
2.9 router/firewall woes



Hi all,

Firstly, apologies if some of you are seeing this for the second time;
I posted it to comp.unix.bsd.openbsd.misc but the thread has fizzled
out.

I have a BT business ADSL account. This provides a 4 port ethernet
router with a /29, and currently I have 2 machines hooked directly to
it (using Tiny Personal Firewall for safety's sake).

What I want is my new OpenBSD 2.9 box to be the only machine
directly connected to the ADSL and a second NIC to be connected to my
LinkSys switch. I want to use ipf and NAT so the windoze boxes are sat
in a 10.0.0/8 subnet and can surf etc. from within this. The OpenBSD
box will run headless.

The 2.9 install went fine. I have it connected to the ADSL and the
switch, but I still can't surf from within the 10/8. The 2.9 box has
2 SMC EZ Card 10/100 NICs in it.

Windows box config is from dhcp on the 2.9 box.

In my paranoia the first 3 octets of the IP address(es) below are
replaced by x.y.z and the domain is mydomain.com.

2.9 box files:

hostname.rl0
------------

inet x.y.z.46 255.255.255.248 NONE 

hostname.rl1
------------

inet 10.0.0.1 255.0.0.0 NONE 

ipf.rules
---------

pass in from any to any
pass out from any to any

ipnat.rules
-----------

# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation

map rl1 10.0.0.0/8 -> x.y.z.46/32 portmap tcp/udp 10000:60000
map rl1 10.0.0.0/8 -> x.y.z.46/32

rc.conf
-------

#!/bin/sh -
#
#	$OpenBSD: rc.conf,v 1.57 2001/04/19 04:00:15 deraadt Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO		# for normal use: "-q"
mrouted_flags=NO	# for normal use: "", if activated
			# be sure to enable multicast_router below.
rarpd_flags=NO		# for normal use: "-a"
bootparamd_flags=NO	# for normal use: ""
rbootd_flags=NO		# for normal use: ""
sshd_flags=""		# for normal use: ""
sendmail_flags="-q30m"	# for normal use: "-bd -q30m"
smtpfwdd_flags=NO	# for normal use: "", and no "-bd" above.
named_flags=NO		# for normal use: ""
rdate_flags=NO		# for normal use: name of RFC868 timeserver
timed_flags=NO		# for normal use: ""
ntpdate_flags=NO	# for normal use: NTP server; run before ntpd starts
photurisd_flags=NO	# for normal use: ""
isakmpd_flags=NO	# for normal use: ""
mopd_flags=NO		# for normal use: "-a"
httpd_flags=NO		# for normal use: "" (or "-DSSL" after reading ssl(8))
apmd_flags=NO		# for normal use: ""
dhcpd_flags="-q"	# for normal use: "-q"
rtadvd_flags=NO		# for normal use: list of interfaces
			# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO	# for normal use: ""
			# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO		# for normal use: interface
			# be sure to set net.inet6.ip6.forwarding=0
			# be sure to set net.inet6.ip6.accept_rtadv=1

# Set to NO if ftpd is running out of inetd
ftpd_flags=NO		# for non-inetd use: "-D"

# Set to NO if identd is running out of inetd
identd_flags=NO		# for non-inetd use: "-b -u nobody -elo"

# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO		# for normal use: ""

# For enabling console mouse support (i386 architecture only)
moused_flags=NO		# for ps/2 try: "-p /dev/psm0", serial: "-p /dev/cua00"

# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO		# see sysctl.conf for nfs client configuration
lockd=NO
gated=NO
kerberos_server=NO	# kerberos server. run 'info kth-krb' for assistance.
kerberos_slave=NO	# kerberos slave server.
amd=NO
ipfilter=YES
ipnat=YES		# for "YES" ipfilter must also be "YES"
portmap=YES		# almost always needed
inetd=YES		# almost always needed
lpd=NO			# printing daemons
check_quotas=YES	# NO may be desirable in some YP environments
ntpd=YES		# run ntpd if it exists
afs=NO			# mount and run afs

# Multicast routing configuration
# Please look at /etc/netstart for a detailed description if you change these
multicast_host=NO	# Route all multicast packets to a single interface
multicast_router=NO	# A multicast routing daemon will be run, e.g. mrouted

# miscellaneous other flags
# only used if the appropriate server is marked YES above
gated_flags=
ypserv_flags=			# E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=		# "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt		# AMD's mount directory
amd_master=/etc/amd/master	# AMD 'master' map
ipfilter_rules=/etc/ipf.rules	# Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules	# Rules for Network Address Translation
ipmon_flags=-Ds			# To disable logging, use ipmon_flags=NO
syslogd_flags=			# add more flags, ie. "-u -a /chroot/dev/log"
named_user=named		# Named should not run as root unless necessary
named_chroot=/var/named		# Where to chroot named if not empty
afs_mount_point=/afs		# Mountpoint for AFS
afs_device=/dev/xfs0		# Device used by afsd
afsd_flags=-z			# Flags passed to afsd
shlib_dirs=			# extra directories for ldconfig

local_rcconf="/etc/rc.conf.local"

[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

sysctl.conf
-----------

#	$OpenBSD: sysctl.conf,v 1.21 2000/10/23 17:15:47 deraadt Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1	# 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0		# 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.esp.enable=1		# 1=Enable the ESP IPSec protocol
#net.inet.ah.enable=1		# 1=Enable the AH IPSec protocol
#ddb.panic=0			# 0=Do not drop into ddb on a kernel panic
#ddb.console=1			# 1=Permit entry of ddb from the console
#fs.posix.setuid=0		# 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1	# 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4		# number of nfsio kernel threads
#net.inet.ip.mtudisc=1		# 1=enable tcp mtu discovery
machdep.allowaperture=1		# 1=permit access to aperture driver (XFree86)
#machdep.apmwarn=10		# battery % when apm status messages enabled
#machdep.kbdreset=1		# permit console CTRL-ALT-DEL to do a nice halt

dhcpd.conf
----------

#	$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:		192.168.1.0/255.255.255.0
# Domain name:		my.domain
# Name servers:		192.168.1.3 and 192.168.1.5
# Default router:	192.168.1.1
# Addresses:		192.168.1.32 - 192.168.1.127
#
shared-network LOCAL-NET {
	option  domain-name "mydomain.com";
	option  domain-name-servers 195.40.1.36, 193.131.248.36;

	subnet 10.0.0.0 netmask 255.0.0.0 {
		option routers 10.0.0.1;

		range 10.0.0.2 10.0.0.127;
	}
}

With this setup and the windoze laptop hooked up to the LinkSys switch:

The windows box has got its IP etc from DHCP:

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mydomain.com
        IP Address. . . . . . . . . . . . : 10.0.0.2
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.1

From the windows box:
I can ping *both* interfaces of the BSD box, but can't ping
www.google.com (Unknown host www.google.com.) or 216.239.35.100
(Google's IP address - Destination host unreachable). I can ssh into the
external NIC, but not the local one! Arghhhh!!

From the BSD box:
I can ping Google. I can ping the windows box (on 10.0.0.2).
I can lynx www.uk.openbsd.org

netstat -nr -f inet shows:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            x.y.z.41           UGS         1       98   1500  rl0
10/8               link#2             UC          0        0   1500  rl1
10.0.0.1           127.0.0.1          UGHS        0        0  32972  lo0
10.0.0.2           0:e0:98:8d:d1:c1   UHL         3      160   1500  rl1
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          3       24  32972  lo0
x.y.z.40/29        link#1             UC          0        0   1500  rl0
x.y.z.41           0:20:6f:8:ba:32    UHL         1        0   1500  rl0
x.y.z.42           0:e0:98:8d:d1:c1   UHL         0        4   1500  rl0
224/4              127.0.0.1          URS         0        0  32972  lo0

route -n show -inet shows:

Routing tables

Internet:
Destination      Gateway            Flags 
default          x.y.z.41           UG     
10.0.0.0         link#2             U      
10.0.0.1         127.0.0.1          UGH    
10.0.0.2         0:e0:98:8d:d1:c1   UH     
127.0.0.0        127.0.0.1          UG     
127.0.0.1        127.0.0.1          UH     
x.y.z.40         link#1             U      
x.y.z.41         0:20:6f:8:ba:32    UH     
x.y.z.42         0:e0:98:8d:d1:c1   UH     
224.0.0.0        127.0.0.1          U      

ifconfig -a inet shows:

lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
	inet 127.0.0.1 netmask 0xff000000 
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (none)
	status: active
	inet x.y.z.46 netmask 0xfffffff8 broadcast x.y.z.47
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

What gives with rl0 and its media type from ifconfig?
Have I missed something that routes between the 2 NICs? A route add?

Rich (frustrated)

-- 
Richard Parker

What rolls down T3s, boosts connect fees, and makes your throughput
drag?
Makes it tough to hack, won't get off your back. 
It's logs, logs, logs, logs, logs.
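The check a reader of this post would want, added here as an example and not part of Rich's message: ipnat(5) map rules name the interface packets leave on, i.e. the external one, so the interface in each map rule should be the one carrying the default route. The script below takes a routing table in the form `netstat -nr -f inet` prints it and a set of ipnat rules, reports any map rule whose interface differs from the default-route interface, and prints the ruleset rewritten to use that interface. The sample inputs are constructed from the output quoted above (with the wrapped Interface column rejoined); the function names are this example's own and are not ipnat commands.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that every ipnat
# "map" rule names the interface that holds the default route, which is
# the outbound (external) interface ipnat(5) expects, and rewrites the
# rules to use it if not.

# Constructed sample, taken from the post: default route via rl0, but
# both map rules name rl1 (the inside interface).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            x.y.z.41           UGS         1       98   1500  rl0
10/8               link#2             UC          0        0   1500  rl1
x.y.z.40/29        link#1             UC          0        0   1500  rl0'

SAMPLE_NAT='# constructed copy of the ipnat.rules from the post
map rl1 10.0.0.0/8 -> x.y.z.46/32 portmap tcp/udp 10000:60000
map rl1 10.0.0.0/8 -> x.y.z.46/32'

# Print the interface of the default route (last column of the "default" line).
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $NF; exit }'
}

# Print the interface named by each map rule, one per line.
map_ifaces() {
    printf '%s\n' "$1" | awk '$1 == "map" { print $2 }'
}

# Report map rules whose interface is not the default-route interface.
# Returns 0 when every map rule is on the external interface, 1 when at
# least one is not, 2 when no default route could be found.
check_nat_iface() {
    routes=$1
    nat=$2
    ext=$(default_iface "$routes")
    [ -n "$ext" ] || { echo "no default route found" >&2; return 2; }
    printf '%s\n' "$nat" | awk -v ext="$ext" '
        $1 == "map" && $2 != ext {
            printf "map on %s but default route is on %s: %s\n", $2, ext, $0
            bad = 1
        }
        END { exit bad }'
}

# Print the rules with every map rule moved to the default-route interface.
# Comments and non-map lines are passed through unchanged.
fix_nat_iface() {
    ext=$(default_iface "$1")
    printf '%s\n' "$2" | awk -v ext="$ext" '$1 == "map" { $2 = ext } { print }'
}

# Run against the post's setup: report the mismatch, then show the rewrite.
if ! check_nat_iface "$SAMPLE_ROUTES" "$SAMPLE_NAT"; then
    echo "--- rewritten ipnat.rules ---"
    fix_nat_iface "$SAMPLE_ROUTES" "$SAMPLE_NAT"
fi
```

After changing the rules, `ipnat -CF -f /etc/ipnat.rules` clears the old mappings and loads the new file, and `ipnat -l` shows the active translations while a 10/8 host is browsing. Note also that with `pass in from any to any` as the whole ipf.rules and `portmap=YES` and `inetd=YES` in rc.conf, everything those daemons listen on is reachable from the /29 and beyond; once NAT works, the rules on rl0 are the thing to tighten next.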
