Re: IP aliasing and Postfix

2010-10-26 Thread Joe Auty
Коньков Евгений wrote:
>
> # OUTGOING MAIL FROM IP
> smtp_bind_address=
>
>

Thanks, this is exactly what I needed!


-- 
Joe Auty, NetMusician
NetMusician helps musicians, bands and artists create beautiful,
professional, custom designed, career-essential websites that are easy
to maintain and to integrate with popular social networks.
www.netmusician.org 
j...@netmusician.org 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: IP aliasing and Postfix

2010-10-26 Thread Dan Nelson
In the last episode (Oct 26), Joe Auty said:
> Hello,
> 
> I have a few IP aliases set up:
> 
> em0: flags=8843 metric 0 mtu 1500
> options=9b
> ether 00:0c:29:79:d5:66
> inet  netmask 0xff80 broadcast 
> inet  netmask 0xff80 broadcast 
> inet  netmask 0xff80 broadcast 
> media: Ethernet autoselect (1000baseT )
> status: active

I usually set up aliases with a /32 netmask, which seems to be a hint to the
kernel that outgoing packets shouldn't use that IP.  I then put the correct
netmask on the "primary" ip.

-- 
Dan Nelson
dnel...@allantgroup.com


Re: IP aliasing and Postfix

2010-10-26 Thread Коньков Евгений
Hello, Joe.

You wrote on 26 October 2010, 20:52:20:

JA> Hello,

JA> I have a few IP aliases set up:

JA> em0: flags=8843 metric 0 mtu 1500
JA> options=9b
JA> ether 00:0c:29:79:d5:66
JA> inet  netmask 0xff80 broadcast 
JA> inet  netmask 0xff80 broadcast 
JA> inet  netmask 0xff80 broadcast 
JA> media: Ethernet autoselect (1000baseT )
JA> status: active


JA> How do I make address3 the ifconfig default over its aliases?


JA> The problem is, as far as mail sending goes the IP address that should
JA> be used is address3, when what is presented to my relayhost is address1.
JA> My rc.conf:

JA> ifconfig_em0="inet address3  netmask 255.255.255.128"
JA> ifconfig_em0_alias0="inet address1  netmask 255.255.255.128"
JA> ifconfig_em0_alias1="inet address2  netmask 255.255.255.128"


JA> How do I get Postfix to use address3 in sending out mail? If I set
JA> Postfix's myhostname to a FQDN that resolves as address3,
JA> inet_interfaces will not work when set to:

JA> inet_interfaces = $myhostname

JA> it needs to be set to:

JA> inet_interfaces = $myhostname, localhost


JA> I see nothing in Postfix that would explain why Postfix is glomming onto
JA> address1, which makes me think that perhaps this is a BSD ifconfig thing
JA> and it is glomming onto the first address it finds associated with my
JA> em0 interface, which if the ifconfig and its IP order means anything, is
JA> address1? Does this make sense?

JA> Any way to set the default here?


# OUTGOING MAIL FROM IP
smtp_bind_address=



-- 
Best regards,
 Коньков  mailto:kes-...@yandex.ru



IP aliasing and Postfix

2010-10-26 Thread Joe Auty
Hello,

I have a few IP aliases set up:

em0: flags=8843 metric 0 mtu 1500
options=9b
ether 00:0c:29:79:d5:66
inet  netmask 0xff80 broadcast 
inet  netmask 0xff80 broadcast 
inet  netmask 0xff80 broadcast 
media: Ethernet autoselect (1000baseT )
status: active


How do I make address3 the ifconfig default over its aliases?


The problem is, as far as mail sending goes the IP address that should
be used is address3, when what is presented to my relayhost is address1.
My rc.conf:

ifconfig_em0="inet address3  netmask 255.255.255.128"
ifconfig_em0_alias0="inet address1  netmask 255.255.255.128"
ifconfig_em0_alias1="inet address2  netmask 255.255.255.128"


How do I get Postfix to use address3 in sending out mail? If I set
Postfix's myhostname to a FQDN that resolves as address3,
inet_interfaces will not work when set to:

inet_interfaces = $myhostname

it needs to be set to:

inet_interfaces = $myhostname, localhost


I see nothing in Postfix that would explain why Postfix is glomming onto
address1, which makes me think that perhaps this is a BSD ifconfig thing
and it is glomming onto the first address it finds associated with my
em0 interface, which if the ifconfig and its IP order means anything, is
address1? Does this make sense?

Any way to set the default here?





-- 
Joe Auty, NetMusician
NetMusician helps musicians, bands and artists create beautiful,
professional, custom designed, career-essential websites that are easy
to maintain and to integrate with popular social networks.
www.netmusician.org 
j...@netmusician.org 



Re: Jails and IP Aliasing

2008-07-08 Thread David Allen
On Tue, Jul 8, 2008 at 9:35 AM, Matthew Seaman
<[EMAIL PROTECTED]> wrote:
> David Allen wrote:
>
>> There was a post recently (Matthew Seaman's name comes to mind) that
>> suggested binding jails to addresses in the loopback range and then
>> using firewall rules to redirect the traffic accordingly.  There's a
>> possibility that may help in this case, but that layer of added
>> complexity isn't much of an improvement over seeing connections with
>> seemingly identical endpoints and interpreting the results in my head.
>
> Guilty as charged M'lud.

Stand up, fool, lest I be forced to lower my knee and acknowledge your presence
in a manner befitting a man as yourself.

> However what I recommended was a more-than-slightly hacky way to achieve
> three things:
>
>  * Something like a loopback address inside the jail.  It may be
>127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
>to use it for loopback style things.
>
>  * The ability to map several IPs onto the jailed system by use of
>NAT and redirect within firewall rules
>
>  * The ability to have a jail with /no/ external IP for when the
>paranoia becomes unbearable[*].

It could be said that those three expand into more numerous
achievements.  I'm still debating the "more-than-slightly hacky" aspects
of such an arrangement, but undeniably it's interesting enough.

> Of course, all this will be immediately obsoleted by Marco Zec's work
> on virtualizing the IP stack.  http://imunes.tel.fer.hr/virtnet/

Promising, even exciting, but I'm having trouble deciding whether I
declare a victory for the triumph of optimism over experience, or
offer the comment that the Real Soon Now schedule is a disappointment?
Seriously, though, jails can be seen as the greatest thing since sliced bread,
but I have this nagging feeling I'm at work writing a small book that details
their niggly shortcomings, a book whose completion, I hope, will be cut
short by the addition of New and Improved features.


Re: Jails and IP Aliasing

2008-07-08 Thread Mel
On Tuesday 08 July 2008 11:24:33 Mel wrote:
> On Monday 07 July 2008 18:51:33 David Allen wrote:
> > Granted, everything is really happening over the loopback address, but a
> > connection originating from the jailhost to a jail should appear to be
> > using the jailhost's IP address, or so I'd like to think.  If it doesn't,
> > then the scenario is awkward at best when trying to understand or debug
> > issues.
>
> To debug this, you need to 'add jail support to sockstat'. This sounds
> hard, and it is

It's actually not that hard, though it stretches the output width. Diff 
inlined below sig, for RELENG_7. 

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.

Index: sockstat.c
===
RCS file: /home/ncvs/src/usr.bin/sockstat/sockstat.c,v
retrieving revision 1.17
diff -u -r1.17 sockstat.c
--- sockstat.c  16 Jun 2007 20:24:55 -  1.17
+++ sockstat.c  8 Jul 2008 19:40:11 -
@@ -94,6 +94,11 @@
struct sock *next;
 };
 
+struct procinfo {
+   const char *procname;
+   int jid;
+};
+
 #define HASHSIZE 1009
 static struct sock *sockhash[HASHSIZE];
 
@@ -513,13 +518,16 @@
return xprintf("%s:%d", addrstr, port);
 }
 
-static const char *
-getprocname(pid_t pid)
+static int
+getprocinfo(pid_t pid, struct procinfo *pi_ptr)
 {
static struct kinfo_proc proc;
size_t len;
int mib[4];
 
+   if( pi_ptr == NULL )
+   return -1;
+
mib[0] = CTL_KERN;
mib[1] = KERN_PROC;
mib[2] = KERN_PROC_PID;
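Review bot: the new NULL guard in getprocinfo() is written `if( pi_ptr == NULL )`, which does not match the spacing used by the surrounding code (`if (errno != ESRCH)` a few lines further down). Please write it as `if (pi_ptr == NULL)`, and settle on one return style for the function, since this path uses `return -1;` while the success path added below uses `return (0);`. As the only caller in this patch passes the address of a local variable, the guard could also simply be dropped.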
@@ -529,9 +537,12 @@
/* Do not warn if the process exits before we get its name. */
if (errno != ESRCH)
warn("sysctl()");
-   return ("??");
+   return -1;
}
-   return (proc.ki_comm);
+   pi_ptr->procname = proc.ki_comm;
+   pi_ptr->jid = proc.ki_jid;
+
+   return (0);
 }
 
 static int
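Review bot: `pi_ptr->procname = proc.ki_comm;` hands the caller a pointer into this function's `static struct kinfo_proc proc`, so the name is silently overwritten by the next getprocinfo() call. The caller in this patch prints the name straight away, which is safe, but nothing in struct procinfo says the pointer is only valid until the next call. Either state that in a comment on the struct, or make procname a char array and copy ki_comm into it.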
@@ -564,11 +575,12 @@
struct passwd *pwd;
struct xfile *xf;
struct sock *s;
+   struct procinfo pi;
void *p;
int hash, n, pos;
 
-   printf("%-8s %-10s %-5s %-2s %-6s %-21s %-21s\n",
-   "USER", "COMMAND", "PID", "FD", "PROTO",
+   printf("%-8s %-10s %-5s %-5s %-2s %-6s %-21s %-21s\n",
+   "USER", "COMMAND", "PID", "JID", "FD", "PROTO",
"LOCAL ADDRESS", "FOREIGN ADDRESS");
setpassent(1);
for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) {
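Review bot: the JID column is added to the header line unconditionally, so the default output becomes wider and every column after PID moves, which breaks anything that parses sockstat output by field position. Consider putting the column behind a new command-line option and leaving the default layout unchanged. The patch touches only sockstat.c, so the manual page also needs a matching update.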
@@ -583,33 +595,41 @@
if (!check_ports(s))
continue;
pos = 0;
+   if( -1 == getprocinfo(xf->xf_pid, &pi) )
+   {
+   pi.procname = "??";
+   pi.jid = -1;
+   }
if ((pwd = getpwuid(xf->xf_uid)) == NULL)
pos += xprintf("%lu", (u_long)xf->xf_uid);
else
pos += xprintf("%s", pwd->pw_name);
while (pos < 9)
pos += xprintf(" ");
-   pos += xprintf("%.10s", getprocname(xf->xf_pid));
+   pos += xprintf("%.10s", pi.procname);
while (pos < 20)
pos += xprintf(" ");
pos += xprintf("%lu", (u_long)xf->xf_pid);
while (pos < 26)
pos += xprintf(" ");
+   pos += xprintf("%u", pi.jid);
+   while (pos < 32)
+   pos += xprintf(" ");
pos += xprintf("%d", xf->xf_fd);
-   while (pos < 29)
+   while (pos < 35)
pos += xprintf(" ");
pos += xprintf("%s", s->protoname);
if (s->vflag & INP_IPV4)
pos += xprintf("4");
if (s->vflag & INP_IPV6)
pos += xprintf("6");
-   while (pos < 36)
+   while (pos < 42)
pos += xprintf(" ");
switch (s->family) {
case AF_INET:
case AF_INET6:
pos += printaddr(s->family, &s->laddr);
-   while (pos < 58)
+   while (pos < 64)
pos += xprintf(" ");
pos += printaddr(s->family, &s->faddr);
break;
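Review bot: `pos += xprintf("%u", pi.jid);` prints a field declared as `int jid` with an unsigned conversion, and the fallback a few lines above sets `pi.jid = -1` when getprocinfo() fails, so a process that exits during the scan is shown as 4294967295 and overruns the six-character JID column. Use `%d`, or print a placeholder for the unknown case as is done with "??" for the process name. The added `if( -1 == getprocinfo(xf->xf_pid, &pi) )` block also puts its opening brace on its own line, unlike the rest of this loop.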


Re: Jails and IP Aliasing

2008-07-08 Thread Chris St Denis

Daniel Gerzo wrote:
> Hello,
>
>>   * Something like a loopback address inside the jail.  It may be
>>     127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
>>     to use it for loopback style things.
>>
>>   * The ability to map several IPs onto the jailed system by use of
>>     NAT and redirect within firewall rules
>>
>>   * The ability to have a jail with /no/ external IP for when the
>>     paranoia becomes unbearable[*].
>
> Most of this is actually implemented by [EMAIL PROTECTED] You can find some
> patches at http://sources.zabbadoz.net/freebsd/jail.html

These patches (in various forms) have been around since version 4.x. Why
has none of this functionality ever been committed to head?



Re: Jails and IP Aliasing

2008-07-08 Thread Daniel Gerzo

Hello,

>* Something like a loopback address inside the jail.  It may be
>  127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
>  to use it for loopback style things.
> 
>* The ability to map several IPs onto the jailed system by use of
>  NAT and redirect within firewall rules
> 
>* The ability to have a jail with /no/ external IP for when the
>  paranoia becomes unbearable[*].

Most of this is actually implemented by [EMAIL PROTECTED] You can find some
patches at http://sources.zabbadoz.net/freebsd/jail.html

-- 
Best regards,
  Daniel Gerzo



Re: Jails and IP Aliasing

2008-07-08 Thread Matthew Seaman

David Allen wrote:

> There was a post recently (Matthew Seaman's name comes to mind) that
> suggested binding jails to addresses in the loopback range and then
> using firewall rules to redirect the traffic accordingly.  There's a
> possibility that may help in this case, but that layer of added
> complexity isn't much of an improvement over seeing connections with
> seemingly identical endpoints and interpreting the results in my head.

Guilty as charged M'lud.

However what I recommended was a more-than-slightly hacky way to achieve 
three things:


  * Something like a loopback address inside the jail.  It may be
127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
to use it for loopback style things.

  * The ability to map several IPs onto the jailed system by use of
NAT and redirect within firewall rules

  * The ability to have a jail with /no/ external IP for when the
paranoia becomes unbearable[*].

Of course, all this will be immediately obsoleted by Marco Zec's work
on virtualizing the IP stack.  http://imunes.tel.fer.hr/virtnet/

Cheers,

Matthew

[*] Combine this with a Hardware Load Balancer that does Direct Server
Return and you can have a publicly accessible jailed server with /no 
external IP address/.  


--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: Jails and IP Aliasing

2008-07-08 Thread David Allen
On Tue, Jul 8, 2008 at 2:24 AM, Mel <[EMAIL PROTECTED]> wrote:
> On Monday 07 July 2008 18:51:33 David Allen wrote:
>
>> Granted, everything is really happening over the loopback address, but a
>> connection originating from the jailhost to a jail should appear to be
>> using the jailhost's IP address, or so I'd like to think.  If it doesn't,
>> then the scenario is awkward at best when trying to understand or debug
>> issues.
>
> To debug this, you need to 'add jail support to sockstat'. This sounds hard,
> and it is, but you can fake it, since sockstat gives you the PID. With a
> little creative scripting, you can call `ps -o state' for each PID in the
> list, look for the capital 'J' and if it is, add the 'J' to the line.

Been there and done that.  When I first started working with jails, I
discovered that most standard utilities didn't offer any support for
jails, and chaining commands got to be really old fast.   I ended up
writing a few Perl scripts and routinely use those instead.  IIRC,
there's a jail-related port that offers a collection of something
similar.

Still, we're talking about a very limited subset of tools and
functionality.  What about tcpdump?  Or firewall rules?  Or any other
network tool?

There was a post recently (Matthew Seaman's name comes to mind) that
suggested binding jails to addresses in the loopback range and then
using firewall rules to redirect the traffic accordingly.  There's a
possibility that may help in this case, but that layer of added
complexity isn't much of an improvement over seeing connections with
seemingly identical endpoints and interpreting the results in my head.

>> The thought occurred to me, however, that I could add a new network card
>> and reserve that for the IP aliases needed by the jails.  But I'm not sure
>> whether that will work in telling me who's who, or whether I'll discover
>> another gotcha.  ;-)
>
> It will add more gotcha's, unless you put each network card in a different
> network. With the IP's given here, you tell the host that 10.0.1.0/24 is on
> fxp0, so it will never go to fxp1 for 10.0.1.4.

You're probably right.  I'm wondering, though, if by moving the jails
into their own network space and adding routing into the mix, the end
result may be more satisfactory?

Setting aside the fun of mental gymnastics, the conclusion seems to be
don't run anything on the jail host that would initiate a connection
to a service running inside a jail.  Unless, of course, you don't mind
being confused (at least from a networking perspective) by WTF you're
seeing.  ;-)

Either way, thanks very much for the input.


Re: Jails and IP Aliasing

2008-07-08 Thread David Allen
On Mon, Jul 7, 2008 at 2:01 PM, George Hartzell <[EMAIL PROTECTED]> wrote:
>
> Did you take the necessary steps to restrict the IP addresses on which
> sendmail on the host and the jail listen?  The jail man page only
> says:

I don't think anyone would get too far with jails in general if the
jail host wasn't properly configured beforehand.  To answer your
question, sendmail on the jail host is listening to the loopback
address only.  And to the extent it's not redundant or meaningless,
within each jail, sendmail is configured to listen to the jail's IP
address only.

Regrettably, the problem isn't specific to sendmail or any other
service, as an ssh connection would exhibit identical behaviour.  Put
simply, all connections from the jail host to any jail are reported as
using that jail's IP address only.  Doesn't matter if you're viewing the
state from the perspective of the jail host, or from within the jail
itself.   Both ends of the connection have the same IP address.


Re: Jails and IP Aliasing

2008-07-08 Thread Ivailo Tanusheff
No, I am right.
Try it yourself and you will see that solves the issue. I have several 
jails on different machines and this way the system works without any 
error or problem.
Try it and see it :)

Regards,

Ivailo Tanusheff




Mel <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08.07.2008 12:38

To: freebsd-questions@freebsd.org
cc:
Subject: Re: Jails and IP Aliasing

On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
> Hi,
>
> I guess the problem is with your netmask and respectively the broadcast
> addresses for the jails.
> It should be:
>
> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.4 netmask 0xff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have 255.255.255.255
netmask.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Jails and IP Aliasing

2008-07-08 Thread Mel
On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
> Hi,
>
> I guess the problem is with your netmask and respectively the broadcast
> addresses for the jails.
> It should be:
>
> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.4 netmask 0xff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have 255.255.255.255 
netmask.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Jails and IP Aliasing

2008-07-08 Thread Mel
On Monday 07 July 2008 18:51:33 David Allen wrote:

> Granted, everything is really happening over the loopback address, but a
> connection originating from the jailhost to a jail should appear to be
> using the jailhost's IP address, or so I'd like to think.  If it doesn't,
> then the scenario is awkward at best when trying to understand or debug
> issues.

To debug this, you need to 'add jail support to sockstat'. This sounds hard, 
and it is, but you can fake it, since sockstat gives you the PID. With a 
little creative scripting, you can call `ps -o state' for each PID in the 
list, look for the capital 'J' and if it is, add the 'J' to the line.

> The thought occurred to me, however, that I could add a new network card
> and reserve that for the IP aliases needed by the jails.  But I'm not sure
> whether that will work in telling me who's who, or whether I'll discover
> another gotcha.  ;-)

It will add more gotcha's, unless you put each network card in a different 
network. With the IP's given here, you tell the host that 10.0.1.0/24 is on 
fxp0, so it will never go to fxp1 for 10.0.1.4.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
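
The `ps -o state` workaround Mel describes above, written out as a shell filter. This is an added example, not code from the thread: it reads sockstat output, looks up each PID's state once, and appends `J` to lines owned by a jailed process. The function names, the sample sockstat lines and the stubbed process states are constructed for illustration, and it assumes the PID is the third whitespace-separated field.

```shell
#!/bin/sh
# Added example (not from the thread): mark sockstat lines owned by jailed
# processes, using the 'J' flag in the ps(1) state column on FreeBSD.

# State string for one PID; prints nothing if the process already exited.
proc_state() {
    ps -o state= -p "$1" 2>/dev/null
}

# annotate_jailed [lookup_fn]
# Filter: sockstat output on stdin, same lines on stdout with " J" appended
# when the owning PID is jailed. lookup_fn defaults to proc_state; a stub can
# be passed for offline runs. Assumes PID is the third whitespace field.
annotate_jailed() {
    _aj_lookup=${1:-proc_state}
    _aj_cache=" "                       # " pid:state pid:state " lookup cache
    while IFS= read -r _aj_line || [ -n "$_aj_line" ]; do
        set -f                          # sockstat prints "*:*"; do not glob it
        set -- $_aj_line
        set +f
        _aj_pid=${3:-}
        case $_aj_pid in
            ''|*[!0-9]*)                # header or malformed line: pass through
                printf '%s\n' "$_aj_line"
                continue ;;
        esac
        case $_aj_cache in
            *" $_aj_pid:"*)             # already looked up (one PID, many sockets)
                _aj_state=${_aj_cache#*" $_aj_pid:"}
                _aj_state=${_aj_state%% *} ;;
            *)
                _aj_state=$("$_aj_lookup" "$_aj_pid" </dev/null | tr -d '[:space:]') || _aj_state=''
                _aj_cache="$_aj_cache$_aj_pid:$_aj_state " ;;
        esac
        case $_aj_state in
            *J*) printf '%s J\n' "$_aj_line" ;;
            *)   printf '%s\n' "$_aj_line" ;;
        esac
    done
}

# Constructed sample, modelled on the sockstat output quoted in this thread:
# a jailed sendmail on 10.0.1.5 and a telnet client started on the jail host.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   16594 4  tcp4   10.0.1.5:25           *:*
root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25
root     sendmail   812   4  tcp4   127.0.0.1:25          *:*
EOF
}

# Constructed stand-in for ps(1): only PID 16594 carries the jail flag.
sample_state() {
    case $1 in
        16594) echo "SsJ" ;;
        16593) echo "S+" ;;
        812)   echo "Ss" ;;
    esac
}

# Live use on a jail host:   sh thisfile live
# With no argument, run on the constructed sample instead.
case ${1:-demo} in
    live) sockstat -4 | annotate_jailed ;;
    demo) sample_sockstat | annotate_jailed sample_state ;;
esac
```

On the sample, both ends of the port 25 connection show 10.0.1.5, and the trailing `J` is what tells the jailed sendmail apart from the telnet client running on the host.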


Re: Jails and IP Aliasing

2008-07-08 Thread Ivailo Tanusheff
Hi,

I guess the problem is with your netmask and respectively the broadcast
addresses for the jails.
It should be:

inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255
inet 10.0.1.4 netmask 0xff00 broadcast 10.0.1.255

Regards,

Ivailo Tanusheff
Deputy Head of IT Department
ProCredit Bank (Bulgaria) AD




Jason Morgan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07.07.2008 21:01

To: FreeBSD Questions
cc:
Subject: Re: Jails and IP Aliasing

Hello,

On 2008.07.07 09:51:33, David Allen wrote:
> Unless I'm losing my mind, I'm encountering what seems to be yet another
> gotcha with jails.  The following has been dumbed down for clarity and
> brevity.
> 
> -
> # hostname
> jailhost.example.org
> 
> # host jailhost
> jailhost.example.org has address 10.0.1.2
> 
> # ifconfig fxp0
> fxp0: flags=8843 metric 0 mtu 1500
> options=b
> ether 00:07:e9:c8:2e:32
> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
> inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
> media: Ethernet autoselect (100baseTX )
> status: active

This is the output for my jail interface. Notice that your jail
aliases are broadcasting on the jail's IP. I don't know if this is an
issue or not (my jails run on i386 FBSD 6.3), but it's something to
look at. How are you setting the aliases?

sk0: flags=8843 mtu 1500
 options=b
 inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
 inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
 inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
 ether xx:xx:xx:xx:xx:xx
 media: Ethernet autoselect (1000baseTX )
 status: active

Cheers,
~Jason


Re: Jails and IP Aliasing

2008-07-07 Thread Matthew Seaman

Jason Morgan wrote:
> On 2008.07.07 12:16:44, David Allen wrote:
>
>> # grep fxp0 /etc/rc.conf
>> ifconfig_fxp0="inet 10.0.1.2 netmask 0xff00"
>> ifconfig_fxp0_alias0="10.0.1.3 netmask 0x"
>> ifconfig_fxp0_alias1="10.0.1.4 netmask 0x"
>> ifconfig_fxp0_alias2="10.0.1.5 netmask 0x"
>>
>> My understanding from the handbook is that the mask should be set to all
>> ones if the alias is for an address that's part of the same network.  For
>> a different segment, it's the first alias that should be set to the real
>> netmask, with any additional aliases using a netmask of all ones.
>>
>> Granted, the broadcast addresses look odd.  If my programming skills
>> were better, I'd just read through the code and understand what's really
>> happening, but for now, I'm just taking the FreeBSD folks at their word at
>> following instructions.  That's a roundabout way of saying I think your
>> aliases are set up incorrectly.  ;-)
>
> That is quite possible (I do notice the newer documentation calling
> for netmask 0x). But I have never had any trouble over the
> last three years so, you know how it is, if it ain't (too) broke ...


Using a /32 netmask for aliases in the same network as the primary
address used to be mandatory until sometime during the 6.x RELEASE
series.  It is still recommended in the various documentation, and
it does make it clear to the administrator which is the primary
address when looking at ifconfig output, when that distinction is
important[*].

Using the 'natural' netmask for the network the aliases are part of
has worked for several years: this seems to be what most new users
expect and it's familiar for users of other operating systems.  As
far as I know, there is no technical or performance reason to prefer
one style over the other -- just a matter of administrator preference.

Cheers,

Matthew

[*] ie. which is the source address used for connection /from/ the
server.  If all the aliases are used for jails, or all your software
is configured to bind to one or other of the addresses this doesn't
come into play.

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW





Re: Jails and IP Aliasing

2008-07-07 Thread George Hartzell

Did you take the necessary steps to restrict the IP addresses on which
sendmail on the host and the jail listen?  The jail man page only
says:

 To configure sendmail(8), it is necessary to modify
 /etc/mail/sendmail.cf.

but you'll probably end up adjusting the DAEMON_OPTIONS lines of your
sendmail.mc (freebsd.mc, freebsd.submit.mc) and recreating your cf
files.

g.



Re: Jails and IP Aliasing

2008-07-07 Thread Jason Morgan
On 2008.07.07 12:16:44, David Allen wrote:
> On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan
> <[EMAIL PROTECTED]> wrote:
> > On 2008.07.07 09:51:33, David Allen wrote:
> >> Unless I'm losing my mind, I'm encountering what seems to be yet another
> >> gotcha with jails.  The following has been dumbed down for clarity and
> >> brevity.
> >>
> >> -
> >> # hostname
> >> jailhost.example.org
> >>
> >> # host jailhost
> >> jailhost.example.org has address 10.0.1.2
> >>
> >> # ifconfig fxp0
> >> fxp0: flags=8843 metric 0 mtu 1500
> >> options=b
> >> ether 00:07:e9:c8:2e:32
> >> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> >> inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
> >> inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
> >> media: Ethernet autoselect (100baseTX )
> >> status: active
> >
> > This is the output for my jail interface. Notice that your jail
> > aliases are broadcasting on the jail's IP. I don't know if this is an
> > issue or not (my jails run on i386 FBSD 6.3), but it's something to
> > look at. How are you setting the aliases?
> >
> > sk0: flags=8843 mtu 1500
> > options=b
> > inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
> > inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
> > inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
> > ether xx:xx:xx:xx:xx:xx
> > media: Ethernet autoselect (1000baseTX )
> > status: active
> 
> My own aliases:
> 
> # grep fxp0 /etc/rc.conf
> ifconfig_fxp0="inet 10.0.1.2 netmask 0xff00"
> ifconfig_fxp0_alias0="10.0.1.3 netmask 0x"
> ifconfig_fxp0_alias1="10.0.1.4 netmask 0x"
> ifconfig_fxp0_alias2="10.0.1.5 netmask 0x"
> 
> My understanding from the handbook is that the mask should be set to all
> ones if the alias is for an address that's part of the same network.  For
> a different segment, it's the first alias that should be set to the real
> netmask, with any additional aliases using a netmask of all ones.
> 
> > Granted, the broadcast addresses look odd.  If my programming skills
> were better, I'd just read through the code and understand what's really
> happening, but for now, I'm just taking the FreeBSD folks at their word at
> following instructions.  That's a roundabout way of saying I think your
> aliases are set up incorrectly.  ;-)

That is quite possible (I do notice the newer documentation calling
for netmask 0x). But I have never had any trouble over the
last three years so, you know how it is, if it ain't (too) broke ...

> If you're not seeing the behaviour I'm seeing, do let me know.  But to
> clarify with a concrete example, the following is what I see on the
> jailhost (10.0.1.2) when it connects to port 25 on one of the
> jails (10.0.1.5).
> 
> # tcpdump -nqti lo0 port 25
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> 
> # netstat -nf inet
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
> tcp4   0  0  10.0.1.5.2510.0.1.5.62110 ESTABLISHED
> tcp4   0  0  10.0.1.5.62110 10.0.1.5.25ESTABLISHED
> 
> # sockstat -4 -p 25
> USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
> root sendmail   16594 1  tcp4   10.0.1.5:25   10.0.1.5:62110
> root sendmail   16594 4  tcp4   10.0.1.5:25   10.0.1.5:62110
> root sendmail   16594 7  tcp4   10.0.1.5:25   10.0.1.5:62110
> root telnet 16593 3  tcp4   10.0.1.5:6211010.0.1.5:25
> 
> Why the jailhost is suddenly using the jail's IP address is beyond me.

I am actually getting the same results when telnetting to port 25 on
my mailserver jail. Someone else here should be able to offer better
advice. Sorry, I couldn't help.

Good luck,
~Jason


Re: Jails and IP Aliasing

2008-07-07 Thread David Allen
On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan
<[EMAIL PROTECTED]> wrote:
> On 2008.07.07 09:51:33, David Allen wrote:
>> Unless I'm losing my mind, I'm encountering what seems to be yet another
>> gotcha with jails.  The following has been dumbed down for clarity and
>> brevity.
>>
>> -
>> # hostname
>> jailhost.example.org
>>
>> # host jailhost
>> jailhost.example.org has address 10.0.1.2
>>
>> # ifconfig fxp0
>> fxp0: flags=8843 metric 0 mtu 1500
>> options=b
>> ether 00:07:e9:c8:2e:32
>> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
>> inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
>> inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
>> media: Ethernet autoselect (100baseTX )
>> status: active
>
> This is the output for my jail interface. Notice that your jail
> aliases are broadcasting on the jail's IP. I don't know if this is an
> issue or not (my jails run on i386 FBSD 6.3), but it's something to
> look at. How are you setting the aliases?
>
> sk0: flags=8843 mtu 1500
> options=b
> inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
> inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
> inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
> ether xx:xx:xx:xx:xx:xx
> media: Ethernet autoselect (1000baseTX )
> status: active

My own aliases:

# grep fxp0 /etc/rc.conf
ifconfig_fxp0="inet 10.0.1.2 netmask 0xff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0x"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0x"
ifconfig_fxp0_alias2="10.0.1.5 netmask 0x"

My understanding from the handbook is that the mask should be set to all
ones if the alias is for an address that's part of the same network.  For
a different segment, it's the first alias that should be set to the real
netmask, with any additional aliases using a netmask of all ones.

Granted, the broadcast addresses look odd.  If my programming skills
were better, I'd just read through the code and understand what's really
happening, but for now, I'm just taking the FreeBSD folks at their word and
following instructions.  That's a roundabout way of saying I think your
aliases are set up incorrectly.  ;-)

If you're not seeing the behaviour I'm seeing, do let me know.  But to
clarify with a concrete example, the following is what I see on the
jailhost (10.0.1.2) when it connects to port 25 on one of the
jails (10.0.1.5).

# tcpdump -nqti lo0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0

# netstat -nf inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address    Foreign Address  (state)
tcp4       0      0  10.0.1.5.25      10.0.1.5.62110   ESTABLISHED
tcp4       0      0  10.0.1.5.62110   10.0.1.5.25      ESTABLISHED

# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   16594 1  tcp4   10.0.1.5:25      10.0.1.5:62110
root     sendmail   16594 4  tcp4   10.0.1.5:25      10.0.1.5:62110
root     sendmail   16594 7  tcp4   10.0.1.5:25      10.0.1.5:62110
root     telnet     16593 3  tcp4   10.0.1.5:62110   10.0.1.5:25

Why the jailhost is suddenly using the jail's IP address is beyond me.


Re: Jails and IP Aliasing

2008-07-07 Thread Jason Morgan
Hello,

On 2008.07.07 09:51:33, David Allen wrote:
> Unless I'm losing my mind, I'm encountering what seems to be yet another
> gotcha with jails.  The following has been dumbed down for clarity and
> brevity.
> 
> -
> # hostname
> jailhost.example.org
> 
> # host jailhost
> jailhost.example.org has address 10.0.1.2
> 
> # ifconfig fxp0
> fxp0: flags=8843 metric 0 mtu 1500
> options=b
> ether 00:07:e9:c8:2e:32
> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
> inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
> media: Ethernet autoselect (100baseTX )
> status: active

This is the output for my jail interface. Notice that your jail
aliases are broadcasting on the jail's IP. I don't know if this is an
issue or not (my jails run on i386 FBSD 6.3), but it's something to
look at. How are you setting the aliases?

sk0: flags=8843 mtu 1500
 options=b
 inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
 inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
 inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
 ether xx:xx:xx:xx:xx:xx
 media: Ethernet autoselect (1000baseTX )
 status: active

Cheers,
~Jason


Jails and IP Aliasing

2008-07-07 Thread David Allen
Unless I'm losing my mind, I'm encountering what seems to be yet another
gotcha with jails.  The following has been dumbed down for clarity and
brevity.

-
# hostname
jailhost.example.org

# host jailhost
jailhost.example.org has address 10.0.1.2

# ifconfig fxp0
fxp0: flags=8843 metric 0 mtu 1500
options=b
ether 00:07:e9:c8:2e:32
inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
media: Ethernet autoselect (100baseTX )
status: active

# grep jail /etc/rc.conf
...
jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
...
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"

# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   11556 4  tcp4   10.0.1.4:25      *:*
root     syslogd    10591 6  udp4   10.0.1.4:514     *:*
root     sendmail   10438 4  tcp4   10.0.1.3:25      *:*
bind     named      4011  20 udp4   10.0.1.3:53      *:*
bind     named      4011  21 tcp4   10.0.1.3:53      *:*
bind     named      4011  22 tcp4   10.0.1.3:953     *:*
root     syslogd    897   6  udp4   10.0.1.3:514     *:*
root     sshd       715   3  tcp4   10.0.1.2:22      *:*
root     syslogd    563   6  udp4   127.0.0.1:514    *:*
root     sendmail   489   4  tcp4   127.0.0.1:25     *:*

-

If I telnet from the jailhost to mail.example.org 25, for example, both
outgoing and incoming connections appear to sockstat, tcpdump, etc. on the
jailhost as using the jail's IP address!  Similarly, if I perform a DNS
lookup on the jailhost (using the ns.example.org jail for resolution),
both incoming and outgoing connections occur on the jail's IP address.

Granted, everything is really happening over the loopback address, but a
connection originating from the jailhost to a jail should appear to be
using the jailhost's IP address, or so I'd like to think.  If it doesn't,
then the scenario is awkward at best when trying to understand or debug
issues.

The thought occurred to me, however, that I could add a new network card
and reserve that for the IP aliases needed by the jails.  But I'm not sure
whether that will work in telling me who's who, or whether I'll discover
another gotcha.  ;-)

Comments, questions and complaints all welcomed.


Re: IP Aliasing

2008-04-10 Thread Jon Radel
David Allen wrote:
> This may be a dumb question, but I'm puzzled by the following (taken
> from the Virtual Hosts section in the Handbook):
> 
>   For example, consider the case where the fxp0 interface is connected
>   to two networks, the 10.1.1.0 network with a netmask of
>   255.255.255.0 and the 202.0.75.16 network with a netmask of
>       255.255.255.240.
> 
> IP aliasing I get, but two different networks on the same interface?
> What would this be plugged into to make that work?

Ethernet most likely these days.

In a perfect world, where ipv4 addresses flowed like water, everyone
managed to forecast everything perfectly, and nobody ever had to
renumber a network, I doubt there'd be much call for it.  And I'd never
want to try to make a case for it being terribly elegant.

I'm personally acquainted with a couple of cases where it comes up:

1) Multi-homed networks with ipv4 address assignments too small to do
something "real" like using BGP to advertise >= /24 to multiple ISPs.
So to talk via one ISP you use one address and via the other ISP you use
the other.

2) You need to migrate to new addresses but can't afford to shut
everything down long enough to change everything all at once.

There are others.

--Jon Radel




IP Aliasing

2008-04-10 Thread David Allen
This may be a dumb question, but I'm puzzled by the following (taken
from the Virtual Hosts section in the Handbook):

For example, consider the case where the fxp0 interface is connected
to two networks, the 10.1.1.0 network with a netmask of
255.255.255.0 and the 202.0.75.16 network with a netmask of
255.255.255.240.

IP aliasing I get, but two different networks on the same interface?
What would this be plugged into to make that work?


Re: IP Aliasing

2008-02-21 Thread Jerry McAllister
On Thu, Feb 21, 2008 at 12:07:08PM +, Siraj Shaikh wrote:

> On 29/01/2008, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> > > 1) is there an upper limit to configuring a number of alias addresses?
> >
> > I have a machine with 200+ IP without any problem.
> >
> >  > 2) if an interface is configured with an alias address, then what
> >  > address is shown on the traffic leaving this interface? So, for
> >  > example, if I were to ping this machine on its primary address, I
> >  > expect to get a response from the primary address of the interface.
> >  > What happens if I ping an alias address, would I get a response from
> >
> > By default exiting traffic is using the primary address (the one
> >  defined with no keyword alias in the ifconfig). I think there is a way
> >  to choose the exiting IP.
> >
> >  When a packet is responding, it uses the same IP that was used in the
> >  query (else any firewall would be confused in the way).
> >
> >
> >  > 3) In the above scenario, all traffic leaving the interface
> >  > (regardless of the source IP on it) will have the same MAC address
> >  > (the one of the interface) - is that right?
> >
> >
> > Right except maybe some NIC that allow several MAC addresses? That
> >  could be used in high availability?
> >
> >
> >  > 4) Does anyone know if there are any other network
> >  > characteristics or behaviour by which we can distinguish a machine
> >  > having more than one IP address (primary plus alias) configured on one
> >  > of its interface?
> >
> >
> > Once you cross a router, you don't see the MAC of the machine anymore,
> >  MAC is local to your LAN anyway.
> >
> >  Olivier
> >
> >
> >
> 
> One last thing I wanted to know (sorry to email after a long delay),
> in order for me to add aliases that I want to remain configured on the
> machine at every boot, I can simply add, for example, the following
> lines to the rc.conf file?
> 
> ifconfig_ed0_alias0="inet 127.0.0.251 netmask 0x"
> ifconfig_ed0_alias1="inet 127.0.0.252 netmask 0x"
> ifconfig_ed0_alias2="inet 127.0.0.253 netmask 0x"
> 

Looks right.  The main nasty thing is in the aliasnn, the nn must
start at 0 and be sequential - like you have it here.  But, you can't
just take one out of the middle without moving the others up to fill in.

> Just want to know, as I want to configure about 253 addresses as an
> alias on a single machine (along with the primary address, this will
> be 254 address, a whole C-class subnet) - and would like these entries
> to hold when I boot. Also, is there any shortcut to adding a range of
> net/host address or would I have to add a line for each address?

Not that I know of.
But, maybe someone has written something.

jerry

> 
> Thanks


Re: IP Aliasing

2008-02-21 Thread Siraj Shaikh
On 21/02/2008, Mel <[EMAIL PROTECTED]> wrote:
> On Thursday 21 February 2008 13:07:08 Siraj Shaikh wrote:
>
>  > ifconfig_ed0_alias0="inet 127.0.0.251 netmask 0x"
>  > ifconfig_ed0_alias1="inet 127.0.0.252 netmask 0x"
>  > ifconfig_ed0_alias2="inet 127.0.0.253 netmask 0x"
>  >
>  > Just want to know, as I want to configure about 253 addresses as an
>  > alias on a single machine (along with the primary address, this will
>  > be 254 address, a whole C-class subnet) - and would like these entries
>  > to hold when I boot. Also, is there any shortcut to adding a range of
>  > net/host address or would I have to add a line for each address?
>
>
> Yes and yes. Yes it needs one line per alias and yes, there's a shortcut:
>
>  for i in $(jot - 0 254); do
>   echo ifconfig_ed0_alias${i}="\"inet 127.0.0.$((i+1)) netmask 0x\""
>  done >>/etc/rc.conf
>
>  Wouldn't do this with 127.0.0 btw, but I figured you wouldn't. You'd also have
>  to make a provision for the main IP, but then again, it's easier to remove
>  the specific line by hand.
>  --
>
> Mel
>

Thanks Mel - very helpful indeed

Siraj


Re: IP Aliasing

2008-02-21 Thread Mel
On Thursday 21 February 2008 13:07:08 Siraj Shaikh wrote:

> ifconfig_ed0_alias0="inet 127.0.0.251 netmask 0x"
> ifconfig_ed0_alias1="inet 127.0.0.252 netmask 0x"
> ifconfig_ed0_alias2="inet 127.0.0.253 netmask 0x"
>
> Just want to know, as I want to configure about 253 addresses as an
> alias on a single machine (along with the primary address, this will
> be 254 address, a whole C-class subnet) - and would like these entries
> to hold when I boot. Also, is there any shortcut to adding a range of
> net/host address or would I have to add a line for each address?

Yes and yes. Yes it needs one line per alias and yes, there's a shortcut:

for i in $(jot - 0 254); do
  echo ifconfig_ed0_alias${i}="\"inet 127.0.0.$((i+1)) netmask 0x\""
done >>/etc/rc.conf

Wouldn't do this with 127.0.0 btw, but I figured you wouldn't. You'd also have 
to make a provision for the main IP, but then again, it's easier to remove 
the specific line by hand.
-- 
Mel
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
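
An added example, not part of any message in this thread: a portable sh take on the generator discussed above that skips the primary address, keeps the aliasN indexes sequential from 0 (the requirement Jerry McAllister describes), and reports the first hole in existing rc.conf text. The interface em0, the 192.0.2.x range and both function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration; em0, 192.0.2.x and the function names are assumptions.

# gen_aliases IFACE PREFIX FIRST LAST PRIMARY
# Print one rc.conf line per host FIRST..LAST in PREFIX.x, skipping the
# PRIMARY host (that one is configured by the plain ifconfig_IFACE line).
# The alias index advances only when a line is printed, so the numbering
# never has a hole. Same-subnet aliases get an all-ones netmask, as the
# thread recommends.
gen_aliases() {
    iface=$1 prefix=$2 host=$3 last=$4 primary=$5
    n=0
    while [ "$host" -le "$last" ]; do
        if [ "$host" -ne "$primary" ]; then
            printf 'ifconfig_%s_alias%d="inet %s.%d netmask 255.255.255.255"\n' \
                "$iface" "$n" "$prefix" "$host"
            n=$((n + 1))
        fi
        host=$((host + 1))
    done
}

# first_alias_gap IFACE   (rc.conf text on stdin)
# Print the lowest missing alias index when a higher-numbered alias
# exists; print nothing when the indexes run 0,1,2,... without a hole.
first_alias_gap() {
    sed -n "s/^ifconfig_${1}_alias\([0-9][0-9]*\)=.*/\1/p" |
        sort -n |
        awk 'BEGIN { want = 0 }
             $1 == want { want++; next }
             $1 >  want { print want; exit }'
}

# Constructed sample: primary is 192.0.2.1, aliases cover .2 to .6.
sample=$(gen_aliases em0 192.0.2 1 6 1)
printf '%s\n' "$sample"

# Deleting one line from the middle leaves a hole at index 2.
broken=$(printf '%s\n' "$sample" | grep -v '_alias2=')
echo "first gap after deleting alias2: $(printf '%s\n' "$broken" | first_alias_gap em0)"
```

Running first_alias_gap against the real /etc/rc.conf after hand-editing shows whether an alias was removed from the middle without renumbering the ones after it.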


Re: IP Aliasing

2008-02-21 Thread Siraj Shaikh
On 29/01/2008, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> > 1) is there an upper limit to configuring a number of alias addresses?
>
> I have a machine with 200+ IP without any problem.
>
>  > 2) if an interface is configured with an alias address, then what
>  > address is shown on the traffic leaving this interface? So, for
>  > example, if I were to ping this machine on its primary address, I
>  > expect to get a response from the primary address of the interface.
>  > What happens if I ping an alias address, would I get a response from
>
> By default exiting traffic is using the primary address (the one
>  defined with no keyword alias in the ifconfig). I think there is a way
>  to choose the exiting IP.
>
>  When a packet is responding, it uses the same IP that was used in the
>  query (else any firewall would be confused in the way).
>
>
>  > 3) In the above scenario, all traffic leaving the interface
>  > (regardless of the source IP on it) will have the same MAC address
>  > (the one of the interface) - is that right?
>
>
> Right except maybe some NIC that allow several MAC addresses? That
>  could be used in high availability?
>
>
>  > 4) Does anyone know if there are any other network
>  > characteristics or behaviour by which we can distinguish a machine
>  > having more than one IP address (primary plus alias) configured on one
>  > of its interface?
>
>
> Once you cross a router, you don't see the MAC of the machine anymore,
>  MAC is local to your LAN anyway.
>
>  Olivier
>
>
>

One last thing I wanted to know (sorry to email after a long delay),
in order for me to add aliases that I want to remain configured on the
machine at every boot, I can simply add, for example, the following
lines to the rc.conf file?

ifconfig_ed0_alias0="inet 127.0.0.251 netmask 0x"
ifconfig_ed0_alias1="inet 127.0.0.252 netmask 0x"
ifconfig_ed0_alias2="inet 127.0.0.253 netmask 0x"

Just want to know, as I want to configure about 253 addresses as an
alias on a single machine (along with the primary address, this will
be 254 address, a whole C-class subnet) - and would like these entries
to hold when I boot. Also, is there any shortcut to adding a range of
net/host address or would I have to add a line for each address?

Thanks


RE: IP Aliasing

2008-01-28 Thread Brent Jones
> > 2) if an interface is configured with an alias address, then what
> > address is shown on the traffic leaving this interface? So, for
> > example, if I were to ping this machine on its primary address, I
> > expect to get a response from the primary address of the interface.
> > What happens if I ping an alias address, would I get a response from
> 
> By default exiting traffic is using the primary address (the one
> defined with no keyword alias in the ifconfig). I think there is a way
> to choose the exiting IP.
> 
> When a packet is responding, it uses the same IP that was used in the
> query (else any firewall would be confused in the way).

Just a note on this question/answer:  You can configure a FreeBSD
machine to use random IP addresses from the available pool of configured
IP addresses when machines traverse the NATted firewall.  If you choose
this option, you may run into problems with people behind your
firewall/router having difficulty connecting to web sites that use
session authentication, as the IP address of the source machine will be
constantly changing with each click of links on the destination web
site.  (This caught me out for months before I realised what was
happening.)

Cheers,
Brent


Re: IP Aliasing

2008-01-28 Thread Olivier Nicole
> 1) is there an upper limit to configuring a number of alias addresses?

I have a machine with 200+ IP without any problem.

> 2) if an interface is configured with an alias address, then what
> address is shown on the traffic leaving this interface? So, for
> example, if I were to ping this machine on its primary address, I
> expect to get a response from the primary address of the interface.
> What happens if I ping an alias address, would I get a response from

By default exiting traffic is using the primary address (the one
defined with no keyword alias in the ifconfig). I think there is a way
to choose the exiting IP.

When a packet is responding, it uses the same IP that was used in the
query (else any firewall would be confused in the way).

> 3) In the above scenario, all traffic leaving the interface
> (regardless of the source IP on it) will have the same MAC address
> (the one of the interface) - is that right?

Right except maybe some NIC that allow several MAC addresses? That
could be used in high availability?

> 4) Does anyone know if there are any other network
> characteristics or behaviour by which we can distinguish a machine
> having more than one IP address (primary plus alias) configured on one
> of its interface?

Once you cross a router, you don't see the MAC of the machine anymore,
MAC is local to your LAN anyway.

Olivier


Re: IP Aliasing

2008-01-28 Thread Wojciech Puchar


> I am wondering if anyone has some experience in using it, and what I
> want to know
>
> 1) is there an upper limit to configuring a number of alias addresses?

no idea, i have 37 without problems.

> 2) if an interface is configured with an alias address, then what
> address is shown on the traffic leaving this interface? So, for
> example, if I were to ping this machine on its primary address, I
> expect to get a response from the primary address of the interface.
> What happens if I ping an alias address, would I get a response from
> this alias address (as source IP on packets?), or would I get a

yes you will get from the IP you pinged.

> 3) In the above scenario, all traffic leaving the interface
> (regardless of the source IP on it) will have the same MAC address
> (the one of the interface) - is that right?

yes.

> 4) Does anyone know if there are any other network
> characteristics or behaviour by which we can distinguish a machine
> having more than one IP address (primary plus alias) configured on one
> of its interface?

it depends how services are configured.


IP Aliasing

2008-01-28 Thread Siraj Shaikh
I have a query regarding IP aliasing in FreeBSD. I have read up on it,
this has been helpful: http://freebsd.peon.net/tutorials/6/

I am wondering if anyone has some experience in using it, and what I
want to know

1) is there an upper limit to configuring a number of alias addresses?

2) if an interface is configured with an alias address, then what
address is shown on the traffic leaving this interface? So, for
example, if I were to ping this machine on its primary address, I
expect to get a response from the primary address of the interface.
What happens if I ping an alias address, would I get a response from
this alias address (as source IP on packets?), or would I get a
response from the primary address configured for the interface?

3) In the above scenario, all traffic leaving the interface
(regardless of the source IP on it) will have the same MAC address
(the one of the interface) - is that right?

4) Does anyone know if there are any other network
characteristics or behaviour by which we can distinguish a machine
having more than one IP address (primary plus alias) configured on one
of its interface?

Thanks!

Siraj


RE: IP Aliasing Question

2004-07-08 Thread Terrence Koeman
Have you tried using:

ifconfig vr0 alias 10.0.38.237 netmask 255.0.0.0 broadcast 10.255.255.255
ifconfig vr0 alias 10.255.38.237 netmask 255.255.255.255 broadcast 10.255.255.255

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Andrew Kilpatrick
> Sent: Thursday, July 08, 2004 18:58
> To: [EMAIL PROTECTED]
> Subject: IP Aliasing Question
> 
> Hey,
> 
> What I'm trying to do involves FreeBSD and IP aliases. 
> Hopefully someone has some ideas. Here's the general idea of 
> what I'm trying to do:
> 
> I've got vr0, which is assigned to some IP address... let's 
> say: 192.168.1.90 with a subnet mask of 255.255.255.0. This 
> is all fine, and everything works.
> 
> I'm implementing a protocol called ArtNet (which I didn't 
> design) which uses 10.x.x.x network for controlling lighting. 
> It's all UDP, and uses broadcast packets to 10.255.255.255. 
> IP addresses of hosts are determined by a sort of shitty 
> algorithm based on the MAC address, and can appear anywhere 
> in the class A. This allows: a) IPv4 (yes, I know IPv6 would 
> be better) and b) autoconfiguration without the need for a 
> DHCP server. I didn't make it up, I'm just trying to make my 
> stuff work with it.
> 
> So, here's the deal I want to add 2 aliases to vr0 so 
> that I can run 2 ArtNet services on the same machine. So, the 
> aliases would look something like this:
> 
> 10.0.38.237 netmask 255.0.0.0
> 10.255.38.237 netmask 255.0.0.0
> 
> Adding the first one like this works: ipconfig vr0 inet 
> 10.0.38.237 netmask 255.0.0.0 alias
> 
> However, adding the second fails, I'm assuming because the 
> netmasks overlap. I can understand why this is so, but for my 
> application I actually want this. 
> Because programs listening on both addresses both need to 
> receive broadcast packets sent to 10.255.255.255.
> 
> So, how can this be done? Adding a second NIC is not an option.
> 
> 
> Cheers,
> 
> Andrew
> 


IP Aliasing Question

2004-07-08 Thread Andrew Kilpatrick
Hey,

What I'm trying to do involves FreeBSD and IP aliases. Hopefully someone has 
some ideas. Here's the general idea of what I'm trying to do:

I've got vr0, which is assigned to some IP address... let's say: 192.168.1.90 
with a subnet mask of 255.255.255.0. This is all fine, and everything works.

I'm implementing a protocol called ArtNet (which I didn't design) which uses 
10.x.x.x network for controlling lighting. It's all UDP, and uses broadcast 
packets to 10.255.255.255. IP addresses of hosts are determined by a sort of 
shitty algorithm based on the MAC address, and can appear anywhere in the 
class A. This allows: a) IPv4 (yes, I know IPv6 would be better) and b) 
autoconfiguration without the need for a DHCP server. I didn't make it up, 
I'm just trying to make my stuff work with it.

So, here's the deal I want to add 2 aliases to vr0 so that I can run 2 
ArtNet services on the same machine. So, the aliases would look something 
like this:

10.0.38.237 netmask 255.0.0.0
10.255.38.237 netmask 255.0.0.0

Adding the first one like this works: ipconfig vr0 inet 10.0.38.237 netmask 
255.0.0.0 alias

However, adding the second fails, I'm assuming because the netmasks overlap. I 
can understand why this is so, but for my application I actually want this. 
Because programs listening on both addresses both need to receive broadcast 
packets sent to 10.255.255.255.

So, how can this be done? Adding a second NIC is not an option.


Cheers,

Andrew



Re: IP Aliasing in rc.conf

2003-03-06 Thread Nigel Soon
I think you want this instead:

ifconfig_fxp0="inet 10.0.0.201 netmask 255.0.0.0"
ifconfig_fxp0_alias0="inet 10.0.0.211 netmask 255.255.255.255"

On Thu, 06 Mar 2003, Martyn Hill wrote:

> Hi all
> 
> Can someone confirm that the following is the correct way to implement one
> IP alias (same subnet) on a single fxp NIC in rc.conf (for the purposes of
> running a "dual samba/samba-tng" installation):
> 
> ipconfig_fxp0="inet 10.0.0.201 netmask 255.0.0.0"
> ipconfig_fxp0_alias0="inet 10.0.0.211 netmask 255.255.255.255"
> 
> Regards
> Martyn Hill
> Network Administrator
> St James Independent School
> London
> 
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message


IP Aliasing in rc.conf

2003-03-06 Thread Martyn Hill
Hi all

Can someone confirm that the following is the correct way to implement one
IP alias (same subnet) on a single fxp NIC in rc.conf (for the purposes of
running a "dual samba/samba-tng" installation):

ipconfig_fxp0="inet 10.0.0.201 netmask 255.0.0.0"
ipconfig_fxp0_alias0="inet 10.0.0.211 netmask 255.255.255.255"

Regards
Martyn Hill
Network Administrator
St James Independent School
London




Re: IP aliasing with ppp

2002-11-08 Thread Lowell Gilbert
krad <[EMAIL PROTECTED]> writes:

> hi,
>  
> I currently have a /29 assigned by my isp for my dsl. I have got my bsd box
> connecting fine and natd is working off one of the ips. I would like to bind the
> remaining 5 ips to the tun0 interface on the bsd box and enable static nating to
> certain boxes behind the firewall. I am however having problems as when I use
> ifconfig I get strange results e.g.
>  
> tun0: flags=8151 mtu 1500
> inet 123.54.67.94 --> 65.4.32.1 netmask 0xff00 
> Opened by PID 6896
> root on gateway# ifconfig tun0 alias inet 123.54.67.93
> root on gateway# ifconfig tun0
> tun0: flags=8151 mtu 1500
> inet 123.54.67.94 --> 65.4.32.1 netmask 0xff00 
> inet 192.168.0.254 --> 123.54.67.93. netmask 0xff00 
> Opened by PID 6896
> root on gateway# 
>  
> I'm not sure what's going on here but it certainly isn't correct. I have also tried
> playing around with ifalias commands in ppp with no problems. Am I going about this
> in completely the wrong way or is my syntax wrong when using ifconfig?

Well, it should include a netmask; in this case, an all-1's netmask (0x).




IP aliasing with ppp

2002-11-07 Thread krad
hi,
 
I currently have a /29 assigned by my isp for my dsl. I have got my bsd box connecting 
fine and natd is working off one of the ips. I would like to bind the remaining 5 ips 
to the tun0 interface on the bsd box and enable static nating to certain boxes behind 
the firewall. I am however having problems as when I use ifconfig I get strange 
results e.g.
 
tun0: flags=8151 mtu 1500
inet 123.54.67.94 --> 65.4.32.1 netmask 0xff00 
Opened by PID 6896
root on gateway# ifconfig tun0 alias inet 123.54.67.93
root on gateway# ifconfig tun0
tun0: flags=8151 mtu 1500
inet 123.54.67.94 --> 65.4.32.1 netmask 0xff00 
inet 192.168.0.254 --> 123.54.67.93. netmask 0xff00 
Opened by PID 6896
root on gateway# 
 
I'm not sure what's going on here but it certainly isn't correct. I have also tried 
playing around with ifalias commands in ppp with no problems. Am I going about this in 
completely the wrong way or is my syntax wrong when using ifconfig?
 
regards
 

Chris 
