Re: tricking myself w/ multihoming
From: Barney Wolff (barney_at_databus.com)
Date: 03/23/04
- Previous message: Brian Reichert: "Re: tricking myself w/ multihoming"
- In reply to: Brian Reichert: "tricking myself w/ multihoming"
- Next in thread: Brian Reichert: "Re: tricking myself w/ multihoming"
- Reply: Brian Reichert: "Re: tricking myself w/ multihoming"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 23 Mar 2004 16:47:23 -0500 To: Brian Reichert <reichert@numachi.com>
On Tue, Mar 23, 2004 at 03:30:45PM -0500, Brian Reichert wrote:
> I think I'm badly misunderstanding the interaction of ipfw and natd
> and routing in general.
>
> I have a multihomed box:
>
> rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet 198.175.254.11 netmask 0xffffff00 broadcast 198.175.254.255
> inet 198.175.254.8 netmask 0xffffffff broadcast 198.175.254.8
> ether 00:30:bd:21:e5:e9
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 24.147.155.114 netmask 0xfffff800 broadcast 255.255.255.255
> ether 00:50:ba:8b:64:77
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
First question, probably irrelevant - how did you get 255.255.255.255 as
the broadcast addr on rl1?
> The rl1 interface has natd associated with it, and it behaves as expected.
>
> The default route is also on rl1:
>
> # netstat -rn | grep default
> default 24.147.152.1 UGSc 231 273474 rl1
If 198.175.254.1 is really your external gateway, why is the default
route heading inside? Are there so many inside nets that you can't
list them as explicit routes?
> So far, things are as I wanted, and they've been this way for years.
> I can get to this box from my LAN just fine, and NAT works just
> fine, and any TCP tunnels on rl1 I've opened up work fine.
>
> I've gotten it in my head that I want to run a mail server on this box,
> publically available via either interface via 198.175.254.8.
>
> I've modified my firewall rules on this box slightly:
>
> 00040 fwd 198.175.254.1 tcp from 198.175.254.8 to any 25
> 00050 divert 8668 ip from any to any via rl1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> (198.175.254.1 is my gateway for the public block.)
>
> This setup lets outgoing SMTP transactions go out my public block.
>
> But, seemingly, it does not allow incoming SMTP sessions to occur.
Try adding 00045 fwd 198.175.254.1 tcp from 198.175.254.8 25 to any .
But really, the problem is better solved by setting your default
route to 198.175.254.1 rather than playing ipfw games. How is DNS
working?
Oh, and please do put some more secure rules in if you're really
Internet connected.
> Tcpdump on this box shows me the incoming packets coming to
> 198.175.254.8, but I'm not seeing these replies to these packets
> going out at all, much less to 198.175.254.1.
Probably going out rl1.
-- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
- Previous message: Brian Reichert: "Re: tricking myself w/ multihoming"
- In reply to: Brian Reichert: "tricking myself w/ multihoming"
- Next in thread: Brian Reichert: "Re: tricking myself w/ multihoming"
- Reply: Brian Reichert: "Re: tricking myself w/ multihoming"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
