Darren Reed | 1 Apr 2005 10:14

Re: Problems with ipnat on NetBSD 2.0.2

>    In NetBSD 2.0.x, there is ipfilter 4.1.3.  On my NetBSD 2.0.x router,
> I have ipfilter installing IPv6 rules, and IPv4 rules, and I have ipnat
> configured to do NATing.
> 
>    Amongst the rules I have in my ipnat.conf, I have:
> 
> # Redirect outgoing HTTP queries to the squid cache
> rdr vlan1 0/0 port 80 -> 127.0.0.1 port 3128 tcp
> 
>    This works just fine for IPv4.  However, it appears that it is
> attempting to do this port map, erroneously, on IPv6 as well.  My
> ipf6.conf logs blocked outgoing packets, and sees:
..

This has already been raised and when 4.1.8 gets imported into -current,
a fix will show up there soon.

If you plan to stick with 2.0.x then it may be necessary to roll a patch
and send that to releng.

Darren

Water NB | 1 Apr 2005 15:31

How to bind IP to MAC?

My NetBSD box is i386/2.0.2.
A test PC's IP is 192.168.0.5, its MAC is 22:33:44:55:66:77.
I use "arp -s 192.168.0.5 22:33:44:55:66:77" to bind it.
But when I change my test PC's IP, I find another ARP entry in my box,
and the test PC can still connect to the NetBSD box.
How can I?

Chris Ross | 1 Apr 2005 16:42

Re: Problems with ipnat on NetBSD 2.0.2


On Apr 1, 2005, at 03:14, Darren Reed wrote:
>
> This has already been raised and when 4.1.8 gets imported into 
> -current,
> a fix will showup there soon.
>
> If you plan to stick with 2.0.x then it may be necessary to roll a 
> patch
> and send that to releng.

   I'm definitely wanting to stick with something stable.  Once a 2.1
makes it out, I may go there, but I'll definitely stay in 2.x for the
foreseeable future.

   Could you direct me as to where changes need to be made?
I'd be happy to make them, and roll a PR up to get this fixed in
netbsd-2 and netbsd-2-0.

   Thanks.

                                           - Chris

Miles Nordin | 1 Apr 2005 17:58

Re: How to bind IP to MAC?

>>>>> "wn" == Water NB <netbsd78 <at> 126.com> writes:

    wn> "arp -s 192.168.0.5 22:33:44:55:66:77" to bind it.  but when i
    wn> change my test PC's IP, I found another ARP entry in my box.
    wn> and test PC still can connect netbsd box.  how can i?

This arp -s ... should make it impossible for someone running ettercap
to hide 192.168.0.5's traffic from the intended recipient by
associating some other MAC address with 192.168.0.5, although I
haven't tested this.

As far as filtering incoming packets nothing will help.

As far as disabling ARP to prevent that MAC from getting assigned to
some other IP address, 'arp -s' won't do anything.  I tried to do this
myself for some hacker conference, and couldn't make it work.  The
ifconfig -arp flag does nothing.  What happens if you remove the
cloning route to the network, like 'route delete -net 192.168.0.0
-netmask 255.255.255.0'?  Can you still have static link-layer routes
without that route?

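
An added example (not code from any post in this thread) of auditing a
NetBSD ARP table against bindings pinned with `arp -s`.  It distinguishes
the two conditions discussed above: a pinned IP being re-bound to another
MAC (what a static entry protects against) and the pinned MAC turning up
under a second IP (the entry the original poster saw, which a static entry
does nothing about).  The `arp -an` line format, interface name, addresses
and MACs are assumptions; the sample table is constructed, not captured.

```python
"""Audit a NetBSD ARP table against administrator-pinned IP/MAC bindings.

Added example, not code from the thread. It parses text in the style of
`arp -an` (format assumed; adjust ARP_LINE for your release) and reports:
  ip-rebound   - a pinned IP now maps to a different MAC;
  mac-reused   - the pinned MAC has appeared under another IP, which
                 `arp -s` cannot prevent;
  shared-mac   - any other MAC answering for several IPs.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample in the style of `arp -an` on NetBSD; not real output.
SAMPLE_ARP_OUTPUT = """\
? (192.168.0.1) at 00:11:22:33:44:55 on wm0
? (192.168.0.5) at 22:33:44:55:66:77 on wm0 permanent
? (192.168.0.9) at 22:33:44:55:66:77 on wm0
? (192.168.0.20) at 0:11:22:33:44:55 on wm0
"""

# Bindings installed with `arp -s <ip> <mac>` (hypothetical test host).
PINNED = {"192.168.0.5": "22:33:44:55:66:77"}

# hostname (ip) at mac on ifname [permanent|expires ...]; MAC octets may be
# printed without leading zeros, so accept 1 or 2 hex digits per octet.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}|\(incomplete\)) "
    r"on (?P<ifc>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)


def norm_mac(mac):
    """Canonical lower-case, zero-padded form so 0:11:... equals 00:11:..."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_arp(text):
    """Return (ip, mac, interface, permanent) tuples; skip incomplete entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group("mac").lower() == "(incomplete)":
            continue
        entries.append((m.group("ip"), norm_mac(m.group("mac")),
                        m.group("ifc"), "permanent" in m.group("rest")))
    return entries


def audit(entries, pinned):
    """Compare the live table with pinned bindings; return (kind, ip, mac) findings."""
    findings = []
    by_ip = {ip: (mac, perm) for ip, mac, _ifc, perm in entries}
    by_mac = defaultdict(set)
    for ip, mac, _ifc, _perm in entries:
        by_mac[mac].add(ip)
    pinned = {ip: norm_mac(mac) for ip, mac in pinned.items()}

    for ip, mac in pinned.items():
        live = by_ip.get(ip)
        if live is None:
            findings.append(("missing-static", ip, mac))
        elif live[0] != mac:
            findings.append(("ip-rebound", ip, live[0]))      # poisoning symptom
        elif not live[1]:
            findings.append(("not-permanent", ip, mac))       # can be overwritten
        for other in sorted(by_mac.get(mac, ())):
            if other != ip:
                findings.append(("mac-reused", other, mac))

    pinned_macs = set(pinned.values())
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and mac not in pinned_macs:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings


def audit_live(pinned):
    """Run the real `arp -an` (BSD syntax) and audit its output."""
    out = subprocess.run(["arp", "-an"], capture_output=True,
                         text=True, check=True).stdout
    return audit(parse_arp(out), pinned)


if __name__ == "__main__":
    for kind, ip, mac in audit(parse_arp(SAMPLE_ARP_OUTPUT), PINNED):
        print("%-14s %-26s %s" % (kind, ip, mac))
```

Run against the constructed sample it reports mac-reused for 192.168.0.9
and shared-mac for the pair using 00:11:22:33:44:55; `audit_live(PINNED)`
does the same against the running box.  Note that a MAC serving several
IPs can also be a legitimate router with aliases, so shared-mac is a lead,
not a verdict.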
Julian Coleman | 2 Apr 2005 19:14

More UDP checksum trouble

In January, there was a thread entitled "UDP checksum trouble in -current"
where corrupted UDP checksums were observed on the wire.  A workaround was
to set:

  sysctl -w net.inet.udp.do_loopback_cksum=1

and a possible patch was posted in:

  http://mail-index.NetBSD.org/tech-net/2005/01/20/0000.html

I see the same problem as the original poster but with bridge + ipf (I'm
running 3.0 beta), so I think we need something like this patch applied.

J

-- 
  My other computer also runs NetBSD    /        Sailing at Newbiggin
        http://www.netbsd.org/        /   http://www.newbigginsailingclub.org/
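
An added example, not code from this thread or from NetBSD, for checking
the kind of corruption reported above independently of the kernel that
emitted the packet: it recomputes the RFC 768 UDP checksum (over the IPv4
pseudo-header) for a raw IPv4+UDP packet such as the bytes `tcpdump -x`
shows, and also validates the IPv4 header checksum.  Addresses, ports and
payload are constructed test data, and the layout assumes no IPv4 options
on the packets it builds.

```python
"""Compute and verify RFC 768 UDP checksums inside IPv4 frames.

Added example; not code from the thread or from NetBSD.
"""
import socket
import struct

IPPROTO_UDP = 17


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, udp_len):
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len))


def udp_checksum(src, dst, segment):
    """Checksum a UDP segment (header + payload); the checksum field is ignored."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed)) & 0xFFFF
    return csum or 0xFFFF     # 0 on the wire means "no checksum", so send 0xFFFF


def verify_udp(src, dst, segment):
    """'ok', 'none' (field is zero, permitted over IPv4) or 'bad'."""
    if len(segment) < 8:
        return "bad"
    length, csum = struct.unpack("!HH", segment[4:8])
    if length != len(segment):
        return "bad"
    if csum == 0:
        return "none"
    # With the transmitted checksum included, the sum must come out all ones.
    total = ones_complement_sum(pseudo_header(src, dst, length) + segment)
    return "ok" if total == 0xFFFF else "bad"


def build_udp(src, dst, sport, dport, payload):
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src, dst, segment)) + payload


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64):
    """Minimal IPv4 header (no options) in front of a checksummed UDP segment."""
    udp = build_udp(src, dst, sport, dport, payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl,
                      IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ipcsum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", ipcsum) + hdr[12:] + udp


def verify_frame(raw):
    """Check an IPv4+UDP packet as captured: 'ok', 'none', 'bad', 'bad-ip' or 'not-udp'."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return "bad"
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or total_len > len(raw) or total_len < ihl + 8:
        return "bad"
    if ones_complement_sum(raw[:ihl]) != 0xFFFF:
        return "bad-ip"
    if raw[9] != IPPROTO_UDP:
        return "not-udp"
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    return verify_udp(src, dst, raw[ihl:total_len])


if __name__ == "__main__":
    frame = build_ipv4_udp("192.0.2.1", "192.0.2.2", 1234, 53, b"hi")
    print(frame.hex(), verify_frame(frame))
```

Feed `verify_frame` the raw bytes of a captured packet (strip the link-layer
header first) and a result of "bad" for traffic the sender's stack thinks
it checksummed is the symptom this thread is about.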

David Young | 3 Apr 2005 03:18

Teredo client/server/relay for NetBSD?

Does anybody have a Teredo client/server/relay implementation for NetBSD?
Or any other means for IPv6 to traverse NATs?

All that I have found on the web are miredo (GPL'd userland
implementation for Linux/FreeBSD) and ng_teredo (FreeBSD implementation
using netgraph).  It looks like I may have to adapt ng_teredo into a
NetBSD pseudo-interface.  (Alas, that is not a project I have time to
do right now!)

Dave

-- 
David Young             OJC Technologies
dyoung <at> ojctech.com      Urbana, IL * (217) 278-3933

Hubert Feyrer | 3 Apr 2005 03:21

Re: Teredo client/server/relay for NetBSD?

On Sat, 2 Apr 2005, David Young wrote:
> Or any other means for IPv6 to traverse NATs?
                          ^^^^^^^^^^^^^^^^^^^^^
What does that mean?

  - Hubert

-- 
NetBSD - Free AND Open!      (And of course secure, portable, yadda yadda)

David Young | 3 Apr 2005 03:35

Re: Teredo client/server/relay for NetBSD?

On Sun, Apr 03, 2005 at 03:21:47AM +0200, Hubert Feyrer wrote:
> On Sat, 2 Apr 2005, David Young wrote:
> >Or any other means for IPv6 to traverse NATs?
>                          ^^^^^^^^^^^^^^^^^^^^^
> What does that mean?

My "customers" have cheap home gateways that translate the private numbers
on their home network (192.168.x/24) to a single globally routable IPv4
number on their DSL/cable modem.  I want to assign IPv6 numbers to the
IPv6 routers at customers' homes, so that I can address them individually
and log into them with ssh from "headquarters."  Problem is, the IPv6
packets have to cross the IPv4 Internet, and they also have to cross
the customer's NAT.  Teredo is designed to do that.

Does that make any more sense?

Dave

-- 
David Young             OJC Technologies
dyoung <at> ojctech.com      Urbana, IL * (217) 278-3933

YAMAMOTO Takashi | 3 Apr 2005 08:26

IFCAP_CSUM_xxx

hi,

If no one objects,
I'll decouple tx and rx of all IFCAP_CSUM_ flags.

eg.
	obsolete IFCAP_CSUM_IPv4
	introduce IFCAP_CSUM_IPv4_Rx and IFCAP_CSUM_IPv4_Tx instead.

YAMAMOTO Takashi

Hubert Feyrer | 3 Apr 2005 12:37

Re: Teredo client/server/relay for NetBSD?

On Sat, 2 Apr 2005, David Young wrote:
> Does that make any more sense?

Yes.

Can you run something like 6to4 (NetBSD's stf(4)) on the NAT router?
Works fine for me, and I can access all machines with IPv6 behind the
(v4) NAT router from outside.

Documentation for 6to4 is here:
http://www.netbsd.org/guide/en/chap-net-misc.html#chap-net-misc-ipv6-6to4
You may find the pkgsrc/net/hf6to4 pkg useful.

There are other approaches that use "fixed" v6 numbers with "tunnel
brokers", but I've never used them. They all need to run on the NAT
router though.

Looking at Teredo[1] it seems to tunnel the v6 packets similar to 6to4, but
uses a NAT-friendlier encapsulation (v4 UDP instead of some non-IP
protocol, that's unlikely to be handled by NAT).

  - Hubert

-- 
NetBSD - Free AND Open!      (And of course secure, portable, yadda yadda)
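
An added example, not code from this thread or from NetBSD, miredo or
ng_teredo, showing the concrete difference behind the 6to4-versus-Teredo
exchange above: a 6to4 prefix is derived from the public IPv4 address the
tunnel endpoint itself owns (which is why the stf(4) endpoint has to sit
on the NAT router), while a Teredo address embeds the server address plus
the client's mapped IPv4 address and UDP port as the server saw them from
outside the NAT, which is what lets a relay reach a client behind one.
The addresses and port are constructed from RFC 5737 documentation ranges,
and the flags field is assumed to be zero.

```python
"""Derive and decode 6to4 (RFC 3056) and Teredo (RFC 4380) IPv6 addresses.

Added example; not code from the thread or from any of the projects named.
"""
import ipaddress
import socket
import struct

SIXTO4_PREFIX = 0x2002 << 112            # 2002::/16
TEREDO_PREFIX = 0x20010000 << 96         # 2001:0000::/32
PROTO_IPV6_IN_IPV4 = 41                  # 6to4 outer packet: IP protocol 41
TEREDO_UDP_PORT = 3544                   # Teredo outer packet: UDP, server port


def ipv4_to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ipv4(n):
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def sixto4_prefix(public_ipv4):
    """2002:WWXX:YYZZ::/48 for the public IPv4 address WW.XX.YY.ZZ."""
    return ipaddress.IPv6Network((SIXTO4_PREFIX | (ipv4_to_int(public_ipv4) << 80), 48))


def parse_6to4(addr):
    """Recover the IPv4 tunnel endpoint from a 6to4 address."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 112 != 0x2002:
        raise ValueError("not a 6to4 address: %s" % addr)
    return int_to_ipv4(n >> 80)


def teredo_address(server_ipv4, mapped_ipv4, mapped_port, flags=0):
    """RFC 4380 s.4 layout: prefix | server v4 | flags | ~mapped port | ~mapped v4.

    mapped_ipv4/mapped_port are the client's external mapping as observed by
    the Teredo server. Both are stored bit-inverted so a NAT that rewrites
    its own address inside payloads does not mangle them. flags is 0 here
    (assumption; the cone bit semantics were later revised by RFC 5991).
    """
    n = (TEREDO_PREFIX
         | ipv4_to_int(server_ipv4) << 64
         | (flags & 0xFFFF) << 48
         | ((mapped_port ^ 0xFFFF) & 0xFFFF) << 32
         | (ipv4_to_int(mapped_ipv4) ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(n)


def parse_teredo(addr):
    """Return (server_ipv4, mapped_ipv4, mapped_port, flags) from a Teredo address."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 96 != 0x20010000:
        raise ValueError("not a Teredo address: %s" % addr)
    server = int_to_ipv4(n >> 64)
    flags = (n >> 48) & 0xFFFF
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
    client = int_to_ipv4((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return server, client, port, flags


def outer_encapsulation(addr):
    """What the IPv4 side of the tunnel carries, i.e. what a home NAT must pass."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 112 == 0x2002:
        return "ipv4 proto %d" % PROTO_IPV6_IN_IPV4
    if n >> 96 == 0x20010000:
        return "udp port %d" % TEREDO_UDP_PORT
    return "native"


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.45"))
    t = teredo_address("192.0.2.45", "198.51.100.10", 40000)
    print(t, parse_teredo(str(t)), outer_encapsulation(str(t)))
```

Decoding a Teredo address with `parse_teredo` is also a quick way to see
which server a host is using and what its NAT mapping looks like, since all
of that is carried in the address itself.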
