netbsd-ml | 5 Jan 15:05 2003

qube2 as firewall

Hello,

I'm trying to set up a qube2 as a firewall
but it's not working correctly.
The installation went fine and I built a
custom kernel for my needs.
But it seems to have trouble when passing
packets from one nic to the other after
some time.
I tried with and without any firewall rule
(except nat) and also with a 3c905 nic (ex0)
instead of the second built-in nic (tlp1).
The nat is configured like this:
map tlp1 192.168.1.0/24 -> 0/32
map ex0 192.168.1.0/24 -> 0/32
because I use dhcp to connect to the internet.
Has anyone succeeded in setting up a firewall
or gateway using this hardware?
I haven't found anything yet in the ml archives.
Thanks.

btw: Happy new year 8)

Chris Pinnock | 5 Jan 15:52 2003

Re: qube2 as firewall

On Sun, Jan 05, 2003 at 03:05:31PM +0100, netbsd-ml <at> bikochan.net wrote:
> Hello,
> 
> But it seems to have troubles when passing
> packets from one nic to the other after
> some time.

You need to add "options GATEWAY" to your kernel. This enables 
IP_FORWARDING and increases the size of NMBCLUSTERS.

Without rebuilding your kernel, you can enable IP_FORWARDING at any time 
by using sysctl(3) with the variable net.inet.ip.forwarding.

best wishes,
Chris
Mind | 10 Jan 10:12 2003

It Works!!!

Got my qube running with a 120 Gig drive and NetBSD.
I'm loving it! What a great little machine! All it
needed was a decent OS and a big giant disk.

Thanks to all who helped out. I'm in the process of
writing some install instructions
based on my experience. I'll post again once they are
online.

One more question. I'm really tempted to add a 2nd 120
Gig drive. I'm not worried about heat (drive runs
pretty cool) or noise (quietest drive I've ever heard)
but I don't want to cook the tiny power supply on the
qube.

Is anyone out there running two drives yet?

Thanks all, you rule!

-Mind


netbsd-cobalt | 12 Jan 15:59 2003

ipf and ftp proxy

Hi

I'm using a qube2/netbsd as a firewall and noticed
a security advisory about ipfilter versions prior
to 3.4.29 (the default installed system runs 3.4.27).
So I downloaded netbsd-current from the cvs to
upgrade. But it fails to compile, complaining about
the toolchain utilities it seems.
The error is:
(${TOOLCHAIN_MISSING} != "yes")
make: "/usr/src.cvs/tools/Makefile" line 9: if-less endif
make: "/usr/src.cvs/tools/Makefile" line 9: Need an operator
make: Fatal errors encountered -- cannot continue
make: "/usr/share/mk/bsd.own.mk" line 92: warning: "cd
/usr/src.cvs/tools && make -V .OBJDIR" returned non-zero status
make: don't know how to make cleanall. Stop

make: stopped in /usr/src.cvs/usr.sbin/ipf

I read somewhere in this ml that /bin/sh was troublesome
sometimes, so I temporarily replaced it with bash2.
It goes further but still fails with a similar error.

My question is "how do you successfully compile netbsd-current from cvs?"

Thanks.

Andre


Jake Baillie | 14 Jan 20:33 2003

patched kernel mentioned in faq

Hi All,

I'm following the instructions in the FAQ for installing without a serial cable. Step #7 under the section "Prepare the Netboot Host" states that I should retrieve a patched kernel from this location:

http://heorot.stanford.edu/tedu/netbsd.gz

Unfortunately, it appears that host no longer has a DNS entry. :) Any idea where I might be able to obtain this patched kernel?

Thanks!

Ted Unangst | 14 Jan 22:24 2003

Re: patched kernel mentioned in faq

On Tue, 14 Jan 2003, Jake Baillie wrote:

> http://heorot.stanford.edu/tedu/netbsd.gz
>
> Unfortunately, it appears that host no longer has a DNS entry. :) Any idea
> where I might be able to obtain this patched kernel?

Yeah, I'm not running a server now for a while.  Can someone remove that
from the FAQ to prevent confusion?

You can try cross-compiling a kernel from another netbsd system, but I've
never done that.

--
"I read a funny story about how the Republicans freed the slaves.
The Republicans are the ones who created slavery by law in the
1600's.  Abraham Lincoln freed the slaves and he was not a
Republican."
      - M. Barry, Mayor of Washington, DC

Daniel Ouellet | 14 Jan 22:45 2003

RE: patched kernel mentioned in faq

If that can help you get started, you can get one from here:

http://realconnect.com/NetBSD/

There is the old Linux stuff as well.

After your box is working, replace it with the original from the NetBSD
site.

Hope this helps.

Daniel

PS: As usual, no warranty applies, etc..... Just there to help without any
other implied reason.

> -----Original Message-----
> From: port-cobalt-owner <at> netbsd.org [mailto:port-cobalt-owner <at> netbsd.org]
> On Behalf Of Ted Unangst
> Sent: Tuesday, January 14, 2003 4:25 PM
> To: Jake Baillie
> Cc: port-cobalt <at> netbsd.org
> Subject: Re: patched kernel mentioned in faq
>
> On Tue, 14 Jan 2003, Jake Baillie wrote:
>
> > http://heorot.stanford.edu/tedu/netbsd.gz
> >
> > Unfortunately, it appears that host no longer has a DNS entry. :) Any idea
> > where I might be able to obtain this patched kernel?
>
> Yeah, I'm not running a server now for a while.  Can someone remove that
> from the FAQ to prevent confusion?
>
> You can try cross-compiling a kernel from another netbsd system, but I've
> never done that.
>
>
> --
> "I read a funny story about how the Republicans freed the slaves.
> The Republicans are the ones who created slavery by law in the
> 1600's.  Abraham Lincoln freed the slaves and he was not a
> Republican."
>       - M. Barry, Mayor of Washington, DC

Jake Baillie | 15 Jan 03:44 2003

RE: patched kernel mentioned in faq

At 04:45 PM 1/14/2003 -0500, Daniel Ouellet wrote:
>If that can help you get started, you can get one from here:
>
>http://realconnect.com/NetBSD/
>
>There is the old Linux stuff as well.
>
>After your box is working, replace it with the original from the NetBSD
>site.
>
>Hope this helps.

Well, I retrieved the kernel. I have some fun issues, now.

I have a raq2 mips. Dual Ethernet, 30 GB maxtor hard drive. Runs CobaltOS 
just fine, and I want to put NetBSD on there just to get to learn NetBSD (I 
know, start on i386, but I don't listen well. :)).

I followed the netboot directions at the bottom of the FAQ to the letter. I 
fired up tcpdump, reset the box using the left and right keys, and tailed 
my messages log for dhcpd messages. Both tcpdump and dhcpd on the host see 
the cobalt, acknowledge its request for both the IP address and nfs 
request, and the cobalt requests the kernel.

No problem up until this point. Then, after about 30 seconds of network 
activity, the cobalt seemed to just start CobaltOS. Weird. I tried again, 
no luck.

So, I hooked up a console. Ran "bfd /boot/vmlinux_raq-2800.gz 
nfsroot=/nfsroot" and watched it do its magic. It decompressed the kernel, 
went to town on the network again, and then the son-of-a-bitch rebooted. 
Which explains the appearance of it "just starting" CobaltOS.

Any ideas why it just might reboot like that?

TIA,
Jake 

Jake Baillie | 15 Jan 05:42 2003

RE: patched kernel mentioned in faq

[snip]
> 
> Cobalt Microserver Diagnostics - 'We serve it, you surf it'
> 
> Built Tue May 25 15:58:41 PDT 1999
> 
>  1.LCD Test................................PASS
>  2.Controller Test.........................PASS
>  5.Bank 0:.................................64M
>  6.Bank 1:.................................0M
>  7.Bank 2:.................................0M
>  8.Bank 3:.................................0M
>  9.Serial Test.............................PASS
> 10.PCI Expansion Slot....................**EMPTY**
> 12.IDE Test................................PASS
> 13.Ethernet Test...........................PASS
> 16.RTC Test................................PASS
> 
> Cobalt: bfd /Kevin/netbsd.gz /nfsroot=/nfsroot Decompressing
> -\|/-\|/-\|/-\| done
> Executing bootloader kernel...
> Decompressing
> -/-\|/-\|/-\|/-\|/-\|/-\|/-\|/- done.

I get to this point ^^^^^^^^. Exceptions:

a) My RAM is different. I have 160 MB.
b) My bfd command is: "bfd /boot/vmlinux_raq-2800.gz nfsroot=/nfsroot". 
Yes, my NFS share is accessible and the file is there, because I can 
see the raq transfer the file with NFS (using tcpdump on the host 
machine).
c) I never receive the "done" message after the bootloader kernel 
decompression. It just reboots, and puts me back into diagnostics mode, 
ready to boot the regular kernel unless I interrupt it again.

Weird. Thanks for the help so far.

Julien Rampon | 15 Jan 11:16 2003

Re: patched kernel mentioned in faq

On Tue, 14 Jan 2003 23:42:48 EST (-0500)
"Jake Baillie" <jake <at> priva.com> wrote:

Hi ,
> 
> a) My RAM is different. I have 160 MB.

The diagnostic is done by the cobalt's BIOS, so if it sees 64Mb, you've certainly got a problem with your RAM,
not from the OS

> b) My bfd command is: "bfd /boot/vmlinux_raq-2800.gz nfsroot=/nfsroot". 
> Yes, my NFS share is accessible and the file is there, because I can 
> see the raq transfer the file with NFS (using tcpdump on the host 
> machine).

Just try without the bfd command: push the left and right panel buttons and see what happens on your console
(this is the way I installed my cobalts... and it just works fine)

> c) I never receive the "done" message after the bootloader kernel 
> decompression. It just reboots, and puts me back into diagnostics mode, 
> ready to boot the regular kernel unless I interrupt it again.

I had the same problem when my kernel was too big. Please check that your kernel.gz (or in this case
vmlinux_raq-2800.gz) is smaller than 1M and 2.5M uncompressed.
You can cross-compile a kernel for cobalt on NetBSD or FreeBSD i386 (works fine), add the option
"config          netbsd        root on ? type nfs" and remove other options that you have no use for, to get your kernel smaller.

Hope it will help you

Julien

PS: please be indulgent of my poor English :)
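
A pre-flight check for the size limits given in the reply above, as an added example that is not part of the original thread. It assumes "1M" means 1048576 bytes; the function name check_netboot_kernel is hypothetical.

```shell
#!/bin/sh
# Limits from the message above: the compressed kernel must be smaller
# than 1M and the uncompressed kernel smaller than 2.5M.
# Assumption: 1M = 1048576 bytes.
MAX_GZ=1048576      # 1M compressed
MAX_RAW=2621440     # 2.5M uncompressed

# check_netboot_kernel FILE
# Returns 0 if FILE is within both limits, 1 if either limit is exceeded,
# 2 if FILE is unreadable or is not a valid gzip stream.
check_netboot_kernel() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "$f: not readable" >&2
        return 2
    fi
    # gzip -t verifies the stream, so a truncated download is caught here.
    if ! gzip -t "$f" 2>/dev/null; then
        echo "$f: not a valid gzip file" >&2
        return 2
    fi
    gz=$(wc -c < "$f" | tr -d ' ')
    raw=$(gzip -dc "$f" | wc -c | tr -d ' ')
    rc=0
    if [ "$gz" -ge "$MAX_GZ" ]; then
        echo "$f: compressed size $gz is not below $MAX_GZ" >&2
        rc=1
    fi
    if [ "$raw" -ge "$MAX_RAW" ]; then
        echo "$f: uncompressed size $raw is not below $MAX_RAW" >&2
        rc=1
    fi
    echo "$f: $gz bytes compressed, $raw bytes uncompressed"
    return $rc
}

# Check the kernel named on the command line, if one was given.
if [ $# -gt 0 ]; then
    check_netboot_kernel "$1"
fi
```

Run it against the file in the NFS root before resetting the box, for example `sh check.sh /nfsroot/boot/vmlinux_raq-2800.gz` (the script name is an assumption).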
