Re: FreeBSD = Router, and vice versa

From: Joseph (jolt_at_nicholasofmyra.org)
Date: 06/20/03

    To: "agent dero" <dero@bluhayz.org>, <freebsd-net@freebsd.org>
    Date: Fri, 20 Jun 2003 09:44:01 -0400
    
    

    There are probably a couple of things you will need to do for everything to
    ... just work.

    I agree with Julian Elischer, you should run ipfw with a basic firewall rule
    set, because you will need natd running. However, this will have its own
    set of problems.

    First, if you use ipfw, you will need a way to dynamically determine the IP
    address for the rules. I use:

    IPADDR=`/sbin/ifconfig sis0 | grep inet | awk '{print $2}'`

    in my firewall script to get the address of the external interface "sis0".
    There may be a better way, but this works for me.

    Second, you will need a way to reload firewall rules if the address changes.
    I rerun the firewall rule set in /etc/dhclient-exit-hooks. I added this:

    #!/bin/sh
    UPTIME=`/usr/bin/uptime | awk '{print $4}'`
    IP_FILE='/var/run/dhclient.oldip'
    CUR_IP=`/sbin/ifconfig sis0 | grep inet | awk '{print $2}'`
    # The state file does not exist yet on the very first run; treat that as
    # "no old address" instead of letting cat complain.
    OLD_IP=`cat $IP_FILE 2>/dev/null`

    if [ x$CUR_IP != x$OLD_IP ]; then
            echo New IP [$CUR_IP]
            echo $CUR_IP > $IP_FILE
            # If we have only been up for seconds, then we just rebooted, and
            # don't need to rerun firewall script.
            if [ "$UPTIME" != "secs," ]; then
                    # Fix firewall
                    /etc/rc.firewall.custom
            fi
    fi
    echo $CUR_IP > $IP_FILE

    Check out the man page for dhclient-script for more info on the exit hooks. The
    script will run every time the computer tries to get an IP address, even if
    the same one is given. So, this script will only rerun rules if the address
    changes while the PC is running. It doesn't need to rerun on a reboot. I
    can't remember what prompted that test, but I do remember I had problems
    until I tested for it.

    Third, is there a DHCP server running on the destination network? That DHCP
    server will need to update the default route on all of the clients. For
    that reason, it may be better to set a static IP address for the default
    gateway (LAN interface). If there is not one running, you can configure the
    computer you are sending to be a DHCP server. You could use DHCP on the
    internal interface as long as you are updating the DNS records dynamically.

    Fourth, you need a way to get the IP address of the machine you are giving
    them. You may need to tweak it a bit when it gets there. I would suggest
    using http://www.dyndns.org/ or another comparable service. The advantage
    of this one is that it is free. You can use the port
    /usr/ports/net/ddclient/ to update the dns record. I use this at home and
    it works great!

    Last, I agree with JD, you need some kind of access. I would suggest
    opening up ssh to the server via ipfw. It would be best if you have a
    static IP where you are ssh'ing from. If you do, only allow that address to
    connect to the sshd on the external interface. I would further suggest
    setting the protocol to 2 in /etc/ssh/sshd_config. If you have to tweak the
    firewall rules through that, be careful: you can cut yourself off if you are
    not. I always update rules in a copy of the firewall rules I use. Run it
    with "rc.firewall.copy >/tmp/rules &". You can check the output by looking
    at /tmp/rules. If you don't add "&" and you get cut off, the script will
    not complete and may leave you in an unpredictable state. As long as you
    are editing a copy of the rules, if something goes wrong, you just get
    someone to reboot the computer, it will use the original rule set. To
    minimize getting cut off, move your sshd rules for the external interface to
    as close to the top as you can.

    One other note if you are using securelevel. You may have trouble with dhcp
    if you use securelevel 3. I have my home firewall set to reboot to
    securelevel -1, then every so often, as a cron job, increase the securelevel
    to 2. If you have to tweak things, you can reboot, tweak before the timed
    securelevel increase. This is not the most secure way of doing it, but it
    allows you to work with a firewall that isn't physically accessible. If you
    don't expect the IP address to change, and are willing to reboot if it does,
    you can increase the securelevel to 3.

    Hope this helps,
    Joseph
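    Added example, not part of Joseph's message: the exit-hook idea above split into functions, with the state file handled on a first run, a reload only when the address actually changed, and the single-admin ssh rule loaded first. The interface name, the admin address, the rule numbers and the constructed ifconfig output are assumptions; IPFW defaults to echo so the script prints rules rather than loading them.

```shell
#!/bin/sh
# Added example (not from the original message). Functions for a dhclient
# exit hook: remember the last address, reload rules only on a real change,
# and load the admin ssh rule before anything else. Names are assumptions.
EXT_IF=${EXT_IF:-sis0}                # external (DHCP) interface, assumed
ADMIN_IP=${ADMIN_IP:-198.51.100.7}    # constructed static admin address
STATE=${STATE:-/tmp/dhclient.oldip}   # last address seen by the hook
IPFW=${IPFW:-echo /sbin/ipfw}         # dry run unless overridden

# IPv4 address from ifconfig output for one interface. Matching the whole
# first field skips "inet6" lines, which a plain "grep inet" would also hit.
inet_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# 0 (true) when the address differs from the recorded one or no record
# exists, 1 when it is unchanged, so the hook can skip a needless reload.
ip_changed() {
    [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$1" ] && return 1
    return 0
}

# Rules that depend on the external address; the admin ssh rule is loaded
# first so a reload over ssh cannot lock the administrator out.
emit_rules() {
    $IPFW -q flush
    $IPFW add 100 allow tcp from "$ADMIN_IP" to "$1" 22 in via "$EXT_IF" setup
    $IPFW add 110 allow tcp from any to any established
    $IPFW add 200 divert natd ip from any to any via "$EXT_IF"
    $IPFW add 65000 deny log ip from any to any in via "$EXT_IF"
}

# Constructed ifconfig output so the demo runs without a sis0 interface.
SAMPLE_IFCONFIG='sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1%sis0 prefixlen 64 scopeid 0x1
        inet 203.0.113.25 netmask 0xffffff00 broadcast 203.0.113.255'

main() {
    ip=$(inet_from_ifconfig "$SAMPLE_IFCONFIG")
    if ip_changed "$ip"; then
        echo "new external address: $ip"
        emit_rules "$ip"
        printf '%s\n' "$ip" > "$STATE"
    fi
}
main
```

    To use it for real, replace SAMPLE_IFCONFIG with `/sbin/ifconfig "$EXT_IF"` output and set IPFW=/sbin/ipfw.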

    ----- Original Message -----
    From: "agent dero" <dero@bluhayz.org>
    To: <freebsd-net@freebsd.org>
    Sent: Thursday, June 19, 2003 7:41 PM
    Subject: FreeBSD = Router, and vice versa

    > I guess this is a simple question, but I have never done something like
    > this before, so I figure I'll ask. I have been using FBSD for a while, but
    > now I need to ship a FBSD server half way across America, and have a newbie
    > press the power button, plug in two network cards, and have it work.
    >
    > I have already set up the two network cards on the machine, both with DHCP,
    > meaning when plugged in interface fxp0 will receive via DHCP an IP from
    > the broadband provider, and then on interface dc0, the client computers will
    > retrieve a LAN IP address. I also configured the rc.conf so that it is
    > enabled as a gateway. But is that all I need to do?
    >
    > Help appreciated.
    > -dero
    > _______________________________________________
    > freebsd-net@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-net
    > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
    >
