LinuxQuestions.org, *BSD forum: Adding route and making ifconfig permanent (https://www.linuxquestions.org/questions/%2Absd-17/adding-route-and-making-ifconfig-permanent-232044/)

gani 09-18-2004 12:56 AM

Adding route and making ifconfig permanent
 
Hi everybody!

I've just finished installing OpenBSD 3.5 and I was able to configure both my Realtek (rl0) and Linksys (dc0) NICs. Could anybody help me make the settings I made via ifconfig permanent? When I rebooted my box, the configuration got lost. In Slackware this is so easy, just by putting the settings in rc.inet1.conf. Is there a file where I can place these, as with Slackware? I'm sure there is, I just don't know right at this time where that file is.

Right now this box is triple booting with XP, Slackware and this BSD, and I also want to make this a NAT when I'm in BSD for the rest of my XP machines. Could anybody give me hints on how I will configure this as a NAT with bits of simple IP filtering, and also on adding my ISP's gateway to the routing table? My Internet connection is a dedicated ADSL.

Thanks in advance.

chort 09-18-2004 03:53 AM

For the first issue of configuring interfaces automatically at boot, read the man page for hostname.if. It has exactly what you're looking for.

The second question, about setting up a NAT configuration, is covered in the PF Users' Guide.

gani 09-18-2004 05:58 AM

Thanks!

Actually I just printed the man pages for hostname.if and pf.conf.

gani 09-18-2004 09:59 AM

I made it!

Actually I'm typing this reply within OpenBSD running KDE desktop.

I've noticed that my Realtek NIC has "hostname.rl0", and I just looked at it and followed its format to create one for dc0 (Linksys). Besides, I added this to "hostname.rl0": !route -n add -net default my_isp_gateway.

Thanks for the info. I just printed more than half of the PF filtering howto to study this weekend, and hopefully I'll get some of it working on Monday.

Thanks once again!

chort 09-19-2004 04:55 PM

No problem. By the way, you can also specify the default gateway by placing it in the /etc/mygate file (no need to use a route statement in your interface initialization). Both ways work perfectly fine, though.

gani 09-20-2004 07:29 AM

Thanks chort once again!

I'm now typing this reply in one of my XP machines via shared Internet connection from my OpenBSD box.

I never thought that pf would be so much easier to learn than iptables, without the confusion and endless web searches for answers that will make you (-j) DROP instead, and not the packets; plus OpenBSD's website is complete with the FAQs you need to get it running. I will definitely use only OpenBSD for my firewall needs.

OpenBSD was first introduced to me by a review I read on the web that highlighted its utmost strength when it comes to security. Then finally, during an open source conference here in Manila, a Cebu-based (down south in the Visayas) company (www.infoweapons.com) that specializes in open source security discussed this stuff once again. This has really pushed me to get this OS tested and tried. The owner of this company in Cebu is an American now living here.

chort 09-20-2004 12:50 PM

Yes, the great strength of the BSD family of packet filters (IPF, IPFW, PF) is that they're all written in "natural language", i.e. the tokens for the configuration are meaningful English words. Arguably IPF and PF are a little more intuitive than IPFW.

One of the horrible, horrible failings of Netfilter is that its userland configuration tool (IPtables) is almost unusable due to confusing syntax. Someone should really write a better userland utility to interface with Netfilter, which should be completely possible since Netfilter is the kernel portion while IPtables is the userland portion. It shouldn't be that difficult (although very time-consuming) to write an alternative utility to IPtables.

User interface notwithstanding, PF has some native features that Netfilter isn't even close to having yet, namely pfsync and CARP. These allow you to synchronize state tables with other PF firewalls and automatically fail over (just like high-end commercial firewalls). All this is available by default without any third-party patches or add-ons.

Oh, and yet one more advantage of PF is that it has a hash table structure for very long lists of IP addresses, something I was not able to find with Netfilter/IPtables. When the company I work for was evaluating the use of IPtables in our product to dynamically block IPs, we noticed a huge performance degradation after adding several thousand IPs to a list. With OpenBSD and PF these could have been added to a table and tests have shown that tables are usable with tens of thousands of entries without severely degrading performance of PF.

gani 09-20-2004 10:54 PM

I've noticed that, compared with the performance of my netfilter running as NAT in Slackware, it's faster for my XP machines accessing the Internet.

I dropped my interest in learning netfilter because of the great confusion in which it had entangled my brain. This is the reason that I started to pick up the copy of the OpenBSD install disks that the Mr. Nice Guy of Infoweapons copied for me. I'm so surprised that in just a few hours of reading (just this past weekend), I was able to get things up and running, unconfused and relaxed, the following Monday, as I've earlier told you.

By the way, I just want to get these things (F, SYN, A, RST, ECE, etc.) cleared up in my mind; I already have some idea, but I'm still grasping. Is there any resource available on the web, or could you brief me?

In what else (applications) is OpenBSD very useful to you?

Well, if I find this OS really great for production servers, why not stick to this and only keep Slackware as a desktop, as Mr. Infoweapons told me, or as a server for small and non-critical systems. But I found Slackware very efficient compared with Red Hat and especially Fedora. My experience with Slackware is almost free of headaches getting things up and running, compared with System-V style Linux. Slackware is fast and stable even on this older PII PC that I'm using.

I hope that you will continue to give me info about the usefulness of OpenBSD that will help convince me.

My endless thanks!

(I told a friend in the US to buy a copy of 3.6 once it is released.)

chort 09-21-2004 12:40 AM

F (FIN) is the final packet, i.e. it's one side of the TCP connection telling the other side that it's done sending information (the side that received the FIN can still continue to send data until it issues its own FIN).

S (SYN) is for synchronize, this is the first packet of a TCP handshake. You'll often see tcp filtering rules in PF that look like this:
pass in on $interface proto tcp from $somewhere to $myserver port $someservice keep state flags S/SA
The "keep state" (or "modulate state"), as you probably already know, tells PF to create a state for this connection and remember it. The "flags S/SA" means "of the SYN and ACK flags, only SYN is set". This means it will only match the first packet of a valid handshake. This helps prevent some advanced port scanning methods that rely on strange responses to strange TCP flags. After the SYN is matched, a state is created and all subsequent traffic matching that state will be let through (even though subsequent packets won't match the S/SA, the state was already created).

A (ACK) is acknowledgement, which means "I got your message". TCP handshakes start like this:
S->
<-SA
A->

R (RST) means reset. This closes a connection immediately. It's usually seen in response to a SYN to a port that does not have a listening TCP service.

E (ECE) is used for Explicit Congestion Notification. I wasn't aware the flag was ECE until you actually posted it (usually when talking about it it's ECN). You can find more on Google.

P (PUSH) means "move this data out of the TCP buffer and hand it to the application immediately".

U (URG) is urgent, it means give this data immediate priority.

I'm sure there are one or two others that I'm forgetting. Read TCP/IP Illustrated, Volume 1: The Protocols for a more in-depth explanation. Incidentally, all the early TCP/IP books written by W. Richard Stevens (and now considered to be the "Bible" of TCP/IP) used BSD/OS extensively, and the reference stack implementations were taken from BSD, go figure ;)

As for what OpenBSD is useful for, it's very useful for any service connected to the Internet: e-mail server (sometimes just as a scanning server in front of your internal mail server), web server, DNS server, router (bgpd is by far the best open source router daemon available), firewall, VPN concentrator, wireless access point, you name it.
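To make the "flags S/SA" and "keep state" behaviour described above concrete, here is an added toy model in Python (not code from the thread, and not OpenBSD's pf): it reads the flag byte from a constructed TCP header, applies the flags/mask check exactly as explained, and creates a state entry on the first matched SYN so that the SYN-ACK and ACK of the handshake pass by state rather than by rule. It also goes one step further and shows that a SYN carrying the ECN bits still matches S/SA, because the mask only names S and A. The 20-byte headers, the addresses and the direction-agnostic state key are simplifying assumptions.

```python
# Toy model of the "keep state flags S/SA" rule from the post above. Added
# example, not code from the thread or from OpenBSD's pf: the 20-byte headers,
# addresses and the direction-agnostic state key are simplifying assumptions.
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_CHARS = dict(zip("FSRPAUEW", (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR)))
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)  # constructed endpoints

def parse_flags(spec):
    """Turn a pf.conf spec such as 'S/SA' into (required, mask) bitmasks."""
    want, mask = spec.split("/")
    return sum(FLAG_CHARS[c] for c in want), sum(FLAG_CHARS[c] for c in mask)

def flags_match(flag_byte, required, mask):
    """PF semantics: of the flags named in `mask`, exactly `required` are set."""
    return flag_byte & mask == required

def make_segment(sport, dport, flags):
    """Constructed minimal TCP header: ports, seq, ack, offset, flags, win, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

class TinyPf:
    """One stateful 'pass' rule: a match creates state, later packets pass by state."""
    def __init__(self, spec="S/SA"):
        self.required, self.mask = parse_flags(spec)
        self.states = set()

    def filter(self, src, sport, dst, dport, segment):
        key = frozenset({(src, sport), (dst, dport)})  # same key in both directions
        if key in self.states:
            return "pass (state)"
        if flags_match(segment[13], self.required, self.mask):  # flag byte = octet 13
            self.states.add(key)
            return "pass (rule, state created)"
        return "block"

def run_handshake():
    """The S-> / <-SA / A-> exchange: only the SYN matches the rule itself."""
    pf, c, s = TinyPf("S/SA"), CLIENT, SERVER
    return [pf.filter(*c, *s, make_segment(c[1], s[1], SYN)),
            pf.filter(*s, *c, make_segment(s[1], c[1], SYN | ACK)),
            pf.filter(*c, *s, make_segment(c[1], s[1], ACK))]

def probe_without_state():
    """A bare ACK with no state is blocked; a SYN carrying ECN bits still matches S/SA."""
    pf, c, s = TinyPf("S/SA"), CLIENT, SERVER
    return [pf.filter(*c, *s, make_segment(c[1], s[1], ACK)),
            pf.filter(*c, *s, make_segment(c[1], s[1], SYN | ECE | CWR))]
```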

gani 09-21-2004 02:01 AM

Interestingly educational indeed! Thanks a lot!

This is how I finally understand iptables' -m state --state ESTABLISHED,RELATED -j ACCEPT parameter! I'm sure you could now write some reference books for non-geeks, because you were able to simplify mind-boggling things.

I will be now an OpenBSD convert. Most definitely.

Well, Slackware still has some place in my heart, especially for non-critical local servers such as SMB NT and for those who really want only Linux, the loyalists. But surely not on the front lines.

I will now resize my partitions from 5GB for OpenBSD to maybe 15GB and reduce my Slackware to just 10GB, taking 10GB out of Slackware, and boot more frequently into OpenBSD.

Expect new threads once I start with the postfix MTA.

You have become so helpful!
