
2.9 router/firewall woes



Hi all,

Firstly, apologies if some of you are seeing this for the second time;
I posted it to comp.unix.bsd.openbsd.misc but the thread has fizzled
out.

I have a BT business ADSL account. This provides a 4-port Ethernet
router with a /29, and currently I have 2 machines hooked directly to
it (using Tiny Personal Firewall for safety's sake).

What I want is for my new OpenBSD 2.9 box to be the only machine
directly connected to the ADSL, with a second NIC connected to my
LinkSys switch. I want to use ipf and NAT so the windoze boxes are sat
in a 10.0.0/8 subnet and can surf etc. from within it. The OpenBSD
box will run headless.

The 2.9 install went fine. I have it connected to the ADSL and the
switch, but I still can't surf from within the 10/8. The 2.9 box has
2 SMC EZ Card 10/100 NICs in it.

Windows box config is from dhcp on the 2.9 box.

In my paranoia, the first 3 octets of the IP address(es) below are
replaced by x.y.z and the domain is mydomain.com.

2.9 box files:

hostname.rl0
------------

inet x.y.z.46 255.255.255.248 NONE 

hostname.rl1
------------

inet 10.0.0.1 255.0.0.0 NONE 

ipf.rules
---------

pass in from any to any
pass out from any to any

ipnat.rules
-----------

# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation

map rl1 10.0.0.0/8 -> x.y.z.46/32 portmap tcp/udp 10000:60000
map rl1 10.0.0.0/8 -> x.y.z.46/32

rc.conf
-------

#!/bin/sh -
#
#	$OpenBSD: rc.conf,v 1.57 2001/04/19 04:00:15 deraadt Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO		# for normal use: "-q"
mrouted_flags=NO	# for normal use: "", if activated
			# be sure to enable multicast_router below.
rarpd_flags=NO		# for normal use: "-a"
bootparamd_flags=NO	# for normal use: ""
rbootd_flags=NO		# for normal use: ""
sshd_flags=""		# for normal use: ""
sendmail_flags="-q30m"	# for normal use: "-bd -q30m"
smtpfwdd_flags=NO	# for normal use: "", and no "-bd" above.
named_flags=NO		# for normal use: ""
rdate_flags=NO		# for normal use: name of RFC868 timeserver
timed_flags=NO		# for normal use: ""
ntpdate_flags=NO	# for normal use: NTP server; run before ntpd starts
photurisd_flags=NO	# for normal use: ""
isakmpd_flags=NO	# for normal use: ""
mopd_flags=NO		# for normal use: "-a"
httpd_flags=NO		# for normal use: "" (or "-DSSL" after reading ssl(8))
apmd_flags=NO		# for normal use: ""
dhcpd_flags="-q"	# for normal use: "-q"
rtadvd_flags=NO		# for normal use: list of interfaces
			# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO	# for normal use: ""
			# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO		# for normal use: interface
			# be sure to set net.inet6.ip6.forwarding=0
			# be sure to set net.inet6.ip6.accept_rtadv=1

# Set to NO if ftpd is running out of inetd
ftpd_flags=NO		# for non-inetd use: "-D"

# Set to NO if identd is running out of inetd
identd_flags=NO		# for non-inetd use: "-b -u nobody -elo"

# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO		# for normal use: ""

# For enabling console mouse support (i386 architecture only)
moused_flags=NO		# for ps/2 try: "-p /dev/psm0", serial: "-p /dev/cua00"

# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO		# see sysctl.conf for nfs client configuration
lockd=NO
gated=NO
kerberos_server=NO	# kerberos server. run 'info kth-krb' for assistance.
kerberos_slave=NO	# kerberos slave server.
amd=NO
ipfilter=YES
ipnat=YES		# for "YES" ipfilter must also be "YES"
portmap=YES		# almost always needed
inetd=YES		# almost always needed
lpd=NO			# printing daemons
check_quotas=YES	# NO may be desirable in some YP environments
ntpd=YES		# run ntpd if it exists
afs=NO			# mount and run afs

# Multicast routing configuration
# Please look at /etc/netstart for a detailed description if you change these
multicast_host=NO	# Route all multicast packets to a single interface
multicast_router=NO	# A multicast routing daemon will be run, e.g. mrouted

# miscellaneous other flags
# only used if the appropriate server is marked YES above
gated_flags=
ypserv_flags=			# E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=		# "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt		# AMD's mount directory
amd_master=/etc/amd/master	# AMD 'master' map
ipfilter_rules=/etc/ipf.rules	# Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules	# Rules for Network Address Translation
ipmon_flags=-Ds			# To disable logging, use ipmon_flags=NO
syslogd_flags=			# add more flags, ie. "-u -a /chroot/dev/log"
named_user=named		# Named should not run as root unless necessary
named_chroot=/var/named		# Where to chroot named if not empty
afs_mount_point=/afs		# Mountpoint for AFS
afs_device=/dev/xfs0		# Device used by afsd
afsd_flags=-z			# Flags passed to afsd
shlib_dirs=			# extra directories for ldconfig

local_rcconf="/etc/rc.conf.local"

[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

sysctl.conf
-----------

#	$OpenBSD: sysctl.conf,v 1.21 2000/10/23 17:15:47 deraadt Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1	# 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0		# 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.esp.enable=1		# 1=Enable the ESP IPSec protocol
#net.inet.ah.enable=1		# 1=Enable the AH IPSec protocol
#ddb.panic=0			# 0=Do not drop into ddb on a kernel panic
#ddb.console=1			# 1=Permit entry of ddb from the console
#fs.posix.setuid=0		# 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1	# 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4		# number of nfsio kernel threads
#net.inet.ip.mtudisc=1		# 1=enable tcp mtu discovery
machdep.allowaperture=1		# 1=permit access to aperture driver (XFree86)
#machdep.apmwarn=10		# battery % when apm status messages enabled
#machdep.kbdreset=1		# permit console CTRL-ALT-DEL to do a nice halt

dhcpd.conf
----------

#	$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:		192.168.1.0/255.255.255.0
# Domain name:		my.domain
# Name servers:		192.168.1.3 and 192.168.1.5
# Default router:	192.168.1.1
# Addresses:		192.168.1.32 - 192.168.1.127
#
shared-network LOCAL-NET {
	option  domain-name "mydomain.com";
	option  domain-name-servers 195.40.1.36, 193.131.248.36;

	subnet 10.0.0.0 netmask 255.0.0.0 {
		option routers 10.0.0.1;

		range 10.0.0.2 10.0.0.127;
	}
}

With this setup and the windoze laptop hooked up to the LinkSys switch:

The windows box has got its IP etc from DHCP:

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mydomain.com
        IP Address. . . . . . . . . . . . : 10.0.0.2
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.1

From the Windows box:
I can ping *both* interfaces of the BSD box, but can't ping
www.google.com (Unknown host www.google.com.) or 216.239.35.100
(Google's IP address - Destination host unreachable). I can ssh into the
external NIC, but not the local one! Arghhhh!!

From the BSD box:
I can ping Google. I can ping the Windows box (on 10.0.0.2).
I can lynx www.uk.openbsd.org.

netstat -nr -f inet shows:

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            x.y.z.41           UGS         1       98   1500  rl0
10/8               link#2             UC          0        0   1500  rl1
10.0.0.1           127.0.0.1          UGHS        0        0  32972  lo0
10.0.0.2           0:e0:98:8d:d1:c1   UHL         3      160   1500  rl1
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          3       24  32972  lo0
x.y.z.40/29        link#1             UC          0        0   1500  rl0
x.y.z.41           0:20:6f:8:ba:32    UHL         1        0   1500  rl0
x.y.z.42           0:e0:98:8d:d1:c1   UHL         0        4   1500  rl0
224/4              127.0.0.1          URS         0        0  32972  lo0

route -n show -inet shows:

Routing tables

Internet:
Destination      Gateway            Flags 
default          x.y.z.41           UG     
10.0.0.0         link#2             U      
10.0.0.1         127.0.0.1          UGH    
10.0.0.2         0:e0:98:8d:d1:c1   UH     
127.0.0.0        127.0.0.1          UG     
127.0.0.1        127.0.0.1          UH     
x.y.z.40         link#1             U      
x.y.z.41         0:20:6f:8:ba:32    UH     
x.y.z.42         0:e0:98:8d:d1:c1   UH     
224.0.0.0        127.0.0.1          U      

ifconfig -a inet shows:

lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
	inet 127.0.0.1 netmask 0xff000000 
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (none)
	status: active
	inet x.y.z.46 netmask 0xfffffff8 broadcast x.y.z.47
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

What gives with rl0 and its media type from ifconfig?
Have I missed something that routes between the 2 NICs? A route add?

Rich (frustrated)

-- 
Richard Parker

What rolls down T3s, boosts connect fees, and makes your throughput
drag?
Makes it tough to hack, won't get off your back. 
It's logs, logs, logs, logs, logs.
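
Editor's note (added example, not part of Rich's post or of OpenBSD/IPFilter): an
IPFilter `map` rule translates packets *leaving* the interface it names, so for
outbound NAT it has to name the external NIC, which is the one carrying the
default route. In the config above the default route leaves via rl0 but both
`map` lines say rl1, so traffic from 10/8 goes out rl0 untranslated. The script
below is a small checker I wrote for that mistake: it parses the `map`/`bimap`
lines of an ipnat.rules file and the `netstat -nr -f inet` output, reports any
rule whose interface is not the default-route interface, and emits a corrected
file. The sample inputs are copied (and trimmed) from the post; the rule regex
only covers the `map IFACE SRC -> DST [options]` form used here, which is an
assumption on my part. Whether the interface mismatch is the *only* thing wrong
is not something the post settles.

```python
"""Check IPFilter ipnat.rules map rules against the routing table.

A `map` rule rewrites packets going OUT of the named interface, so outbound
NAT must be placed on the interface that carries the default route (the
external NIC), not on the LAN side.  Sample inputs below are constructed from
the mailing-list post this note accompanies.
"""
import re

# Constructed sample: the two map lines from the post, plus one comment line.
IPNAT_RULES = """\
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
map rl1 10.0.0.0/8 -> x.y.z.46/32 portmap tcp/udp 10000:60000
map rl1 10.0.0.0/8 -> x.y.z.46/32
"""

# Constructed sample: trimmed `netstat -nr -f inet` output from the post.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            x.y.z.41           UGS         1       98   1500  rl0
10/8               link#2             UC          0        0   1500  rl1
x.y.z.40/29        link#1             UC          0        0   1500  rl0
"""

# Assumption: only the `map IFACE SRC -> DST [options]` rule form is handled.
MAP_RE = re.compile(
    r"^\s*(?P<kind>map|bimap)\s+(?P<iface>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?P<rest>.*)$"
)


def parse_map_rules(rules_text):
    """Return (lineno, kind, iface, src, dst, options) for each map/bimap rule."""
    rules = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = MAP_RE.match(line)
        if m:
            rules.append((lineno, m["kind"], m["iface"], m["src"], m["dst"], m["rest"].strip()))
    return rules


def default_route_iface(netstat_text):
    """Interface column of the 'default' entry in `netstat -nr -f inet`, or None."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if cols and cols[0] == "default":
            return cols[-1]
    return None


def check_nat_rules(rules_text, netstat_text):
    """List human-readable problems: map rules not on the default-route interface."""
    ext = default_route_iface(netstat_text)
    if ext is None:
        return ["no default route found; cannot tell which interface is external"]
    problems = []
    for lineno, kind, iface, src, dst, _opts in parse_map_rules(rules_text):
        if iface != ext:
            problems.append(
                f"line {lineno}: '{kind} {iface} {src} -> {dst}' translates on {iface}, "
                f"but the default route leaves via {ext}; outbound NAT belongs on {ext}"
            )
    return problems


def rewrite_map_iface(rules_text, new_iface):
    """Return rules_text with every map/bimap rule pointed at new_iface, other lines untouched."""
    out = []
    for line in rules_text.splitlines():
        m = MAP_RE.match(line)
        if m:
            line = f"{m['kind']} {new_iface} {m['src']} -> {m['dst']}{m['rest']}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for problem in check_nat_rules(IPNAT_RULES, NETSTAT_OUTPUT):
        print("PROBLEM:", problem)
    print("--- corrected ipnat.rules ---")
    print(rewrite_map_iface(IPNAT_RULES, default_route_iface(NETSTAT_OUTPUT)), end="")
```

On the box itself the corrected file is loaded with `ipnat -CF -f /etc/ipnat.rules`
and confirmed with `ipnat -l`; a `tcpdump -ni rl0` while the laptop pings
216.239.35.100 should then show the packets leaving with source x.y.z.46 rather
than 10.0.0.2. One further caveat: the posted ipf.rules (`pass in from any to
any` / `pass out from any to any`) filters nothing, so ipnat is the only thing
standing between the 10/8 hosts and the link; once NAT works, a `block in on
rl0 all` plus `pass out quick on rl0 from any to any keep state` is the usual
next step.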