DaemonForums > General software and network

#1, 28th June 2010, sharris (Package Pilot; Join Date: Jun 2010; Posts: 146)

My first Gateway and LAN having issues

Hello BSD people,

For the past few weeks this has been my first attempt at actually hooking computers together in any kind of fashion. I read a lot of examples, and no matter what I tried my set-up would not work completely. This is the best I have come up with so far ...

From my internal Windows LAN machine I can ping the Gateway but I CANNOT ping any website by name or number (ping yahoo.com or 67.195.145.137). I also cannot surf the INTERNET using any web-browser: IE, Opera or Firefox.

On the GATEWAY machine I can ping to the outside by name or number but I CANNOT ping my own internal Windows LAN machine.

At one point I could not even ping a website by name because of my packet filter rules (I know nothing, just using something I found), so I disconnected pf by way of rc.conf to see how far I could get. As you see, I have been stopped again and I have run out of ideas for trial and error by adding or disconnecting stuff. It's like the only thing left to do is pull the plug and call it quits.

Kind of long, but here's all the info I could find. If there are more related files I would really like to know where FreeBSD puts them so I can add them to this list.

Could someone please tell me what I'm doing wrong or what I forgot to do? Networking is not as hard as I once thought, but I am shocked that after all of these days of reading and what-not, I'm stuck.

Thanks in advance


From the Gateway machine, numeric IP addresses will ping but named addresses will not.

Code:
bash-4.1# ping -c 4 yahoo.com
ping: cannot resolve yahoo.com: Host name lookup failure


bash-4.1# ping -c 4 67.195.145.137
PING 67.195.145.137 (67.195.145.137): 56 data bytes
64 bytes from 67.195.145.137: icmp_seq=0 ttl=57 time=94.823 ms
64 bytes from 67.195.145.137: icmp_seq=1 ttl=57 time=93.725 ms
64 bytes from 67.195.145.137: icmp_seq=2 ttl=57 time=91.254 ms
64 bytes from 67.195.145.137: icmp_seq=3 ttl=57 time=85.232 ms

--- 67.195.145.137 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 85.232/91.258/94.823/3.712 ms
bash-4.1#

/etc/rc.conf (NOTE: I tried pf commented-out or not and it still can't ping by name)
Code:
ifconfig_re0="DHCP"
ifconfig_re1="inet 10.0.10.2 netmask 255.255.255.248"
gateway_enable="YES"

##  pf_enable="YES"
##  pf_rules="/etc/pf.conf"
##  pf_flags=""

##  pflog_enable="YES"
##  pflog_logfile="/var/log/pflog"
##  pflog_flags=""

natd_enable="YES"
natd_interface="re0"
natd_flags="-dynamic"

/etc/hosts
Code:
::1             localhost       localhost.my.domain
127.0.0.1       localhost       Computer-0.jj.my.com

/etc/host.conf
Code:
# Auto-generated from nsswitch.conf
hosts
dns

/etc/resolv.conf
Code:
search gateway.2wire.net
nameserver 192.168.1.254

/var/db/dhclient.leases.re0
Code:
lease {
  interface "re0";
  fixed-address 192.168.1.35;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.254;
  option domain-name "gateway.2wire.net";
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 192.168.1.254;
  option dhcp-renewal-time 43200;
  option dhcp-rebinding-time 75600;
  renew 1 2010/6/28 03:54:24;
  rebind 1 2010/6/28 12:54:24;
  expire 1 2010/6/28 15:54:24;
}
lease {
  interface "re0";
  fixed-address 192.168.1.35;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.254;
  option domain-name "gateway.2wire.net";
  option dhcp-lease-time 86400;
  option dhcp-message-type 5;
  option dhcp-server-identifier 192.168.1.254;
  option dhcp-renewal-time 43200;
  option dhcp-rebinding-time 75600;
  renew 1 2010/6/28 04:22:52;
  rebind 1 2010/6/28 13:22:52;
  expire 1 2010/6/28 16:22:52;
}

Here is what's in my re-built kernel, so I guess pf is running.
Code:
device    pf
device    pflog
device    pfsync

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build
Here is the ifconfig information. Both ethernet cards are active, but pf is commented-out in rc.conf; commented-out or not, I still can't ping by name.

Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:14:d1:1a:22:35
        inet 192.168.1.35 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:14:d1:1b:19:62
        inet 10.0.10.2 netmask 0xfffffff8 broadcast 10.0.10.7
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=0<> metric 0 mtu 33200
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128

From the Windows LAN machine I can ping the Gateway, but I cannot surf the INTERNET with any web-browser I tried to use.
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ping 10.0.10.2

Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time=7ms TTL=64
Reply from 10.0.10.2: bytes=32 time=2ms TTL=64
Reply from 10.0.10.2: bytes=32 time=2ms TTL=64
Reply from 10.0.10.2: bytes=32 time=2ms TTL=64

Ping statistics for 10.0.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 7ms, Average = 3ms

C:\WINDOWS\system32>


WINDOWS TCP/IP PROPERTIES
Code:
IP address:             10.0.10.3

Subnet mask:            255.255.255.248

Default gateway:        10.0.10.2

Computer Name:          Computer-1
When I click IE-7 on the LAN machine to go to www.google it fails. So I set the Sygate firewall on the Windows machine to Allow-All and it still fails. This is what I get from Sygate. Luckily I have it installed, or I would see no info.

Code:
126310  10.0.10.7  137  10.0.10.3  137  Outgoing  allowed    ntoskrnl.exe       
126311  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed    ndisuio.sys        
126312  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed               
126313  10.0.10.7  137  10.0.10.3  137  Outgoing  Allowed    ntoskrnl.exe       
126314  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed    ndisuio.sys        
126315  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed               
126316  10.0.10.7  137  10.0.10.3  137  Outgoing  Allowed    ntoskrnl.exe
126317  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed    ndisuio.sys        
126318  10.0.10.3  137  10.0.10.7  137  Incoming  Allowed

Here is the ipconfig information from the Windows LAN machine.

Code:
C:\WINDOWS\system32>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.10.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 10.0.10.2

C:\WINDOWS\system32>
Here is the netstat -an information from the Windows LAN machine.

Code:
C:\WINDOWS\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.10.3:139          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    10.0.10.3:123          *:*
  UDP    10.0.10.3:137          *:*
  UDP    10.0.10.3:138          *:*
  UDP    10.0.10.3:1900         *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*

C:\WINDOWS\system32>
... and I bet I missed the main thing needed. If so, let me know.

#2, 28th June 2010, sharris (Package Pilot)

checklist

I just pin-pointed for sure that the GATEWAY cannot ping the WWW by name when pf_enable="YES" (and nothing else pf).

Also, I re-installed Windows XP, uninstalled the firewall, did Windows update and such. I updated the TCP/IP settings to the same as listed above. I plugged into the Netgear switch and, to my surprise, the Gateway can now ping the client. But the client situation has not changed. The client can ping the Gateway but not the WWW. I'm beginning to believe this is normal. I am really new at this. Hands-on is different from reading a pack of documentation and different ideas all over the INTERNET, and never remembering much because you never had the chance to try, and when you do, half the stuff doesn't work for your setup or machine anyway.

Now I think it's the pf rules that are holding me back. I found these examples on the net and like them so much because they have lots of stuff to learn from.

I need some experienced people to comment out or add what is needed for my small LAN, which consists of one FreeBSD gateway, one XP machine for surfing the INTERNET, one FreeBSD/Arch-Linux machine for building routers and firewalls and such (more on the learning side), and maybe one more machine running a webserver for practice.

Here is the rule set.
May I ask that I would like it Stealth ready, but not Stealth enabled. The first half is different, but I saved it to be included within the bottom half if possible. Could some of you guys make changes and post a few comments on why they should be used? If it ends with only 3 rules that work, I'll still be happy. I saved more than a dozen pf examples but I never knew what to do with them. It has been hard enough just learning FreeBSD and Arch-Linux command-line mode. I have been working at it all day and night and I don't have it correct yet. How do you guys do it?

Thanks again

Hope someone who knows how comes to read all of this. It's kind of lonely down here in the networking department. I may have to change my career plans.



Code:
###   Stealthed Example:

###   ext_if  = "fxp0"
###   int_if  = "dc0"
###   lan_net = "192.168.0.0/24"

 # Code:  blocking ICMP completely stealthed to attackers
 # ICMP 
 # pass out/in certain ICMP queries and keep state (ping) 
 # state matching is done on host addresses and ICMP id (not type/code), 
 # so replies (like 0/0 for 8/0) will match queries 
 # ICMP error messages (which always refer to a TCP/UDP packet) are 
 # handled by the TCP/UDP states 
#####  pass out on $ext inet proto icmp all icmp-type echoreq code 0 keep state 
#####  pass in on $ext inet proto icmp all icmp-type echoreq code 0 keep state 
 
# UDP 
 # pass out all UDP connections and keep state 
#######  pass out on $ext proto udp all keep state 
 
# pass in certain UDP connections and keep state (DNS) 
 ##pass in on $ext proto udp from any to any port $udp_in keep state 
 
# TCP 
 # pass out all TCP connections and modulate state 
#######   pass out on $ext proto tcp all modulate state


## Or

#######  block in all
#######  block return-icmp in on $ext_if from any to $ext_ad port auth quick
#######  pass in on $ext_if from any to $ext_ad port smtp quick
Code:
################################################################ 
# define defaults and macros
################################################################# 

oif = "re0"           # macro name for the NIC facing the public internet

lif = "re1"           # for NIC facing Local area network if you have one

dns1 = "{69.22.11.5, 69.22.11.6.}" # my ISP's Domain name server IP address
dhcp = "69.22.11.7"                # my ISP's DHCP server IP address

ob_state = "flags S/SA modulate state"     # outbound

ib_state = "flags S/SA synproxy state"     # inbound

################################################################# 
# define run time global defaults
################################################################# 

set block-policy drop       # Sets the default block behavior to
                            # packet is silently dropped

set state-policy if-bound   # states are bound to the interface 
                            # they're created on

set loginterface $oif       # gather statistics on this interface

scrub out on $oif all random-id 
scrub reassemble tcp 

################################################################# 
# define Nat if you have LAN
################################################################# 

#nat on $oif from $lif to any -> ($oif)

#nat on $oif from 10.0.10.0/29 to any -> ($oif)

#pass quick on $lif all         # No restrictions on LAN Interface

pass quick on lo0 all           # No restrictions on Loopback Interface

#######################################################################
# Interface facing Public Internet (Outbound Section) 
# Interrogate session start requests originating from behind the 
# firewall on the private network 
# or from this gateway server destined for the public Internet.
#######################################################################

# Allow out access to my ISP's Domain name server.
# $dsn1 must be the IP address of your ISP s DNS.
# Get the IP addresses from /etc/resolv.conf file
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dns1 port 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for  user ppp  type connection to the 
# public Internet, so you can delete this whole group.
pass out quick on $oif proto udp from any to $dhcp port 67 keep state

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from any to any port 80 $ob_state

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from any to any port 443 $ob_state

# Allow out send $ get email function
# pass out quick on $oif proto tcp from any to any port 110 $ob_state
# pass out quick on $oif proto tcp from any to any port 25 $ob_state

# Allow out Time
# pass out quick on $oif proto tcp from any to any port 37 $ob_state

# Allow out nntp news
# pass out quick on $oif proto tcp from any to any port 119 $ob_state


# Allow out secure FTP, Telnet, and SCP 
# This function is using SSH (secure shell)
pass out quick on $oif proto tcp from any to any port 22 $ob_state

# Allow out non-secure Telnet (ID/PW passed as clear text)
pass out quick on $oif proto tcp from any to any port 23 $ob_state

# Allow out FBSD CVSUP function 
pass out quick on $oif proto tcp from any to any port 5999 $ob_state

# Allow out ping to public Internet
pass out quick on $oif inet proto icmp from any to any icmp-type 8 keep state

# Allow out whois PC to public Internet
pass out quick on $oif proto tcp from any to any port 43 $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP in responce to remote FTP client
pass out quick on $oif proto tcp from any port 20 to any $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP for gateway & LAN users 
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
# pass out quick on $oif proto tcp from any to any port 21 $ob_state

# Block and log everything that s trying to get out.
# This rule enforces the block all by default logic. 
block out log quick on $oif all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on $oif from 192.168.0.0/16 to any  #RFC 1918 private IP
block in quick on $oif from 172.16.0.0/12 to any   #RFC 1918 private IP
block in quick on $oif from 10.0.0.0/8 to any      #RFC 1918 private IP

block in quick on $oif from 127.0.0.0/8 to any     #loopback
block in quick on $oif from 0.0.0.0/8 to any       #loopback

block in quick on $oif from 169.254.0.0/16 to any  #DHCP auto-config
block in quick on $oif from 192.0.2.0/24 to any    #reserved for doc's

block in quick on $oif from 204.152.64.0/23 to any #Sun cluster connect

block in quick on $oif from 224.0.0.0/3 to any     #Class D $ E multicast


# Block public pings 
block in quick on $oif inet proto icmp all icmp-type 8

# Block ident 
block in quick on $oif proto tcp from any to any port 113

# Block all Netbios service. 137=name, 138=datagram, 139=session 
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log quick on $oif proto tcp from any to any port 137
block in log quick on $oif proto udp from any to any port 137
block in log quick on $oif proto tcp from any to any port 138
block in log quick on $oif proto udp from any to any port 138
block in log quick on $oif proto tcp from any to any port 139
block in log quick on $oif proto udp from any to any port 139
block in log quick on $oif proto tcp from any to any port 81
block in log quick on $oif proto udp from any to any port 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only 
# authorized source to send this packet type. Only necessary for 
# cable or DSL configurations. This rule is not needed for
# user ppp  type connection to the public Internet.
# This is the same IP address you 
# used in the outbound section.
pass in quick on $oif proto udp from $dhcp to any port 68 keep state

# Allow in standard www function because I have apache server
pass in quick on $oif proto tcp from any to any port 80 $ib_state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on $oif proto tcp from any to any port 22 $ib_state

# Allow in non-secure Telnet session from public Internet labeled
# non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample rule if you do not have telnet server enabled.
#pass in quick on $oif proto tcp from any to any port 23 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# active FTP from remote client
pass in quick on $oif proto tcp from any to any port 21 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# responce to active FTP for gateway & LAN users
pass in quick on $oif proto tcp from any port 20 to any $ib_state   # was "on dc0", an interface from the other example; $oif is this rule set's external NIC

# Block and log all remaining traffic coming into the firewall.
# This rule enforces the block all by default logic.
block in log quick on $oif all
################### End of rules file ##############################
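An added example, not the poster's code nor from any project named in this thread, that reads constructed rc.conf, resolv.conf and pf.conf excerpts modelled on the rc.conf in post #1 and the NAT and DNS sections of the rule set above, and reports why a LAN client that can ping the gateway still gets no Internet: natd_enable without firewall_enable (ipfw) diverts nothing to natd, the pf nat rules are commented out, and the pf dns1 macro does not include the 192.168.1.254 resolver the gateway actually uses. The function names and the dns1 value without the stray trailing dot are assumptions made for the example.

```python
import re

# Constructed sample files modelled on the rc.conf, resolv.conf and pf rule set
# pasted in this thread (sample input, not the poster's files verbatim).
RC_CONF_AS_POSTED = """\
ifconfig_re0="DHCP"
ifconfig_re1="inet 10.0.10.2 netmask 255.255.255.248"
gateway_enable="YES"
##  pf_enable="YES"
##  pf_rules="/etc/pf.conf"
natd_enable="YES"
natd_interface="re0"
natd_flags="-dynamic"
"""

PF_CONF_AS_POSTED = """\
oif = "re0"
lif = "re1"
dns1 = "{69.22.11.5, 69.22.11.6}"
set block-policy drop
#nat on $oif from $lif to any -> ($oif)
pass quick on lo0 all
pass out quick on $oif proto udp from any to $dns1 port 53 keep state
block out log quick on $oif all
"""

RESOLV_CONF = """\
search gateway.2wire.net
nameserver 192.168.1.254
"""


def parse_rc_conf(text):
    """Return {knob: value} for every uncommented knob="value" line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def enabled(conf, knob):
    """rc.conf knobs are on only when set to YES (case-insensitive)."""
    return conf.get(knob, "NO").strip().upper() == "YES"


def pf_nat_rules(text):
    """Active 'nat on ...' rules; commented-out ones start with '#' and are skipped."""
    return [l.strip() for l in text.splitlines() if re.match(r"^nat\s+on\b", l.strip())]


def pf_macro(text, name):
    """Values of a pf macro like  dns1 = "{a, b}"  or  dns1 = "a"  as a list."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(name), text, re.M)
    return [v.strip() for v in m.group(1).strip("{}").split(",") if v.strip()] if m else []


def resolv_nameservers(text):
    """nameserver entries the resolver actually uses."""
    return [l.split()[1] for l in text.splitlines()
            if l.startswith("nameserver") and len(l.split()) > 1]


def check_gateway(rc_text, pf_text, resolv_text):
    """Explain why LAN clients may reach the gateway but not the Internet.
    Returns a list of findings; empty means forwarding, NAT and the gateway's
    own DNS path look consistent."""
    rc = parse_rc_conf(rc_text)
    findings = []
    if not enabled(rc, "gateway_enable"):
        findings.append("gateway_enable is not YES: kernel will not forward between re0 and re1")
    nat_paths = 0
    if enabled(rc, "natd_enable"):
        # natd(8) only sees packets that an ipfw 'divert' rule hands to it, so
        # natd_enable without firewall_enable (ipfw) translates nothing at all.
        if enabled(rc, "firewall_enable"):
            nat_paths += 1
        else:
            findings.append("natd_enable=YES but firewall_enable is not YES: natd never "
                            "receives packets (it needs an ipfw divert rule)")
    if enabled(rc, "pf_enable"):
        if pf_nat_rules(pf_text):
            nat_paths += 1
        else:
            findings.append("pf_enable=YES but every 'nat on' rule is commented out: "
                            "LAN packets leave re0 with their private 10.0.10.x source")
        # The outbound DNS rule only matches addresses in $dns1; with
        # 'block out ... all' as the last rule, any other resolver is dropped.
        allowed = pf_macro(pf_text, "dns1")
        for ns in resolv_nameservers(resolv_text):
            if ns not in allowed:
                findings.append("resolv.conf nameserver %s is not in the dns1 macro %s: "
                                "the gateway's own lookups are blocked" % (ns, allowed))
    if nat_paths == 0:
        findings.append("no active NAT path: Internet replies cannot reach 10.0.10.0/29")
    elif nat_paths > 1:
        findings.append("both natd/ipfw and pf nat are active: keep only one")
    return findings
```

Running check_gateway on the three samples as posted reports the natd/ipfw mismatch and the missing NAT path; enabling pf, uncommenting the nat rule and setting dns1 to the resolv.conf address clears every finding.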
#3, 28th June 2010, sharris (Package Pilot)

Here it says "$dsn1 must be the IP address of your ISP s DNS.". I looked at my DSL Broadband Link, "DSL Connection Details", and there are in fact two Domain Name Servers, Primary and Secondary, but below, these numbers in the same positions don't seem to work for me. This may not be a typo and is meant as the author says, but I have a feeling it could have been written for his static address and not dynamic addressing. Just another guess for now, so here is what I did...

I just replaced it with "my" IP address from the resolv.conf, like this: dns1 = "192.168.1.254", and now I can ping from the Gateway by name and number with this full rule set included, where before I had to comment out pf rules. So the code seems kind of backward... I'm not sure, but at least I am making some progress. Here's the link I got the tip from. It makes all of this seem so easy, but I still have other issues.

http://www.slackbook.org/html/networ...ion-tcpip.html

I'll try to re-find the link I cut-and-pasted these pf rules from. I have too many HOT web-pages saved on my hard drive.
Code:
dns1 = "{69.22.11.5, 69.22.11.6.}" # my ISP's Domain name server IP address

dhcp = "69.22.11.7"                # my ISP's DHCP server IP address
The first line is used for:
Code:
# Allow out access to my ISP's Domain name server.
# $dsn1 must be the IP address of your ISP s DNS.
# Get the IP addresses from /etc/resolv.conf file
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dns1 port 53 keep state

Last edited by sharris; 28th June 2010 at 09:08 PM.
#4, 29th June 2010, ocicat (Administrator; Join Date: Apr 2008; Posts: 3,318)

Quote (Originally Posted by sharris):
At one point I could not even ping a website by name because of my packet filter rules (I know nothing, just using something I found) so I disconnected...


I hope you recognize that the probability for success attainable with such a methodology is quite low.

As for sources of information on pf(4), Hansteen's manuscript is one of the better free introductions on the subject:

http://home.nuug.no/~peter/pf/

When it comes to home networking, & especially for those that are doing it the first time with no prior experience, the best rule is to start simple. Given that you are going to have multiple machines connected to the Internet through a common gateway, understand pf(4) first. No points are awarded for blind guessing.

Once you are comfortable with setting up NAT on the external gateway, connect one machine to it. At this point, do all ping tests by IP address. If all internal machines are being assigned fixed IP addresses, pinging between all machines will only work if you have the subnetting correct. Don't bother with pinging by names until all machines can interact with each other at the IP address (Layer 3) level.

Once you can get two machines to talk to each other by IP address, add a third. Once all three can communicate as expected, add a fourth, etc. As more machines are added to the internal network, the higher the probability that subnetting problems may arise. Understand the subject well.

Your posts mention problems with accesses by name. This is the last problem you should correct. It is unclear from your posts if you have your own DNS server for your internal network, or whether you are under the incorrect impression that your ISP's DNS server will allow you to communicate on your internal network by name with the same nameserver. Recognize that name resolution can also be done at the hosts(5) file level so you don't have to dedicate a machine to act as a DNS server. Also recognize that name resolution is not a requirement. If only a handful of machines are being connected together, you should be able to remember their IP addresses. Yes, it may not be as easy, but ensure that the network works before layering on name resolution.

Again, start simple. Don't try to introduce name resolution until you are perfectly clear that all nodes in the network can talk to each other by their IP address only.

Networking is deceptively simple given that (most likely) Category 5 cables are simply being plugged into RJ45 connectors on network cards/hubs/switches. One does need a basic understanding of the following:
  • cabling -- straight versus cross-over.
  • subnetting.
  • NAT.
Putting it together requires being methodical in a very disciplined approach, & building in very small incremental steps.
#5, 30th June 2010, sharris (Package Pilot)

Hello ocicat,

Quote:
I hope you recognize that the probability for success attainable with such a methodology is quite low.
I see your point. For me, I learn better by examples. Windows Programming sample code is one size fits all: compile and run it, then make it smaller and faster once you understand how it works. But Networking code is another story. Different rules for different things, and many things are still experimental/growing. So I can't just expect anything to run unless it's customized for a particular networking environment. That was really silly of me to think any different, but I am so excited about Networking and FreeBSD that I even post every possible file before anyone asks "post your ...".

Quote:
As for sources of information on pf(4), Hansteen's manuscript is one of the better free introductions on the subject:
I am a little slow by nature, but I did try to read quite a few packet filtering tutorials and examples found on the INTERNET, but all I understood was bits and pieces, and I thought I would stumble on the magic bullet, but for the first time I did not. This is one excellent tutorial and it had the magic bullet I have been looking for.

... with here, what you really want to use is probably a rule which says
pass inet proto tcp from ep1:network to any port $ports keep state
to let your local net access the Internet and leave the detective work to the antispoof and scrub code.

I wouldn't have thought scrub code had anything to do with this, even if I had known what scrub code does.

Thank you very much for the keys to it all, ocicat, including your post, which is as great to me as Hansteen's manuscript itself... I will not be back until I get most of this in my head and some. It may take me days ...

Thanks again ocicat
#6, 30th June 2010, ocicat (Administrator)

Quote (Originally Posted by sharris):
This is one excellent tutorial and it had the magic bullet I have been looking for.
Recognize that the version of pf(4) found on FreeBSD is usually a generation or two older than what is available on OpenBSD. Hansteen acknowledges this, but other less informative Internet sources don't. pf(4) is not the same across the *BSD family.

Development on pf(4) is aggressive on OpenBSD. pf(4) has undergone a number of syntax changes during recent OpenBSD versions. I expect this trend to continue indefinitely.

The Book of PF is based on Hansteen's manuscript, however the book is a few years old now as a second edition will be published tentatively in August 2010. Because of this, I would not recommend the first edition. Otherwise, the first edition was one of the better sources of pf(4) information.

If you have other questions about networking, it will help if you post a diagram of your network including interface names & IP addresses. This will help clarify topology & subnetting correctness.
#7, 2nd July 2010, sharris (Package Pilot)

I have been reading all of what you suggested. The problem is each document links you to 5-10 others. I can't help it, so I click to review them, and before you know it I'm reading forum threads all over the world while never completing the first document. I did pick up a few details in their entirety and many bits and pieces from everywhere that are locked in my head and will be there when needed, but nothing that I tried gave my Windows LAN machine Internet access. It's overwhelming testing working and non-working examples, piecing stuff together and not having a clue if it's what you really need or not. Then you learn FreeBSD is not OpenBSD and all code doesn't work the same. I even believe FreeBSD 8.0 is either using an older version of PF or missing needed scripts. I found the clue and I don't have a lifetime to try to prove it. I did save the thread, I think.

And also, something keeps killing my moused function. You can't pin-point anything when you're in the heat of studying something else. I hit some kind of <pfctl> with a flag, then later noticed my mouse is gone. I'll post the cause when I catch it. That was a major detour; now I have to do a search for WHY while the machine reboots. Nothing on the net. I bet no one even knows it exists but me or a few non-xWindows people learning pf the hard way. Whatever the case, something is not right and I don't think it's personal. My next step is to switch the rc.conf lines around and put moused at the bottom and see what happens, if I can ever get to it.

I am only a member of very few forums and I like to keep it that way so I don't get confused with tons of logins and passwords just because I have another question I just thought of by reading their threads. So I'll break so I can work on my Network Diagram. I don't think it's perfect and it may be missing a thing or two, but it should present a fairly clear picture of what I'm trying to do. Don't know if this entire thread has too much information, so here are my final questions.
And yes, I'm worn out, but I had a ball trying and am going back to read more after I post this long note. I think pf is great and I hope they don't break it, or that the FreeBSD kernel gets an overhaul before it's too late.

Question 1)
It doesn't matter right now, but for future knowledge, what detailed information (net-numbers) are we not supposed to post, since this is more about network security?

Here's my topology
one Gateway with pf
one switch
and three systems

I am no good with math. I really want to start with the lowest number if possible, like 10.0.0.0 or 172.16.0.0 for the gateway, so when I plug in each LAN computer I can start with number 1 to match the switch port number, but since I made it this far I have been too afraid to try it. Working in command-line mode is not fast, fun or easy for me yet. This is based on the example I posted way above. I do wonder why it starts with 10.0.10.2 and not 10.0.0.0 or 10.0.10.0.

Question 2)
What is the logic behind that?

Question 3)
Would someone correct my diagram numbers or make it better?

Question 4)
Is there a strong working pf example for this type of LAN set-up?


Code:
-------------                 --------------
     The     |               |  2-Wire DSL  |
  Internet   | < < RJ-11 > > | Network Name | [Access-Point = 00:00:00:xx:xx:xx]
     WWW     |               |   2WIRETTT   | [resolv = 192.168.1.254]
-------------                 --------------
                                   v
                                   v   cat-6 Patch-cables
                                   v
            -----------------------------------------------
           | 192.168.1.35   255.255.255.0    192.168.1.255 |  [re0 = 00:00:e0:xx:xx:xx]
           | Gateway-pf     DHCP             192.168.1.254 |  [machine-0]
           | 10.0.10.2      255.255.255.248  10.0.10.7     |  [re1 = 00:00:e1:xx:xx:xx]
            -----------------------------------------------
                                  v
                                  v cat-5e cross-over cable
                                  v
      ---------------------       v
     | NETGEAR gigabit     |      v
     |  1    2    3   4   5< < <  <
      ---------------------
        v    v    v
        v    v    v
        v    v    v   cat-6 Patch-cables
        v    v    v
        v    v    v
        v    v    ----------------------------------
        v    v  |  ArchLinux-FreeBSD - Developer box |
        v    v    ----------------------------------
        v    v  |  IP Address    10.0.10.5           |  [reX]
        v    v  |  Subnet Mask   255.0.0.0           |  [machine-3]
        v    v  |  Gateway       10.0.10.2           |  [reX = 00:00:a3:xx:xx:xx]
        v    v   -----------------------------------
        v    v
        v    v
        v    v
        v    ---------------------------------
        v  | Jail Web-Server - E-Mail - MySQL |
        v    ---------------------------------
        v  | IP Address    10.0.10.4          |  [reX]
        v  | Subnet Mask   255.0.0.0          |  [machine-2]
        v  | Gateway       10.0.10.2          |  [reX = 00:00:a2:xx:xx:xx]
        v   ---------------------------------
        v
        v
        v
        ----------------------------
      | Windows XP    surf Internet |
        ----------------------------
      | IP Address    10.0.10.3     |  [reX]
      | Subnet Mask   255.0.0.0     |  [machine-1]
      | Gateway       10.0.10.2     |  [reX = 00:00:a1:xx:xx:xx]
        ----------------------------
Old 2nd July 2010
jb_daefo jb_daefo is offline
Spam Deminer
 
Join Date: May 2008
Posts: 303
Default No expert here...

In a search for a configuration for your diagram above (without reading the first few posts again), I did a web search:
....
pfconf pfctl 192.168 "gateway box"
....
On the first page, this link:
www.drones.com/openbsd.html
LOTS...LOTS of information (some maybe outdated). You may wish to compare its setup with what you have done so far.
....
The reason initially for the search was to find a very large and commented pf.conf containing 192.168... I do not know whether the search found one larger than that in the page linked above.
Old 2nd July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

Quote:
No expert here...
It takes an expert to come up with the combination of keywords like you just demonstrated. I thought I was good at it but now I know better ways.

drones.com is the kind of tutor I like. They talk like real people and tell their true experience instead of trying to please one group, the possible big money topic or us. As they teach they cover many other things that sometimes deeply relate to the task at hand that you're interested in ... like this statement that answered the problem of what I noticed all along but still had to accept what the docs or tutor instructions say until I figured out how to ask the question so it doesn't get overlooked in the bunch. Now the bunch has to be answered just to get back to the main question. I even have more questions while reading pf and the rest.

PPPoE
Quote:
Yes, again more stupid special cases for PPPoE. For one thing, your IP address from the outside keeps changing so all the stuff about dsl.rev doesn't apply.
Yes, this one really had me because dsl.rev made me relate the statement to dns1, which did not work, but it did work when I replaced it with the resolv address given. No one told the author that, and how was he to know in the first place when phone and cable companies play against the rules to keep the money flowing? He did not read drones.com, nor did the document writer of pf. How can these authors notice everything that can change at any given time?

This is supposed to use DSL Primary and Secondary DNS... It doesn't work and only your drones.com may be explaining why. WoW!!!
Code:
dns1 = "{69.22.11.5, 69.22.11.6}"  # my ISP's Domain name server IP address
dhcp = "69.22.11.7"                # my ISP's DHCP server IP address
This was my temporary fix that may have been my problem all along, but how am I to know, when now it's running but maybe "not REALLY". I know it sounds crazy, but better it than me ... Thank you jb_daefo .. I did not read it all but those few lines are about to tell me the whole story. Whatever the case, it is somehow related, even if only an increase of imagination of how, why, when and what to do about it. How lucky can one get.

This is backward but it caused something to start working:
Code:
dns1 = "192.168.1.245"  # my resolv
dhcp = "68.xx.158.x"    # 1 number above my Secondary DNS:
Thanks again jb_daefo, you made my day. Making coffee now for a great night of reading.

Last edited by sharris; 2nd July 2010 at 10:40 PM.
Old 3rd July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

I don't want to lose these links, so I'll edit this list so they can all be found in one place. Some things are just too good to be missed. Also, here is where I found the posted pf sample and where I got interested in pf:

http://www.unixguide.net/freebsd/fbsd_installguide80/

.......
.......
http://home.nuug.no/~peter/pf/

http://home.nuug.no/~peter/pf/en/long-firewall.html

http://www.drones.com/openbsd.html

http://www.google.com/search?hl=en&s...=Google+Search

.......
.......
http://www.freebsd.org/cgi/man.cgi?q...ts&format=html

http://www.openbsd.org/cgi-bin/man.c...86&format=html

http://en.wikipedia.org/wiki/Private_network

.......
.......
http://www.subnetmask.info/

http://www.subnet-calculator.com/subnet.php?net_class=A
Old 4th July 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by sharris View Post
I even believe FreeBSD 8.0 is either using an older version of PF...
I warned you of this upfront.
Quote:
...what detail-information (net-numbers) are we not supposed to post since this is more about network security?
Public addresses. Posting private RFC1918 addresses should be inconsequential.
Quote:
I do wonder why it starts with 10.0.10.2 and not 10.0.0.0 or 10.0.10.0.
The answer to this question comes from comprehending basic subnetting.

An address of 10.0.0.0 with no explicit subnet mask implies a /8 network with a subnet mask of 255.0.0.0. Given that any IPv4 address represents a network component & host component, 10.0.0.0 has no host bits set. This situation is known as the "subnet address" & should not be assigned to any specific host. Neither should a host be assigned the address where all host bits are set to one -- in this case 10.255.255.255 -- which is used as the broadcast address for the 10.0.0.0/8 subnet.
  • One of the reasons why this isn't allowed comes from the RIP version 1 routing protocol.
  • Other artifactual reasons can be found from studying the early RFCs.
One of the most referred to introductions to IPv4 subnetting is the following:

http://www.apnic.net/__data/assets/p...147/501302.pdf

Note that the formatting of this paper has problems with displaying exponents.

Another good introduction to subnetting is:

http://www.cisco.com/web/about/ac123...addresses.html
Quote:
Is there a strong working pf example for this type of LAN set-up?
"Strong working pf example" is a myth. Again, it appears you are wanting a canned solution which can be dropped into place without thought. If you continue playing in the Open Source world, you will find that doing lots of research & experimentation is the norm. Why? Because at some point, you will want to do something a little different, change something, & things will break. You will be the only one who can pick up the pieces, & doing so will require working knowledge of the fundamentals. By your own admission, you have only put in a week of trying to put together a network. Really understanding the fundamentals will take time. Lots of it, with a great deal of critical pondering.

And by the way, Hansteen discusses the fundamentals of what you need to focus on here in the beginning at the following:

http://home.nuug.no/~peter/pf/en/bas...tml#GWPITFALLS
Quote:
It takes an expert to come up with the combination of keywords...
The undercurrent in this statement is that the subject is too hard. It just takes time, patience, & tenacity. Developing a strong sense of curiosity & patience is required.
Quote:
Then you learn FreeBSD is not OpenBSD and all code doesn't work the same.
This actually is one of your best observations so far. You will need to post in the FreeBSD section asking where FreeBSD-types go for pf(4) information. I can tell you now, that studying what information can be found in the FreeBSD Handbook is a very good start:

http://www.freebsd.org/doc/en_US.ISO...ewalls-pf.html
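A worked subnet check, added here as an example and not taken from the thread or from any of the documents linked in it: it computes the subnet and broadcast addresses described above and applies them to the addresses in the network diagram posted earlier (gateway re1 10.0.10.2 with mask 255.255.255.248, LAN hosts with mask 255.0.0.0), so the mask mismatch between the gateway and the hosts shows up as a finding. The host names and addresses are constructed from that diagram.

```python
import ipaddress

# Values constructed from the network diagram posted earlier in this thread:
# the gateway's LAN side (re1) and the three hosts hanging off the switch.
GATEWAY_LAN_IF = ("10.0.10.2", "255.255.255.248")
LAN_HOSTS = {
    "machine-1": ("10.0.10.3", "255.0.0.0"),
    "machine-2": ("10.0.10.4", "255.0.0.0"),
    "machine-3": ("10.0.10.5", "255.0.0.0"),
}


def describe_subnet(addr, mask):
    """Return (subnet address, broadcast, first usable, last usable, prefix length)
    for an address/mask pair, without enumerating the hosts (a /8 has 16M of them)."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:
        # /31 and /32 have no separate subnet and broadcast addresses
        first, last = net.network_address, net.broadcast_address
    else:
        first = net.network_address + 1
        last = net.broadcast_address - 1
    return (str(net.network_address), str(net.broadcast_address),
            str(first), str(last), net.prefixlen)


def is_assignable(addr, mask):
    """False when the host bits are all zero (subnet address) or all one (broadcast)."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)


def check_lan(gateway_if, hosts):
    """Compare each host's address/mask against the gateway's LAN interface.

    Returns {host name: [problem, ...]}; an empty list means the host is consistent."""
    gw = ipaddress.ip_interface(f"{gateway_if[0]}/{gateway_if[1]}")
    report = {}
    for name, (addr, mask) in hosts.items():
        host = ipaddress.ip_interface(f"{addr}/{mask}")
        problems = []
        if not is_assignable(addr, mask):
            problems.append(f"{addr} is the subnet or broadcast address of {host.network}")
        if host.network.netmask != gw.network.netmask:
            # A host whose mask is wider than the gateway's treats addresses the
            # gateway would route as on-link, so it ARPs for them instead of
            # sending them to the gateway.
            problems.append(f"mask {mask} differs from gateway mask {gateway_if[1]}")
        if host.ip not in gw.network:
            problems.append(f"{addr} is outside the gateway's subnet {gw.network}")
        report[name] = problems
    return report


if __name__ == "__main__":
    print("gateway LAN side:", describe_subnet(*GATEWAY_LAN_IF))
    for name, issues in check_lan(GATEWAY_LAN_IF, LAN_HOSTS).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Giving the three hosts the gateway's mask (255.255.255.248) makes the report come back clean, while an address such as 10.0.10.9 would be flagged as outside 10.0.10.0/29.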
Old 5th July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

Thank you ocicat

Quote:
"Strong working pf example" is a myth. Again, it appears you are wanting a canned solution which can be dropped into place without thought. If you continue playing in the Open Source world, you will find that doing lots of research & experimentation is the norm. Why? Because at some point, you will want to do something a little different, change something, & things will break. You will be the only one who can pick up the pieces, & doing so will require working knowledge of the fundamentals.
I learned more about networking in the past three weeks than I did in my recent 16-week course "CINT_ NETWORK+ Guide to Networks", which was more about the hardware and a little about the fun parts that you don't really remember (how-to gateway, router, pfctl, netstat, etc). I got a feeling this will be the majority of the Cert questions. It's funny that our instructor held back on grading, saying, "take the Cert Exam by May 21 and pass and I will increase your final grade to an A". He had given me a B (87%) but three of my assignments still to this day have never been graded, which I know I had earned an A++ on. Crazy... I read a document that said "students should continue their education and then work in the field for a year or two before even attempting to take a Cert Exam". It must be a money release or recognition thing going on in some colleges these days.

Actually, I went back to school to learn Web Site Development and Database, and now I got this fall semester to reach Web Administration. If it was not for you motivating me to study PF the proper way, I would just be a dummy with a piece of paper, just learning how-to at somebody's networking company. School is good to fire you up, but what I just learned in a week would put a second year Networking professional in a state of shock. Not saying I understand it all, but every night after 18 hours the computer screen text became fuzzy where I can't see it any longer until I sleep, where I read and test even more as I sleep. So yes ocicat, I've been doing my homework and found other ways to skin the cat just in case.

http://blog-rat.blogspot.com/2009/05...ly-vs-nat.html

http://www.solwiseforum.co.uk/showth...-nat-or-bridge

Anyway, I just need a small LAN to sit behind a router where one machine works as a server running Apache, MySQL and PHP and another machine browses the web-pages from the internal server, only. This way I can do cross-browser coding in peace (no possible hacking or strange effects from the outside world causing me confusion). I wanted a dedicated machine to do some cron screen scraping running off of perl code, but since it's very little I think the GATEWAY machine may be able to do the job with no problems, I hope.


The reason I am writing this is I just realized THIS set-up I now have may be what I needed all along, because the only machine that needs to touch the INTERNET is the gateway, so no need to NAT and fight with PPPoE for a while. All of that will fall into place as I learn how to build jails under FreeBSD running Apache and such. This may send me back to NAT, but only internally, so I know I am not out of the woods just yet and I don't plan to give up completely for this easy way out.

Just wanted you to know and to send out a big ...
Thank You

pf-2


PS: And thanks for answering that list of questions so clearly. Some things I just don't get no matter how many times I read that single founded line. I need the full translation to street English. These questions have been with me like forever. The kind that get overlooked in the heat of discussion. We all read an answer like "why hide, let's share". Now it's 5, 10 or even 20 years later when you finally get an answer. I'm a living witness to that fact.

1995: Dollar Bill, how do you divide a zero? ... 2001: A byte has 8 bits, a zero is a byte.


Be back to post solutions soon

Last edited by sharris; 5th July 2010 at 07:36 AM.
Old 6th July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

I hate to bring this up again, but I'm still working with the same stuff above and having no success with the firewall turned on or not. I notice in every example I see on the INTERNET, everyone has two numbers in their resolv.conf, but I only have one since the day I started. I even did a dd zero disk and a new install of FreeBSD 8.0 and I still only get one entry. Does anyone have any idea of what this is all about or what I should do about it? I'm thinking of calling tech-support but they seem to only talk Windows. I also notice the DNS numbers are not the same. I found this but I don't know what I can do with it to have a normal resolv like everybody else.

192.168.1.254 - Router and Modem Default IP Address
http://compnetworking.about.com/od/w...68-1-254-d.htm

68.94.156.1 - ip-adress.com/whois
http://www.ip-adress.com/whois/68.94.156.1


Internet Connection Details
Connection Type: PPPoE
Username: me@sbcglobal.net
Internet Address: xx.xxx.xxx.xxx
Subnet Mask: 255.255.255.255
Default Gateway: xx.xxx.xxx.xxx
Primary Domain Name Server: 68.94.156.1
Secondary Domain Name Server: 68.94.157.1
....
Configuration Server Post: Successful


My resolv.conf is:
search gateway.2wire.net
nameserver 192.168.1.254


The rest of the world get something like:
search gateway.2wire.net
nameserver 1.2.3.4
nameserver 1.2.4.4

PS: Would a PPP for PPPoE configuration setup solve the problem? I think I need a service_tag number... I've been trying.

Last edited by sharris; 6th July 2010 at 09:32 AM.
Old 6th July 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by sharris View Post
I notice every example I see on the INTERNET, everyone has two numbers in their resolv.conf, but I only have one since the day I started.
It could be that your ISP is only providing one DNS server.
Old 6th July 2010
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Not uncommon.. you don't have to stick with using your ISP's DNS server either; there are a few alternatives that you can use.

http://code.google.com/speed/public-dns/
Old 8th July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

BSDfan666, thanks for the link. I learned a lot there and it all came down to what ocicat said: "It could be that your ISP is only providing one DNS server." What the ... so the standards have changed on this noob clock and they did not tell FreeBSD.

Anyway, after failing to configure PPPoE (don't know why I ended up there) I finally went back to the OpenBSD and FreeBSD pf documentation with BSDfan666's find in mind, and after testing everything possible with a smaller rule set I came to find I was using all the wrong numbers. I thought it was my syntax.

Internet Connection Details
Code:
Connection Type: PPPoE
Username: me@sbcglobal.net
Internet Address: xx.xxx.xxx.xxx             : not for me but the freaking ISP IP address
Subnet Mask: 255.255.255.255
Default Gateway: xx.xxx.xxx.xxx              : I thought this was the freaking modem/router
Primary Domain Name Server: 68.94.156.1           : the real DNS address
Secondary Domain Name Server: 68.94.157.1         : and its missing DNS
dhclient.leases.re0
Code:
 lease { interface "re0"; fixed-address 192.168.1.xx; : My freaking real IP address
resolv.conf:
Code:
search gateway.2wire.net
nameserver 192.168.1.254 : Now I got three IP addresses + a three DNS combo
To FreeBSD this is supposed to be your real DNS (not a modem/router combo), but I was also missing the Secondary DNS numbers, which was so misleading. It seems that AT&T made my modem/router the so-called IP address and my DNS also, according to the info BSDfan666 posted. So 192.168.1.254 is the modem/router itself, now called my IP address by AT&T. In reality it is only a POINTER to the information found under your Internet Connection Details. They call it your IP address when they should call it a POINTER to your Internet Connection Details, which contain your IP address and DNS servers. As of this year I believe all new textbooks are out of date before school begins... heehee

.............
.............
Anyway, in the end even all of what I just said is still no excuse because it was "ONLY" here where I was using all the wrong addresses all along, while blindly changing things elsewhere back-to-back. Thinking I had 3 IPs and 1 DNS did kind of make things confusing and took me from dumber to DUMBER by the day
Code:
pass in on $_LAN inet proto tcp from any to 10.0.0.1 port 8880 keep state
pass out on $_WAN inet proto tcp from any to any port www keep state
pass out on $_LAN inet proto tcp from any to 192.168.1.35 port 3389
But now it's working and I can learn how to use it

Thanks for everything guys... I learned so much about DHCP, DNS, PPPoE and much more that I bet it could land me a job with the TIA or ISO without a degree. I'm going to love pf .. I never understood BSD so well until now. It won't take me a lifetime now just to get it.

Where is the SOLVED button? Or please mark this as SOLVED

Thanks again
Old 8th July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

... but then again I may need to come back if I get trapped sorting out these rules. I still want to use the one by Hermelito already posted. I might have a time sorting things out and understanding every detail. I'd rather for it all to be in one place for future reference.

http://www.unixguide.net/freebsd/fbsd_installguide80/
Old 8th July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

# 1

http://rlworkman.net/howtos/OpenBSD_pf_guide.html

I've been trying to find this again for a week.
I glanced through it months ago.

Last edited by sharris; 8th July 2010 at 12:39 PM.
Old 8th July 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by sharris View Post
I've been trying to find this again for a week.
Look at the copyright date. This document is four years old. It certainly is outdated especially when it comes to OpenBSD & most likely FreeBSD 8.0 as well.

Your questions are becoming more & more FreeBSD-centric. This is fine, & it is the consequence of moving forward, but you need to be posting in the FreeBSD sections. Many regulars do not read outside of the sections in which they have familiarity, & at this point, you need to be seeking the advice of those familiar with the terrain.
Old 8th July 2010
sharris sharris is offline
Package Pilot
 
Join Date: Jun 2010
Posts: 146
Default

ocicat, I intend to. I was just hiding down here at BOOT-CAMP to learn something I always wanted to know about, pf. The members here are educated and some are self-made OS professionals. Network operating systems are more serious than I thought and very time consuming. I had to make sure I am really ready to take the dive. I realize there is no better way to understand UNIX* than to know low-level firewalling, Packet Filtering. To know it is to know the Whole Wide WEB.

It won't be long before I hit the FreeBSD General and Security forum to talk emulators, jails and such. I can't go up there acting silly, not knowing anything like I did down here. I'm the kind of person who does well reading half of a book, but with UNIX it's a different ball-game. .. It's like you said, in a very nice way, a few times; it sounds to me like you said "read them" .. so I did, as deep as I could. When I go upstairs, I'll know more about my own topic before posting a question about it. This PF thing was from the ground up. I really knew nothing, nada, zip but a dream of seeing 2 computers talk to each other. Now I even know "ALL" (well nearly) it does from the sec you click the switch.