Date:      Fri, 20 Jun 2003 09:44:01 -0400
From:      "Joseph" <jolt@nicholasofmyra.org>
To:        "agent dero" <dero@bluhayz.org>, <freebsd-net@freebsd.org>
Subject:   Re: FreeBSD = Router, and vice versa
Message-ID:  <00e601c33732$04940d90$ee64010a@compops5>
References:  <20030619190103.8F10D37B404@hub.freebsd.org> <20030619233434.M7791@bluhayz.org>

There are probably a couple of things you will need to do for everything to
... just work.

I agree with Julian Elischer, you should run ipfw with a basic firewall rule
set, because you will need natd running.  However, this will have its own
set of problems.

First, if you use ipfw, you will need a way to dynamically determine the IP
address for the rules.  I use:

IPADDR=`/sbin/ifconfig sis0 | grep 'inet ' | awk '{print $2}'`   # 'inet ' with the space, so an inet6 line is not matched too

in my firewall script to get the address of the external interface "sis0".
There may be a better way, but this works for me.

Second, you will need a way to reload firewall rules if the address changes.
I rerun the firewall rule set in /etc/dhclient-exit-hooks.  I added this:

#!/bin/sh
# Runs as /etc/dhclient-exit-hooks after every dhclient lease event.
UPTIME=`/usr/bin/uptime | awk '{print $4}'`
IP_FILE='/var/run/dhclient.oldip'
# match 'inet ' (with the space) so an inet6 line is not picked up as well
CUR_IP=`/sbin/ifconfig sis0 | grep 'inet ' | awk '{print $2}'`
OLD_IP=`cat $IP_FILE 2>/dev/null`   # empty on the very first run

if [ "x$CUR_IP" != "x$OLD_IP" ]; then
        echo "New IP [$CUR_IP]"
        echo "$CUR_IP" > "$IP_FILE"
        # If we have only been up for seconds, then we just rebooted, and
        # don't need to rerun firewall script.
        if [ "$UPTIME" != "secs," ]; then
                # Fix firewall
                /etc/rc.firewall.custom
        fi
fi
echo "$CUR_IP" > "$IP_FILE"

Check out man for dhclient-script for more info on the exit hooks.  The
script will run every time the computer tries to get an IP address, even if
the same one is given.  So, this script will only rerun rules if the address
changes while the PC is running.  It doesn't need to rerun on a reboot.  I
can't remember what prompted that test, but I do remember I had problems
until I tested for it.

Third, is there a DHCP server running on the destination network?  That DHCP
server will need to update the default route on all of the clients.  For
that reason, it may be better to set a static IP address for the default
gateway (LAN interface).  If there is not one running, you can configure the
computer you are sending to be a DHCP server.  You could use DHCP on the
internal interface as long as you are updating the DNS records dynamically.

Fourth, you need a way to get the IP address of the machine you are giving
them.  You may need to tweak it a bit when it gets there.  I would suggest
using http://www.dyndns.org/ or another comparable service.  The advantage
of this one is that it is free.  You can use the port
/usr/ports/net/ddclient/ to update the DNS record.  I use this at home and
it works great!

Last, I agree with JD, you need some kind of access.  I would suggest
opening up ssh to the server via ipfw.  It would be best if you have a
static IP where you are ssh'ing from.  If you do, only allow that address to
connect to the sshd on the external interface.  I would further suggest
setting the protocol to 2 in /etc/ssh/sshd_config.  If you have to tweak the
firewall rules through that, be careful: you can cut yourself off if you are
not.  I always update rules in a copy of the firewall rules I use.  Run it
with "rc.firewall.copy >/tmp/rules &".  You can check the output by looking
at /tmp/rules.  If you don't add "&" and you get cut off, the script will
not complete and may leave you in an unpredictable state.  As long as you
are editing a copy of the rules, if something goes wrong, you just get
someone to reboot the computer, and it will use the original rule set.  To
minimize getting cut off, move your sshd rules for the external interface
as close to the top as you can.

One other note if you are using securelevel.  You may have trouble with dhcp
if you use securelevel 3.  I have my home firewall set to reboot to
securelevel -1, then every so often, as a cron job, increase the securelevel
to 2.  If you have to tweak things, you can reboot and tweak before the timed
securelevel increase.  This is not the most secure way of doing it, but it
allows you to work with a firewall that isn't physically accessible.  If you
don't expect the IP address to change, and are willing to reboot if it does,
you can increase the securelevel to 3.

Hope this helps,
Joseph
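[Added example, not part of Joseph's mail or the original script.]  The
exit-hook logic above, rewritten as small testable shell functions: the
address extraction matches only the IPv4 "inet" line (a plain grep for
"inet" also matches "inet6"), the change test treats a missing state file as
a change so the first run records the address, the "just booted" test keeps
the firewall script from being rerun during the boot-time dhclient run, and
ssh_rules emits the ipfw rule bodies the mail recommends for management
access (sshd on the external interface reachable only from one static admin
address).  The interface name sis0, the state-file and firewall-script
paths, the rule numbers and the admin address 192.0.2.10 are assumptions
for illustration; the live part only runs when EXIT_HOOK_LIVE=yes is set,
so the functions can be sourced and exercised on any box.

```sh
#!/bin/sh
# Added example: defensive version of a dhclient-exit-hooks script.
# Interface, paths and addresses below are assumptions, not the author's.

EXT_IF="${EXT_IF:-sis0}"                               # external interface (assumed)
IP_FILE="${IP_FILE:-/var/run/dhclient.oldip}"          # where the last address is kept
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/etc/rc.firewall.custom}"

# Print the IPv4 address from ifconfig output read on stdin.
# Testing field 1 for exactly "inet" skips the "inet6" line(s).
extract_inet4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Succeed (exit 0) when the current address is set and differs from the
# recorded one; an empty recorded address (first run) counts as a change.
ip_changed() {
    cur="$1"; old="$2"
    [ -n "$cur" ] && [ "$cur" != "$old" ]
}

# Succeed when the uptime line says the machine has been up only seconds,
# i.e. this is the boot-time lease and rc has just loaded the rules anyway.
just_booted() {
    printf '%s\n' "$1" | awk '{ exit !($4 == "secs,") }'
}

# Emit ipfw rule bodies (feed each line to "ipfw") that admit sshd on the
# external interface from one static admin address and reject the rest.
# Low rule numbers put them near the top so a later mistake cannot cut
# the admin session off before the rule is reached.
ssh_rules() {
    ext_if="$1"; admin_ip="$2"
    printf 'add 100 allow tcp from %s to me 22 in via %s setup keep-state\n' "$admin_ip" "$ext_if"
    printf 'add 110 deny tcp from any to me 22 in via %s\n' "$ext_if"
}

# Live section: only when explicitly enabled, so sourcing for tests is safe.
if [ "${EXIT_HOOK_LIVE:-no}" = "yes" ]; then
    CUR_IP=$(/sbin/ifconfig "$EXT_IF" | extract_inet4)
    OLD_IP=$(cat "$IP_FILE" 2>/dev/null)
    if ip_changed "$CUR_IP" "$OLD_IP"; then
        logger -t dhclient-exit-hooks "external address changed: [$OLD_IP] -> [$CUR_IP]"
        printf '%s\n' "$CUR_IP" > "$IP_FILE"
        if ! just_booted "$(/usr/bin/uptime)"; then
            "$FIREWALL_SCRIPT"          # reload rules with the new address
        fi
    fi
fi
```

Logging through logger rather than echo matters here because
dhclient-exit-hooks runs with no terminal; a syslog line is the only record
you get of why the rule set was reloaded on a box you cannot reach.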

----- Original Message -----
From: "agent dero" <dero@bluhayz.org>
To: <freebsd-net@freebsd.org>
Sent: Thursday, June 19, 2003 7:41 PM
Subject: FreeBSD = Router, and vice versa


> I guess this is a simple question, but I have never done something like this
> before, so I figure I'll ask. I have been using FBSD for a while, but now I
> need to ship a FBSD server half way across America, and have a newbie press
> the power button, plug in two network cards, and have it work.
>
> I have already set up the two network cards on the machine, both with DHCP,
> meaning when plugged in interface fxp0 will receive via DHCP an IP from the
> broadband provider, and then on interface dc0, the client computers will
> retrieve a LAN IP address. I also configured the rc.conf so that it is
> enabled as a gateway. But is that all I need to do?
>
> Help appreciated.
> -dero
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>