2: bytes=32 time=2ms TTL=64
Reply from 10.0.10.2: bytes=32 time=2ms TTL=64

Ping statistics for 10.0.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 7ms, Average = 3ms

C:\WINDOWS\system32>

WINDOWS TCP/IP PROPERTIES
Code:
IP address:       10.0.10.3
Subnet mask:      255.255.255.248
Default gateway:  10.0.10.2
Computer Name:    Computer-1

So I set the Sygate firewall on the Windows machine to Allow-All and it still fails. This is what I get from Sygate. Lucky I have it installed or I would see no info.
Code:
126310  10.0.10.7  137  10.0.10.3  137  Outgoing  allowed  ntoskrnl.exe
126311  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed  ndisuio.sys
126312  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed
126313  10.0.10.7  137  10.0.10.3  137  Outgoing  Allowed  ntoskrnl.exe
126314  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed  ndisuio.sys
126315  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed
126316  10.0.10.7  137  10.0.10.3  137  Outgoing  Allowed  ntoskrnl.exe
126317  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed  ndisuio.sys
126318  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed

Here is the ipconfig information from the Windows LAN machine.
Code:
C:\WINDOWS\system32>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.10.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 10.0.10.2

C:\WINDOWS\system32>
Code:
C:\WINDOWS\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.10.3:139          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    10.0.10.3:123          *:*
  UDP    10.0.10.3:137          *:*
  UDP    10.0.10.3:138          *:*
  UDP    10.0.10.3:1900         *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*

C:\WINDOWS\system32>
checklist
I just pinpointed for sure that the GATEWAY cannot ping the WWW by name when pf_enable="YES" (and nothing else pf). Also I re-installed Windows XP; I uninstalled the firewall, did Windows update and such. I updated the TCP/IP settings to the same as listed above. I plugged into the Netgear switch and to my surprise the Gateway can now ping the client. But the client situation has not changed. The client can ping the Gateway but not the WWW. I'm beginning to believe this is normal.

I am really new at this. Hands-on is different than reading a pack of documentation and different ideas all over the INTERNET and never remembering much because you never had the chance to try, and when you do, half the stuff doesn't work for your setup or machine anyway.

Now I think it's the pf rules that are holding me back. I found these examples on the net and like them so much because they have lots of stuff to learn from. I need some experienced people to comment out or add what is needed for my small LAN, which consists of one FreeBSD gateway, one XP machine for surfing the INTERNET, one FreeBSD/Arch-Linux machine for building routers and firewalls and such (more on the learning side) and maybe one more machine running a webserver for practice. Here is the rule set. May I ask that I would like it Stealth ready, but not Stealth enabled. The first half is different, but I saved it to be included within the bottom half if possible. Could some of you guys make changes and post a few comments on why it should be used? If it ends with only 3 rules that work, I'll still be happy.

I saved more than a dozen pf examples but I never knew what to do with them. It has been hard enough just learning FreeBSD and Arch-Linux command-line mode. I have been working at it all day and night and I don't have it correct yet. How do you guys do it? Thanks again. Hope someone with the know-how comes to read all of this. It's kind of lonely down here in the networking department. I may have to change my career plans.
Code:
### Stealthed Example:
### ext_if = "fxp0"
### int_if = "dc0"
### lan_net = "192.168.0.0/24"

# Code: blocking ICMP completely stealthed to attackers
# ICMP
# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
##### pass out on $ext inet proto icmp all icmp-type echoreq code 0 keep state
##### pass in on $ext inet proto icmp all icmp-type echoreq code 0 keep state

# UDP
# pass out all UDP connections and keep state
####### pass out on $ext proto udp all keep state
# pass in certain UDP connections and keep state (DNS)
##pass in on $ext proto udp from any to any port $udp_in keep state

# TCP
# pass out all TCP connections and modulate state
####### pass out on $ext proto tcp all modulate state

## Or
####### block in all
####### block return-icmp in on $ext_if from any to $ext_ad port auth quick
####### pass in on $ext_if from any to $ext_ad port smtp quick
Code:
################################################################
# define defaults and macros
#################################################################
oif = "re0"        # macro name for the NIC facing the public internet
lif = "re1"        # for NIC facing Local area network if you have one
dns1 = "{69.22.11.5, 69.22.11.6.}"   # my ISP's Domain name server IP address
dhcp = "69.22.11.7"                  # my ISP's DHCP server IP address
ob_state = "flags S/SA modulate state"   # outbound
ib_state = "flags S/SA synproxy state"   # inbound

#################################################################
# define run time global defaults
#################################################################
set block-policy drop        # Sets the default block behavior to
                             # packet is silently dropped
set state-policy if-bound    # states are bound to the interface
                             # they're created on
set loginterface $oif        # gather statistics on this interface
scrub out on $oif all random-id
scrub reassemble tcp

#################################################################
# define Nat if you have LAN
#################################################################
#nat on $oif from $lif to any -> ($oif)
#nat on $oif from 10.0.10.0/29 to any -> ($oif)
#pass quick on $lif all      # No restrictions on LAN Interface
pass quick on lo0 all        # No restrictions on Loopback Interface

#######################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#######################################################################

# Allow out access to my ISP's Domain name server.
# $dsn1 must be the IP address of your ISP's DNS.
# Get the IP addresses from /etc/resolv.conf file
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dns1 port 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for user ppp type connection to the
# public Internet, so you can delete this whole group.
pass out quick on $oif proto udp from any to $dhcp port 67 keep state

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from any to any port 80 $ob_state

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from any to any port 443 $ob_state

# Allow out send & get email function
# pass out quick on $oif proto tcp from any to any port 110 $ob_state
# pass out quick on $oif proto tcp from any to any port 25 $ob_state

# Allow out Time
# pass out quick on $oif proto tcp from any to any port 37 $ob_state

# Allow out nntp news
# pass out quick on $oif proto tcp from any to any port 119 $ob_state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on $oif proto tcp from any to any port 22 $ob_state

# Allow out non-secure Telnet (ID/PW passed as clear text)
pass out quick on $oif proto tcp from any to any port 23 $ob_state

# Allow out FBSD CVSUP function
pass out quick on $oif proto tcp from any to any port 5999 $ob_state

# Allow out ping to public Internet
pass out quick on $oif inet proto icmp from any to any icmp-type 8 keep state

# Allow out whois PC to public Internet
pass out quick on $oif proto tcp from any to any port 43 $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP in response to remote FTP client
pass out quick on $oif proto tcp from any port 20 to any $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP for gateway & LAN users
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
# pass out quick on $oif proto tcp from any to any port 21 $ob_state

# Block and log everything that's trying to get out.
# This rule enforces the block all by default logic.
block out log quick on $oif all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on $oif from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on $oif from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on $oif from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on $oif from 127.0.0.0/8 to any       #loopback
block in quick on $oif from 0.0.0.0/8 to any         #loopback
block in quick on $oif from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on $oif from 192.0.2.0/24 to any      #reserved for doc's
block in quick on $oif from 204.152.64.0/23 to any   #Sun cluster connect
block in quick on $oif from 224.0.0.0/3 to any       #Class D & E multicast

# Block public pings
block in quick on $oif inet proto icmp all icmp-type 8

# Block ident
block in quick on $oif proto tcp from any to any port 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log quick on $oif proto tcp from any to any port 137
block in log quick on $oif proto udp from any to any port 137
block in log quick on $oif proto tcp from any to any port 138
block in log quick on $oif proto udp from any to any port 138
block in log quick on $oif proto tcp from any to any port 139
block in log quick on $oif proto udp from any to any port 139
block in log quick on $oif proto tcp from any to any port 81
block in log quick on $oif proto udp from any to any port 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# user ppp type connection to the public Internet.
# This is the same IP address you used in the outbound section.
pass in quick on $oif proto udp from $dhcp to any port 68 keep state

# Allow in standard www function because I have apache server
pass in quick on $oif proto tcp from any to any port 80 $ib_state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on $oif proto tcp from any to any port 22 $ib_state

# Allow in non-secure Telnet session from public Internet labeled
# non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample rule if you do not have telnet server enabled.
#pass in quick on $oif proto tcp from any to any port 23 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# active FTP from remote client
pass in quick on $oif proto tcp from any to any port 21 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# response to active FTP for gateway & LAN users
# (the copied example had the literal interface dc0 here; this ruleset
# names the public interface through the $oif macro)
pass in quick on $oif proto tcp from any port 20 to any $ib_state

# Block and log all remaining traffic coming into the firewall.
# This rule enforces the block all by default logic.
block in log quick on $oif all
################### End of rules file ##############################
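The ruleset above mixes macros, literal interface names and an address list, and small slips in any of them (a trailing dot in an address, a reference to a macro that was never defined, an interface name left over from another box) make pfctl reject the whole file or silently match the wrong interface. The following script is an added example, not code from this thread or from pf; it parses only the subset of pf.conf syntax used above and flags exactly those three kinds of slip. The sample ruleset at the bottom is constructed from lines of the posted config.

```python
"""Lint a pf.conf fragment for the macro and address slips seen in the thread.

Added example, not code from the thread, from pf or from the guide the rules
were copied from. It handles only the small subset of pf.conf syntax used
above: macro definitions (name = "value"), $macro references, interface
names after "on", and IPv4 addresses inside { } lists.
"""
import ipaddress
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
IFACE_AFTER_ON = re.compile(r'\bon\s+([a-z]+[0-9]+)\b')


def strip_comment(line):
    """Drop a trailing # comment; pf treats everything after # as comment."""
    return line.split('#', 1)[0]


def lint_pf(text, known_ifaces=()):
    """Return [(line_no, message), ...] for problems found in a pf.conf text.

    known_ifaces: interface names that exist on this box (ifconfig -l).
    When given, a literal interface after "on" that is not in the set is
    reported; "pass in quick on dc0" in a ruleset written for re0/re1 is
    exactly such a leftover from a copied example.
    """
    macros = {}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            macros[name] = value
            # Every dotted token in a macro must parse as an IPv4 address or
            # network; "69.22.11.6." (trailing dot) fails, and pf rejects it too.
            for tok in re.split(r'[\s,{}]+', value):
                if '.' in tok:
                    try:
                        ipaddress.ip_network(tok, strict=False)
                    except ValueError:
                        findings.append((no, f'macro {name}: "{tok}" is not a valid address'))
            continue
        # A rule may only reference macros defined earlier in the file.
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                findings.append((no, f'undefined macro ${ref}'))
        if known_ifaces:
            for iface in IFACE_AFTER_ON.findall(line):
                if iface not in known_ifaces:
                    findings.append((no, f'interface {iface} is not one of {sorted(known_ifaces)}'))
    return findings


# Constructed sample: lines taken from the ruleset posted above.
SAMPLE = """\
oif = "re0"
lif = "re1"
dns1 = "{69.22.11.5, 69.22.11.6.}"
dhcp = "69.22.11.7"
ob_state = "flags S/SA modulate state"
ib_state = "flags S/SA synproxy state"
pass quick on lo0 all
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dhcp port 67 keep state
pass in quick on dc0 proto tcp from any port 20 to any $ib_state
pass in on $ext inet proto icmp all icmp-type echoreq code 0 keep state
block in log quick on $oif all
"""

if __name__ == "__main__":
    for line_no, msg in lint_pf(SAMPLE, known_ifaces={"re0", "re1", "lo0"}):
        print(f"line {line_no}: {msg}")
```

On the sample it reports the trailing-dot address on line 3, the stray dc0 on line 10 and the undefined $ext on line 11; pfctl -nf /etc/pf.conf remains the authoritative check, this only narrows down where to look.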
Here it says "$dsn1 must be the IP address of your ISP's DNS." I looked at my DSL Broadband Link, "DSL Connection Details", and there are in fact two Domain Name Servers, Primary and Secondary, but below, these numbers in the same positions don't seem to work for me. This may not be a typo and is meant as the author says, but I got a feeling it could have been written for his static address and not dynamic addressing. Just another guess for now, so here is what I did.
I just replaced it with "my" IP address from the resolv.conf like this: dns1 = "192.168.1.254" and now I can ping from the Gateway by name and number with this full rule set included, where before I had to comment out pf rules. So the code seems kind of backward... I'm not sure, but at least I am making some progress. Here's the link I got the tip from. It makes all of this seem so easy but I still have other issues. http://www.slackbook.org/html/networ...ion-tcpip.html I'll try to re-find the link I cut-and-pasted these pf rules from. I have too many HOT web-pages saved on my hard drive.
Code:
dns1 = "{69.22.11.5, 69.22.11.6.}"   # my ISP's Domain name server IP address
dhcp = "69.22.11.7"                  # my ISP's DHCP server IP address
Code:
# Allow out access to my ISP's Domain name server.
# $dsn1 must be the IP address of your ISP's DNS.
# Get the IP addresses from /etc/resolv.conf file
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dns1 port 53 keep state

Last edited by sharris; 28th June 2010 at 09:08 PM.
I hope you recognize that the probability for success attainable with such a methodology is quite low. As for sources of information on pf(4), Hansteen's manuscript is one of the better free introductions on the subject: http://home.nuug.no/~peter/pf/

When it comes to home networking, and especially for those that are doing it for the first time with no prior experience, the best rule is to start simple. Given that you are going to have multiple machines connected to the Internet through a common gateway, understand pf(4) first. No points are awarded for blind guessing. Once you are comfortable with setting up NAT on the external gateway, connect one machine to it. At this point, do all ping tests by IP address. If all internal machines are being assigned fixed IP addresses, pinging between all machines will only work if you have the subnetting correct. Don't bother with pinging by names until all machines can interact with each other at the IP address (Layer 3) level. Once you can get two machines to talk to each other by IP address, add a third. Once all three can communicate as expected, add a fourth, etc. As more machines are added to the internal network, the higher the probability that subnetting problems may arise. Understand the subject well.

Your posts mention problems with accesses by name. This is the last problem you should correct. It is unclear from your posts if you have your own DNS server for your internal network, or whether you are under the incorrect impression that your ISP's DNS server will allow you to communicate on your internal network by name with the same nameserver. Recognize that name resolution can also be done at the hosts(5) file level so you don't have to dedicate a machine to act as a DNS server. Also recognize that name resolution is not a requirement. If only a handful of machines are being connected together, you should be able to remember their IP addresses.

Yes, it may not be as easy, but ensure that the network works before layering on name resolution. Again, start simple. Don't try to introduce name resolution until you are perfectly clear that all nodes in the network can talk to each other by their IP address only. Networking is deceptively simple given that (most likely) Category 5 cables are simply being plugged into RJ45 connectors on network cards/hubs/switches. One does need a basic understanding of the following:
Hello ocicat,

Quote:
... with here, what you really want to use is probably a rule which says pass inet proto tcp from ep1:network to any port $ports keep state to let your local net access the Internet and leave the detective work to the antispoof and scrub code.

I wouldn't have thought scrub code had anything to do with this, even if I had known what scrub code does. Thank you very much for the keys to it all, ocicat, including your post, which is as great to me as Hansteen's manuscript itself... I will not be back until I get most of this in my head and some. It may take me days ... Thanks again ocicat
Development on pf(4) is aggressive on OpenBSD. pf(4) has undergone a number of syntax changes during recent OpenBSD versions. I expect this trend to continue indefinitely. The Book of PF is based on Hansteen's manuscript; however, the book is a few years old now, as a second edition will be published tentatively in August 2010. Because of this, I would not recommend the first edition. Otherwise, the first edition was one of the better sources of pf(4) information.

If you have other questions about networking, it will help if you post a diagram of your network including interface names and IP addresses. This will help clarify topology and subnetting correctness.
I have been reading all of what you suggested. The problem is each document links you to 5-10 others. I can't help it, so I click to review them, and before you know it I'm reading forum threads all over the world while never completing the first document. I did pick up a few details in their entirety and many bits and pieces from everywhere that are locked in my head and will be there when needed, but nothing that I tried gave my Windows LAN machine Internet access. It's overwhelming testing working and non-working examples, piecing stuff together and not having a clue if it's what you really need or not. Then you learn FreeBSD is not OpenBSD and all code doesn't work the same. I even believe FreeBSD 8.0 is either using an older version of PF or missing needed scripts. I found the clue and I don't have a lifetime to try to prove it. I did save the thread, I think.

And also something keeps killing my moused function. You can't pinpoint anything when you're in the heat of studying something else. I hit some kind of <pfctl> with a flag and later noticed my mouse was gone. I'll post the cause when I catch it. That was quite a detour; now I have to do a search for WHY while the machine reboots. Nothing on the net. I bet no one even knows it exists but me or a few non-X-Windows people learning pf the hard way. Whatever the case, something is not right and I don't think it's personal. My next step is to switch the rc.conf lines around and put moused at the bottom and see what happens, if I can ever get to it.

I am only a member of very few forums and I like to keep it that way so I don't get confused with tons of logins and passwords just because I have another question I just thought of by reading their threads. So I'll break so I can work on my Network Diagram. I don't think it's perfect and it may be missing a thing or two, but it should present a fairly clear picture of what I'm trying to do. Don't know if this entire thread has too much information, so here are my final questions.

And yes, I'm worn out, but I had a ball trying and am going back to read more after I post this long note. I think pf is great and I hope they don't break it or that the FreeBSD kernel gets an overhaul before it's too late.

Question 1) It doesn't matter right now, but for future knowledge, what detailed information (net-numbers) are we not supposed to post, since this is more about network security?

Here's my topology: one Gateway with pf, one switch and three systems. I am no good with math. I really want to start with the lowest number if possible, like 10.0.0.0 or 172.16.0.0 for the gateway, so when I plug in each LAN computer I can start with number 1 to match the switch number, but since I made it this far I have been too afraid to try it. Working in command-line mode is not fast, fun or easy to me yet. This is based on the example I posted way above. I do wonder why it starts with 10.0.10.2 and not 10.0.0.0 or 10.0.10.0.

Question 2) What is the logic behind that?
Question 3) Would someone correct my diagram numbers or make it better?
Question 4) Is there a strong working pf example for this type of LAN set-up?
Code:
The Internet (WWW)
   |
   |  RJ-11
   |
2-Wire DSL  [Access-Point = 00:00:00:xx:xx:xx]
   Network Name 2WIRETTT  [resolv = 192.168.1.254]
   |
   |  cat-6 patch cable
   |
Gateway-pf  [machine-0]
   re0  192.168.1.35  255.255.255.0    broadcast 192.168.1.255   [re0 = 00:00:e0:xx:xx:xx]
        DHCP 192.168.1.254
   re1  10.0.10.2     255.255.255.248  broadcast 10.0.10.7       [re1 = 00:00:e1:xx:xx:xx]
   |
   |  cat-5e cross-over cable
   |
NETGEAR gigabit switch, ports 1 2 3 4 5
   |
   |  cat-6 patch cables
   |
   +-- Windows XP surf Internet  [machine-1]
   |      IP Address 10.0.10.3   Subnet Mask 255.0.0.0   Gateway 10.0.10.2   [reX = 00:00:a1:xx:xx:xx]
   |
   +-- Jail Web-Server - E-Mail - MySQL  [machine-2]
   |      IP Address 10.0.10.4   Subnet Mask 255.0.0.0   Gateway 10.0.10.2   [reX = 00:00:a2:xx:xx:xx]
   |
   +-- ArchLinux-FreeBSD - Developer box  [machine-3]
          IP Address 10.0.10.5   Subnet Mask 255.0.0.0   Gateway 10.0.10.2   [reX = 00:00:a3:xx:xx:xx]
No expert here...

In a search for a configuration for your diagram above (without reading the first few posts again), I did a web search:

    pfconf pfctl 192.168 "gateway box"

On the first page, this link: www.drones.com/openbsd.html

LOTS...LOTS of information (some maybe outdated). You may wish to compare its setup with what you have done so far.

The reason initially for the search was to find a very large and commented pf.conf containing 192.168... I do not know whether the search found one larger than that in the page linked above.

FreeBSD 13-STABLE
drones.com is the kind of tutor I like. They talk like real people and tell their true experience instead of trying to please one group, the possible big-money topic or us. As they teach they cover many other things that sometimes are deeply related to the task at hand that you're interested in ... like this statement that answered the problem of what I noticed all along but still had to accept what the docs or tutor instructions say until I figured out how to ask the question so it doesn't get overlooked in the bunch. Now the bunch has to be answered just to get back to the main question. I even have more questions while reading pf and the rest.

PPPoE

This is supposed to use the DSL Primary and Secondary DNS... It doesn't work and only your drones.com may be explaining why. WoW!!!
Code:
dns1 = "{69.22.11.5, 69.22.11.6.}"   # my ISP's Domain name server IP address
dhcp = "69.22.11.7"                  # my ISP's DHCP server IP address

This is backward but it caused something to start working:
Code:
dns1 = "192.168.1.245"   # my resolv
dhcp = "68.xx.158.x"     # 1 number above my Secondary DNS:

Last edited by sharris; 2nd July 2010 at 10:40 PM.
I don't want to lose these links, so I'll edit this list so they can all be found in one place. Some things are just too good to be missed. Also, here is where I found the posted pf sample and where I got interested in pf:

http://www.unixguide.net/freebsd/fbsd_installguide80/

http://home.nuug.no/~peter/pf/
http://home.nuug.no/~peter/pf/en/long-firewall.html
http://www.drones.com/openbsd.html
http://www.google.com/search?hl=en&s...=Google+Search

http://www.freebsd.org/cgi/man.cgi?q...ts&format=html
http://www.openbsd.org/cgi-bin/man.c...86&format=html
http://en.wikipedia.org/wiki/Private_network

http://www.subnetmask.info/
http://www.subnet-calculator.com/subnet.php?net_class=A
An address of 10.0.0.0 with no explicit subnet mask implies a /8 network with a subnet mask of 255.0.0.0. Given that any IPv4 address represents a network component and a host component, 10.0.0.0 has no host bits set. This situation is known as the "subnet address" and should not be assigned to any specific host. Neither should a host be assigned the address where all host bits are set to one -- in this case 10.255.255.255 -- which is used as the broadcast address for the 10.0.0.0/8 subnet.

http://www.apnic.net/__data/assets/p...147/501302.pdf

Note that the formatting of this paper has problems with displaying exponents. Another good introduction to subnetting is: http://www.cisco.com/web/about/ac123...addresses.html

And by the way, Hansteen discusses the fundamentals of what you need to focus on here in the beginning at the following: http://home.nuug.no/~peter/pf/en/bas...tml#GWPITFALLS

http://www.freebsd.org/doc/en_US.ISO...ewalls-pf.html
Thank you, ocicat.
Actually, I went back to school to learn Web Site Development and Database, and now I have this fall semester to reach Web Administration. If it was not for you motivating me to study PF the proper way, I would just be a dummy with a piece of paper, learning how-to at somebody's networking company. School is good to fire you up, but what I just learned in a week would put a second-year networking professional in a state of shock. Not saying I understand it all, but every night after 18 hours the computer screen text became fuzzy to where I couldn't see it any longer until I slept, and I read and test even more as I sleep. So yes, ocicat, I have been doing my homework and found other ways to skin the cat just in case.

http://blog-rat.blogspot.com/2009/05...ly-vs-nat.html
http://www.solwiseforum.co.uk/showth...-nat-or-bridge

Anyway, I just need a small LAN to sit behind a router where one machine works as a server running Apache, MySQL and PHP and another machine browses the web pages from the internal server only. This way I can do cross-browser coding in peace (no possible hacking or strange effects from the outside world causing me confusion). I wanted a dedicated machine to do some cron screen scraping running off Perl code, but since it's very little I think the GATEWAY machine may be able to do the job with no problems, I hope. The reason I am writing this is I just realized THIS set-up I now have may be what I needed all along, because the only machine that needs to touch the INTERNET is the gateway, so no need to NAT and fight with PPPoE for a while. All of that will fall into place as I learn how to build jails under FreeBSD running Apache and such. This may send me back to NAT, but only internally, so I know I am not out of the woods just yet and I don't plan to give up completely for this easy way out. Just wanted you to know and to send out a big ... Thank You pf-2

PS: And thanks for answering that list of questions so clearly.

Some things I just don't get, no matter how many times I read that single founded line. I need the full translation to street English. These questions have been with me like forever. The kind that get overlooked in the heat of discussion. We all read an answer like "why hide, let's share". Now it's 5, 10 or even 20 years later when you finally get an answer. I'm a living witness to that fact. 1995: Dollar Bill, how do you divide a zero? ... 2001: A byte has 8 bits, a zero is a byte. Be back to post solutions soon.

Last edited by sharris; 5th July 2010 at 07:36 AM.
I hate to bring this up again, but I'm still working with the same stuff above and having no success with the firewall turned on or not. I notice every example I see on the INTERNET has two numbers in its resolv.conf, but I have only had one since the day I started. I even did a dd zero of the disk and a new install of FreeBSD 8.0, and I still only get one entry. Does anyone have any idea what this is all about or what I should do about it? I'm thinking of calling tech support, but they seem to only talk Windows. I also notice the DNS numbers are not the same. I found this, but I don't know what I can do with it to have a normal resolv.conf like everybody else.

192.168.1.254 - Router and Modem Default IP Address
http://compnetworking.about.com/od/w...68-1-254-d.htm
68.94.156.1 - ip-adress.com/whois
http://www.ip-adress.com/whois/68.94.156.1

Internet Connection Details
Connection Type: PPPoE
Username: me@sbcglobal.net
Internet Address: xx.xxx.xxx.xxx
Subnet Mask: 255.255.255.255
Default Gateway: xx.xxx.xxx.xxx
Primary Domain Name Server: 68.94.156.1
Secondary Domain Name Server: 68.94.157.1
....
Configuration Server Post: Successful

My resolv.conf is:
search gateway.2wire.net
nameserver 192.168.1.254

The rest of the world gets something like:
search gateway.2wire.net
nameserver 1.2.3.4
nameserver 1.2.4.4

PS: Would a PPP for PPPoE configuration setup solve the problem? I think I need a service_tag number... I've been trying.

Last edited by sharris; 6th July 2010 at 09:32 AM.
It could be that your ISP is only providing one DNS server.
Not uncommon. You don't have to stick with using your ISP's DNS server either; there are a few alternatives that you can use.
http://code.google.com/speed/public-dns/
BSDfan666, thanks for the link. I learned a lot there, and it all came down to what ocicat said: "It could be that your ISP is only providing one DNS server." What the ... so the standards have changed on this noob's clock and they did not tell FreeBSD.

Anyway, after failing to configure PPPoE (don't know why I ended up there), I finally went back to the OpenBSD and FreeBSD pf documentation with BSDfan666's find in mind, and after testing everything possible with a smaller rule set I came to find I was using all the wrong numbers. I thought it was my syntax.

Internet Connection Details
Code:
Connection Type: PPPoE
Username: me@sbcglobal.net
Internet Address: xx.xxx.xxx.xxx          : not for me but the freaking ISP IP address
Subnet Mask: 255.255.255.255
Default Gateway: xx.xxx.xxx.xxx           : I thought this was the freaking modem/router
Primary Domain Name Server: 68.94.156.1   : the real DNS address
Secondary Domain Name Server: 68.94.157.1 : and its missing DNS

Code:
lease {
  interface "re0";
  fixed-address 192.168.1.xx;             : My freaking real IP address

Code:
search gateway.2wire.net
nameserver 192.168.1.254                  : Now I got three IP addresses + a three DNS combo
.............
.............

Anyway, in the end even all of what I just said is still no excuse, because it was "ONLY" here where I was using all the wrong addresses all along, while blindly changing things elsewhere back-to-back. Thinking I had 3 IPs and 1 DNS did kind of make things confusing and took me from dumber to DUMBER by the day.

Code:
pass in on $_LAN inet proto tcp from any to 10.0.0.1 port 8880 keep state
pass out on $_WAN inet proto tcp from any to any port www keep state
pass out on $_LAN inet proto tcp from any to 192.168.1.35 port 3389 keep state

Thanks for everything guys... I learned so much about DHCP, DNS, PPPoE and much more that I bet it could land me a job with the TIA or ISO without a degree. I'm going to love pf. I never understood BSD so well until now. It won't take me a lifetime now just to get it. Where is the SOLVED button? Or please mark this as SOLVED. Thanks again.
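As an added example (not code from the thread or from any of the posters), the subnet arithmetic ocicat explains above for 10.0.0.0 with no explicit mask (network address, netmask, broadcast address, and why the all-zeros and all-ones host addresses are not assignable) is carried out by hand on 32-bit integers, and the same helpers are then used to check the literal addresses in the three pf rules from this post against the subnet each interface macro is supposed to cover. The thread never states what $_LAN and $_WAN are; the mapping of $_LAN to 192.168.1.0/24 and $_WAN to 0.0.0.0/0 is an assumption made only to show the check, and the rule text is a constructed copy of the rules above.

```python
"""Added example, not from the thread: IPv4 subnet arithmetic done by hand,
plus a check that addresses named in pf rules belong to the subnet the
interface macro in the rule is assumed to represent.  Runs offline on
constructed input."""
import re
import socket
import struct


def ip_to_int(addr):
    """Dotted quad -> 32-bit int (strict: exactly four decimal octets)."""
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", addr):
        raise ValueError("not a dotted quad: %r" % addr)
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(n):
    """32-bit int -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def classful_prefix(addr):
    """Prefix length implied by the first octet when no mask is given
    (the /8 that 10.0.0.0 implies in ocicat's post)."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address has no classful mask")


def describe(cidr):
    """Network, netmask, broadcast and usable host count for 'a.b.c.d[/n]'."""
    if "/" in cidr:
        addr, prefix = cidr.split("/", 1)
        prefix = int(prefix)
    else:
        addr, prefix = cidr, classful_prefix(cidr)
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix %d" % prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # network bits set
    net = ip_to_int(addr) & mask                         # host bits cleared
    bcast = net | (~mask & 0xFFFFFFFF)                   # host bits all ones
    size = 1 << (32 - prefix)
    # /31 (RFC 3021) and /32 reserve nothing: a /32 is what the PPPoE side
    # in this thread reports as its subnet mask.
    usable = size if prefix >= 31 else size - 2
    return {"network": int_to_ip(net), "netmask": int_to_ip(mask),
            "broadcast": int_to_ip(bcast), "prefix": prefix,
            "usable_hosts": usable}


def check_host(addr, cidr):
    """Say whether addr is an assignable host address inside cidr."""
    d = describe(cidr)
    a = ip_to_int(addr)
    mask = ip_to_int(d["netmask"])
    if (a & mask) != ip_to_int(d["network"]):
        return "not in subnet"
    if d["prefix"] <= 30:
        if addr == d["network"]:
            return "network address"
        if addr == d["broadcast"]:
            return "broadcast address"
    return "ok"


# Constructed copy of the three rules from the post.  The interface-to-subnet
# mapping is an assumption for the demonstration; the thread never states it.
RULES = """\
pass in on $_LAN inet proto tcp from any to 10.0.0.1 port 8880 keep state
pass out on $_WAN inet proto tcp from any to any port www keep state
pass out on $_LAN inet proto tcp from any to 192.168.1.35 port 3389
"""
IFACE_SUBNET = {"$_LAN": "192.168.1.0/24", "$_WAN": "0.0.0.0/0"}  # assumed


def audit_rules(rules, iface_subnet):
    """For each rule bound to a known interface macro, check every literal
    IPv4 address in it.  Returns a list of (rule_number, address, verdict)."""
    out = []
    for lineno, line in enumerate(rules.splitlines(), 1):
        m = re.search(r"\bon\s+(\$\w+)", line)
        if not m or m.group(1) not in iface_subnet:
            continue
        for addr in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line):
            out.append((lineno, addr, check_host(addr, iface_subnet[m.group(1)])))
    return out


if __name__ == "__main__":
    print(describe("10.0.0.0"))
    for finding in audit_rules(RULES, IFACE_SUBNET):
        print("rule %d: %s -> %s" % finding)
```

Under the assumed mapping the audit flags 10.0.0.1 on $_LAN as outside 192.168.1.0/24 and accepts 192.168.1.35; substitute the real subnets from ifconfig output before drawing any conclusion about an actual ruleset.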
... but then again, I may need to come back if I get trapped sorting out these rules. I still want to use the one by Hermelito already posted. I might have a time sorting things out and understanding every detail. I'd rather have it all in one place for future reference.
http://www.unixguide.net/freebsd/fbsd_installguide80/
# 1
http://rlworkman.net/howtos/OpenBSD_pf_guide.html
I've been trying to find this again for a week. I glanced through it months ago.

Last edited by sharris; 8th July 2010 at 12:39 PM.
Look at the copyright date. This document is four years old. It certainly is outdated especially when it comes to OpenBSD & most likely FreeBSD 8.0 as well.
Your questions are becoming more & more FreeBSD-centric. This is fine, & it is the consequence of moving forward, but you need to be posting in the FreeBSD sections. Many regulars do not read outside of the sections in which they have familiarity, & at this point, you need to be seeking the advice of those familiar with the terrain.
ocicat, I intend to. I was just hiding down here at BOOT-CAMP to learn something I always wanted to know about: pf. The members here are educated, and some are self-made OS professionals. Network operating systems are more serious than I thought, and very time consuming. I had to make sure I was really ready to take the dive. I realize there is no better way to understand UNIX* than to know low-level firewalling, packet filtering. To know it is to know the Whole Wide WEB.

It won't be long before I hit the FreeBSD General and Security forums to talk emulators, jails and such. I can't go up there acting silly, not knowing anything, like I did down here. I'm the kind of person who does well reading half of a book, but with UNIX it's a different ball game. It's like you said, in a very nice way, a few times; it sounded to me like you said "read them", so I did, as deep as I could. When I go upstairs, I'll know more about my own topic before posting a question about it. This PF thing was from the ground up. I really knew nothing, nada, zip but a dream of seeing 2 computers talk to each other. Now I even know "ALL" (well, nearly) it does from the second you click the switch.