February 2013

Setup a pfSense 2.0 firewall when default gateway is on a different subnet

  • Published in Pfsense
  • February 12, 2013

http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet

I have written a better article, using the firewall in transparent mode, here.

This article has been updated for pfSense 2.0. The original article about pfSense 1.2.X has moved here.

News: it looks like the OVH gateway behaves like a universal ARP proxy (or a captive portal): my OVH gateway replies to any ARP request. This means that for any given a.b.c.d/32 failover IP, I can set up a host or virtual host with a /24 mask (instead of /32) and a gateway of a.b.c.X, where X can be anything except 0, 255 or d, and it works. It works at least on the Kimsufi I tested it on, and it even works for IPs in a.b.c.0/24. I think this is how OVH sets up some (maybe all) of their routers so that failover IPs or blocks can be migrated without too much headache. What is fun is to traceroute some IPs in a.b.c.* and see that they are not directly attached to the WAN but sit behind some routers.
OVH says nothing about this setup, so the feature is amusing but cannot be used on a production server.
Be careful: if you use a wrong setup and generate a lot of unexpected ARP requests, OVH may warn you to fix the problem quickly, or even disable your network link.

If you buy a VMware server and an IP block from OVH you will be surprised, because the default gateway does not belong to the IP block. Even if this setup is unusual, it is valid and works perfectly well once you know how to configure your firewall and hosts.

This technique has some advantages for the provider or web hoster: it makes the router configuration a lot simpler (no need to set up an IP address for each underlying IP block, and routes for adjacent IP blocks can be merged) and, most important, it saves one IP address in the block.

A Windows host accepts this unusual configuration and just works; thanks Bill for this great job.

pf-shellcmd

A Linux host requires a little trick.

[root@fc6-pmx ~]# route add default gw 192.168.23.254
SIOCADDRT: Network is unreachable

Linux refuses to add the route because it does not know how to reach the gateway itself. Adding a host route to the gateway before the default route solves the problem.

[root@fc6-pmx ~]# route add -host 192.168.23.254 dev eth0
[root@fc6-pmx ~]# route add default gw 192.168.23.254

This works!

[root@fc6-pmx ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.23.254  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.23.254  0.0.0.0         UG    0      0        0 eth0

To configure a firewall, depending on the firewall, you will have to be imaginative!

Differences with the 1.2.X config

The main ideas are the same as in the previous article, but the trick used to reach the gateway is different and, in the end, a lot simpler. I recommend this setup!

Schema

Here is the schema I used to test this configuration.

Network schema

All IPs are taken from the private address ranges (RFC 1918, "Address Allocation for Private Internets"), but that is only for testing! Use the addresses you get from your provider or web hoster. In a real deployment, only 172.22.22.1 and 192.168.1.0/24 can be in a private range.

  • 192.168.23.254 is the default gateway given by my provider.
  • 10.0.0.0/24 is the IP block given by my provider. I assign it to my DMZ.
  • 192.168.1.0/24 is a virtual LAN for the machines that help configure and manage the firewall and the servers in the DMZ.

The gateway trick

Instead of creating an ARP entry with a command line at startup, I force a route to the gateway by using the route command twice. The trick is identical to the one used for Linux in the previous article. It is not possible to create such routes from the web interface, so once more the shellcmd module comes to the rescue to set up the route at startup.

To create a route to 192.168.23.254 through an interface that has no IP in this range, I use the commands:

route add -net 192.168.23.254/32 -iface em0
route add default 192.168.23.254  

The first line tells the firewall that the IP address 192.168.23.254 is reachable on the em0 side (em0 is my WAN interface); the second one uses this address as the default gateway.

This time there is no need to find the MAC address of the gateway as in the first article. But some operations, such as disabling the em0 interface or setting a default gateway, can break the trick and require reloading the route manually or rebooting the firewall.

To remove the route you can use:

route del default 192.168.23.254  
route del -net 192.168.23.254/32 -iface em0

You can create the default route as soon as you have access to the firewall, using ssh, the console, or the Command prompt in the Diagnostics menu of the web interface. To be sure the routes are there, click the Routes option in the Diagnostics menu and look for the two routes.

Routes

Be careful: you have to remove any existing default route before running these two commands!

This will not give you Internet access right away; you need some more settings.
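As an added example (not part of the original article, for either the Linux host section or the pfSense gateway trick), here is a small POSIX shell script that checks whether a gateway is on-link for an interface and, when it is not, emits the two-step route form used above: the host route to the gateway first, then the default route. It prints iproute2 commands for Linux and route(8) commands for pfSense/FreeBSD. The function names, the APPLY variable and the dry-run behaviour are my own; it assumes a 64-bit shell for the IPv4 arithmetic, and the addresses in the demonstration are the ones from the article.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a provider
# gateway is on-link for an interface and emit the matching route commands.
# Assumption: a 64-bit shell (dash/bash) so 32-bit IPv4 arithmetic does not overflow.

# ip2int DOTTED-QUAD -> prints the address as an unsigned 32-bit integer
ip2int() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask PREFIXLEN -> prints the netmask as an integer (24 -> 4294967040)
prefix2mask() {
  echo $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# on_link IFACE_IP PREFIXLEN GATEWAY -> "yes" if the gateway shares the
# interface subnet (the usual case), "no" for the provider setup described above.
on_link() {
  _ip=$(ip2int "$1"); _gw=$(ip2int "$3"); _mask=$(prefix2mask "$2")
  if [ $(( _ip & _mask )) -eq $(( _gw & _mask )) ]; then echo yes; else echo no; fi
}

# route_plan OS IFACE IFACE_IP PREFIXLEN GATEWAY -> prints the commands, one per
# line. OS is "linux" (iproute2) or "freebsd" (pfSense's route(8)). For an
# off-link gateway the host route comes first; without it Linux answers
# "Network is unreachable" and FreeBSD cannot resolve the gateway either.
route_plan() {
  _os=$1; _if=$2; _gw=$5
  case $_os in
    linux)
      [ "$(on_link "$3" "$4" "$_gw")" = no ] && echo "ip route replace $_gw/32 dev $_if"
      echo "ip route replace default via $_gw dev $_if" ;;
    freebsd)
      [ "$(on_link "$3" "$4" "$_gw")" = no ] && echo "route add -net $_gw/32 -iface $_if"
      echo "route add default $_gw" ;;
    *) echo "unknown OS: $_os" >&2; return 1 ;;
  esac
}

# apply_plan OS IFACE IFACE_IP PREFIXLEN GATEWAY: run the plan only when
# APPLY=1 is set in the environment; otherwise print it (dry run).
apply_plan() {
  route_plan "$@" | while IFS= read -r _cmd; do
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$_cmd"; else echo "dry-run: $_cmd"; fi
  done
}

# Demonstration with the article's addresses: DMZ 10.0.0.1/24 and WAN
# 172.22.22.1 with the provider gateway 192.168.23.254, plus an ordinary
# on-link LAN gateway for comparison (192.168.1.1 is a constructed value).
apply_plan linux eth0 10.0.0.1 24 192.168.23.254
apply_plan freebsd em0 172.22.22.1 24 192.168.23.254
apply_plan linux eth0 192.168.1.10 24 192.168.1.1
```

Run it as root with APPLY=1 to execute the commands; without it the script only prints them. On Linux, `ip route replace` is used so an existing default route is overwritten rather than rejected; on pfSense the caveat above still applies: remove any existing default route first. iproute2 also accepts `ip route add default via GW dev IF onlink` as a one-line alternative to the separate host route.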

The WAN interface

I don't want to waste an IP address, so I choose a completely unrelated address, 172.22.22.1, and don't set up any gateway because the job is already done by the two commands above.

WAN config

The DMZ interface (OPT1)

This is where the servers with a public address live. I give the 10.0.0.1 address to the firewall; this will be the default gateway for servers in the DMZ, but also the public IP of the firewall on the WAN side.

DMZ config

The LAN interface

The LAN can be used if you need additional hosts that don't need to be reachable from the Internet but are required to manage the DMZ, or for any other purpose. These hosts can access the DMZ (and vice versa when required). This is where I put a virtual machine to configure this firewall. Machines in this zone can be reached from the Internet too; see later.

LAN config

I keep the default settings of the firewall for this interface.

Setup the Proxy ARP

The 10.0.0.0/24 subnet is on the DMZ side. To let the firewall reply to ARP requests for these addresses on the WAN interface, we have to add a proxy ARP entry.

Proxy ARP

I do it for the whole subnet at once; in the previous article I did it address by address. This is faster, but it also works around a bug (or a feature) in 2.0 that forbids using an address already assigned to an interface. I am thinking of the DMZ address 10.0.0.1. It is possible to get around this by creating the proxy ARP entry before assigning the address to the DMZ interface, but using a subnet here avoids the problem altogether!

Masquerade the source address

For now, packets leaving the firewall have source address 172.22.22.1, so replies will never come back! We need to rewrite the source address of packets leaving the firewall. I use hide NAT (outbound NAT) to give them the 10.0.0.1 address. I assign this address to packets coming from the firewall itself, but also to masquerade the LAN zone.

Outbound NAT 1

Here are the details for the LAN; the config for the firewall itself is similar.

Outbound NAT 2

Now any packet from the firewall or from hosts on the LAN leaves the firewall with address 10.0.0.1.

Double-check the rules for the LAN, and be sure the "Default allow LAN to any" rule permits outgoing connections:

Rules LAN

Don't hesitate to be stricter: for example, my second rule blocks port 25 to the Internet but not to the DMZ. Here I allow all protocols except a few, but the right way to configure a firewall is to block all traffic by default and permit only the protocols you need.

The gateway: trick part 2

Now the firewall and the LAN have Internet access, at least once you have set up your DNS. You can now make the gateway trick permanent. You need to install the shellcmd package. Version 0.5 is for pfSense 1.0 but works well with 2.0 too. Install it from the package manager in the System menu!

Package Manager

Then, in the Services menu, select the Shellcmd option and set up the two commands:

Shellcmd

The DMZ zone (OPT1)

To use your DMZ you have to add filter rules that allow packets to leave the DMZ towards the WAN side. Here for outgoing packets...

DMZ outgoing rule

Here I block packets to the LAN, because the DMZ is no more than a part of the Internet itself: any access to the LAN from the DMZ or from the Internet must be carefully thought through.

... and here incoming packets to my public web server 10.0.0.2 (the first rule)!

WAN Incoming rule

Create other rules for the other servers and services inside your DMZ!

Because we are using routing, we don't need any NAT rules between WAN and DMZ!

The LAN already has full access to the DMZ because of the "Default allow LAN to any" rule seen previously!

The LAN zone

If you need to reach some resources inside your LAN from the Internet, you can forward some ports from address 10.0.0.1. Here I forward RDP to my Windows host 192.168.1.100:

LAN NAT

Double-check that pfSense has created the appropriate filter rules.

WAN incoming rules

That's it!

The final touch

There are lots of other things to say and to do, but this is not a firewall tutorial. Anyway, I was very impatient to try the new Floating tab in the Rules screen! I have added a rule to let DMZ hosts reply to ping requests. Here it is:

Allows ICMP echo request

Before the Floating tab, you had to duplicate some rules in each interface tab. This made pfSense 1.2.X a bit unsuitable for configurations with lots of interfaces and rules!

Add IP fail-over

If you need to manage IP fail-over inside this configuration, take a look at this post.

Advantages of this configuration

The biggest advantage of this configuration is the use of routing instead of NAT to forward packets. The others are:

  • this config gives the hosts in your DMZ and your LAN the usual network settings (a gateway in the same subnet).
  • this config is based on routing instead of NAT, which avoids problems with NAT-sensitive protocols such as FTP, PPTP, ...
  • NAT drops a connection if no packets go through it for too long. Routing doesn't, and doesn't require any keep-alive band-aid!
  • the hosts in your DMZ use their public IP addresses, which keeps things simple and avoids confusion.
  • the LAN reaches your DMZ using the public IP addresses.
  • no need to define NAT rules; only the filter rules are required.
  • reduced memory and CPU usage on the firewall.

Hope this helps!


pfSense: enable the WAN using the shell

  • Published in Pfsense
  • February 12, 2013

* Install pfSense on your target machine.

* Unless your WAN gets a DHCP address, you will need to assign the IP address of the WAN interface manually:
  --> Get to the CLI (option 8)
  --> Type "ifconfig en0 10.20.30.40 netmask 255.255.255.248" (substitute en0 with your WAN interface and use the correct IP address/mask)
  --> Type "route add default <default-gw-ip>"
  --> Type "pfctl -d" to temporarily disable the packet filter

* Point your browser to your WAN IP address, then log in as admin/pfsense.

* Once you have done your initial configuration, MAKE SURE to enable the packet filter again (CLI --> "pfctl -e"); while pf is disabled the firewall passes all traffic unfiltered.

[2.0-RC1][root@<hostname>]/root(1): netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
82.53.4.204        link#2             UHS         0        0    lo0 =>
82.53.4.204/32     link#2             U           0        0    em1
85.37.17.57        00:0e:0c:dc:c7:d7  UHS         0        2    em1
127.0.0.1          link#5             UH          0      131    lo0
192.168.0.0/24     link#1             U           0      384    em0
192.168.0.253      link#1             UHS         0        0    lo0

The difference between the two Linux reboot commands: reboot and init 6

  • Published in CentOS 6
  • February 10, 2013

The init command is used to change the operating system's run level.
init 6 restarts the machine.
reboot also restarts the machine.
So what is the difference between these two commands?
Running man on the two commands shows the following:
"init 6" relies on the /etc/inittab file, and every application has a corresponding shutdown script.
'init 6' calls a series of shutdown scripts (/etc/rc0.d/K*) to shut the system down gracefully;
'reboot' does not go through these steps; reboot is more of a kernel-level command and does not run the applications' shutdown scripts.
Under normal circumstances we should use init 6.
reboot - reboot performs a sync(1M) operation on the disks, and then a
multi-user reboot is initiated. See init(1M) for details.
init 6 - Stop the operating system and reboot to the
state defined by the initdefault entry in
/etc/inittab.
Use reboot when something has gone wrong or a forced restart is needed.

Howto disable IPv6 on CentOS 6.3 or Red Hat (RHEL) 6.3

  • Published in CentOS 6
  • February 10, 2013

1. Check IPv6 on your Centos or RHEL Server

[root@Centos6 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:55:52:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.112/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20c:29ff:fe55:5241/64 scope link
valid_lft forever preferred_lft forever
[root@Centos6 ~]#

2. Disable IPv6 on your server

[root@Centos6 ~]# vi /etc/modprobe.d/disable-ipv6.conf
install ipv6 /bin/true
[root@Centos6 ~]# vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=Centos6.3
GATEWAY=192.168.0.1
[root@Centos6 ~]# echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
[root@Centos6 ~]# init 6

3. Check your IP Address on your server after reboot

[root@Centos6 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:55:52:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.112/24 brd 192.168.0.255 scope global eth0
[root@Centos6 ~]#

That's all. Thanks for using IThelpblog.com.

CentOS 6: disable IPv6

  • Published in CentOS 6
  • February 10, 2013

How to disable IPv6

Append the following to the end of /etc/modprobe.d/dist.conf:

alias net-pf-10 off
alias ipv6 off

You can use an editor such as vi, or do it from the command line:

[root@localhost ~]# cat <<EOF>>/etc/modprobe.d/dist.conf
alias net-pf-10 off
alias ipv6 off
EOF

find -mtime: finding files modified within n days of the current time

  • Published in CentOS 6
  • February 3, 2013

find DIR -mtime 0    finds files modified within the last 24 hours (DIR is the directory to search)

From the find man page:

     Search for files in your home directory which have been modified in the last twenty-four hours. This command works this way because the time since each file was last modified is divided by 24 hours and any remainder is discarded. That means that to match -mtime 0, a file will have to have a modification in the past which is less than 24 hours ago.

find DIR -mtime +n    finds files modified more than n days ago

e.g. n=2:    find DIR -mtime +2

If the current time is 2012-11-10 10:00, then counting from two days before that, find DIR -mtime +2 finds every file modified before 2012-11-07 10:00, going further back in time (see the timeline diagram from 鸟哥 referenced below).

find DIR -mtime -n    finds files modified within the last n days

e.g. n=2:    find DIR -mtime -2. Counting from two days before the current time (2012-11-10 10:00), find DIR -mtime -2 finds every file modified since 2012-11-07 10:00, moving towards the present.
find DIR -mtime n    finds files modified within the 24-hour window that begins n days ago

e.g. n=2: if the current time is 2012-11-10 10:00, two days back is 2012-11-07 10:00; taking that as the reference point, every file modified within the following 24 hours, from 2012-11-07 10:00 to 2012-11-08 10:00, is found.
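Added example (not from the original post), in POSIX shell with GNU coreutils/findutils: it creates a temporary directory of files whose constructed ages straddle the 24-hour boundaries, then shows which files each -mtime form (0, n, -n, +n) selects, so the "remainder is discarded" rule from the man page can be seen directly. DIR stands for the directory being searched; make_fixture, mtime_match and age_days are my own helper names.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway directory of
# files with known ages and show which ones each -mtime form selects.
# Assumes GNU coreutils/findutils (touch -d @EPOCH, date +%s, stat -c %Y).

# make_fixture -> prints the path of a new temp dir holding files named by age.
make_fixture() {
  _dir=$(mktemp -d)
  _now=$(date +%s)
  # Constructed ages in hours, chosen to sit on both sides of 24h multiples:
  # 1h -> day 0, 30h -> day 1, 50h and 70h -> day 2, 80h -> day 3.
  for _h in 1 30 50 70 80; do
    touch -d "@$(( _now - _h * 3600 ))" "$_dir/age_${_h}h"
  done
  echo "$_dir"
}

# mtime_match DIR EXPR -> prints the basenames selected by "find DIR -mtime EXPR",
# sorted and space-separated (empty when nothing matches).
mtime_match() {
  find "$1" -type f -mtime "$2" | sed 's|.*/||' | sort | tr '\n' ' ' | sed 's/ *$//'
}

# age_days FILE -> the integer "days" find works with: (now - mtime) / 86400,
# with the remainder dropped, exactly as the man page describes.
age_days() {
  echo $(( ($(date +%s) - $(stat -c %Y "$1")) / 86400 ))
}

# Demonstration: one line per -mtime form.
_d=$(make_fixture)
for _e in 0 1 2 -2 +2 +0; do
  printf 'find DIR -mtime %-3s -> %s\n' "$_e" "$(mtime_match "$_d" "$_e")"
done
rm -rf "$_d"
```

The age_70h file is the instructive one: 70 hours is 2.9 days, but find drops the remainder, so the file counts as exactly 2 days old. -mtime 2 selects it, -mtime -2 does not (its age is not less than 2), and -mtime +2 does not either; +2 only selects files at least 72 hours old, here age_80h.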