mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
280 lines
12 KiB
Plaintext
280 lines
12 KiB
Plaintext
|
<!-- $Id$ -->
|
||
|
<!-- The FreeBSD Documentation Project -->
|
||
|
<!-- <!DOCTYPE linuxdoc PUBLIC '-//FreeBSD//DTD linuxdoc//EN'> -->
|
||
|
|
||
|
<sect><heading>Gateways and routes<label id="routing"></heading>
|
||
|
|
||
|
<p><em>Contributed by &a.gryphon;.<newline>6 October 1995.</em>
|
||
|
|
||
|
For one machine to be able to find another, there must be a
|
||
|
mechanism in place to describe how to get from one to the
|
||
|
other. This is called Routing. A ``route'' is a defined
|
||
|
pair of addresses: a <bf>destination</bf> and a
|
||
|
<bf>gateway</bf>. The pair indicates that if you are
|
||
|
trying to get to this <em>destination</em>, send along
|
||
|
through this <em>gateway</em>. There are three types of
|
||
|
destinations: individual hosts, subnets, and ``default''. The
|
||
|
``default route'' is used if none of the other routes
|
||
|
apply. We will talk a little bit more about default routes
|
||
|
later on. There are also three types of gateways:
|
||
|
individual hosts, interfaces (also called ``links''), and
|
||
|
ethernet hardware addresses.
|
||
|
|
||
|
<sect1><heading>An example</heading>
|
||
|
|
||
|
<p>To illustrate different aspects of routing, we will use
|
||
|
the following example which is the output of the command
|
||
|
<tt>netstat -r</tt>:
|
||
|
|
||
|
<tscreen><verb>
|
||
|
Destination Gateway Flags Refs Use Netif Expire
|
||
|
|
||
|
default outside-gw UGSc 37 418 ppp0
|
||
|
localhost localhost UH 0 181 lo0
|
||
|
test0 0:e0:b5:36:cf:4f UHLW 5 63288 ed0 77
|
||
|
10.20.30.255 link#1 UHLW 1 2421
|
||
|
foobar.com link#1 UC 0 0
|
||
|
host1 0:e0:a8:37:8:1e UHLW 3 4601 lo0
|
||
|
host2 0:e0:a8:37:8:1e UHLW 0 5 lo0 =>
|
||
|
host2.foobar.com link#1 UC 0 0
|
||
|
224 link#1 UC 0 0
|
||
|
</verb></tscreen>
|
||
|
|
||
|
The first two lines specify the default route (which we
|
||
|
will cover in the next section) and the <tt>localhost</tt> route.
|
||
|
|
||
|
The interface (<tt>Netif</tt> column) that it specifies to use
|
||
|
for <tt>localhost</tt> is <tt>lo0</tt>, also known as the
|
||
|
loopback device. This says to keep all traffic for this
|
||
|
destination internal, rather than sending it out over the
|
||
|
LAN, since it will only end up back where it started
|
||
|
anyway.
|
||
|
|
||
|
The next thing that stands out are the
|
||
|
``<tt>0:e0:...</tt>'' addresses. These are ethernet
|
||
|
hardware addresses. FreeBSD will automatically identify any
|
||
|
hosts (<tt>test0</tt> in the example) on the local ethernet and
|
||
|
add a route for that host, directly to it over the ethernet
|
||
|
interface, <tt>ed0</tt>. There is also a timeout
|
||
|
(<tt>Expire</tt> column) associated with this type of route,
|
||
|
which is used if we fail to hear from the host in a
|
||
|
specific amount of time. In this case the route will be
|
||
|
automatically deleted. These hosts are identified using a
|
||
|
mechanism known as RIP (Routing Information Protocol),
|
||
|
which figures out routes to local hosts based upon a
|
||
|
shortest path determination.
|
||
|
|
||
|
FreeBSD will also add subnet routes for the local subnet
|
||
|
(<tt>10.20.30.255</tt> is the broadcast address for the subnet
|
||
|
<tt>10.20.30</tt>, and <tt>foobar.com</tt> is the domain name
|
||
|
associated with that subnet). The designation <tt>link#1</tt>
|
||
|
refers to the first ethernet card in the machine. You'll
|
||
|
notice no additional interface is specified for those.
|
||
|
|
||
|
Both of these groups (local network hosts and local
|
||
|
subnets) have their routes automatically configured by a
|
||
|
daemon called <tt>routed</tt>. If this is not run, then only
|
||
|
routes which are statically defined (ie. entered
|
||
|
explicitly) will exist.
|
||
|
|
||
|
The <tt>host1</tt> line refers to our host, which it knows by
|
||
|
ethernet address. Since we are the sending host, FreeBSD
|
||
|
knows to use the loopback interface (<tt>lo0</tt>) rather than
|
||
|
sending it out over the ethernet interface.
|
||
|
|
||
|
The two <tt>host2</tt> lines are an example of what happens
|
||
|
when we use an ifconfig alias (see the section of ethernet
|
||
|
for reasons why we would do this). The <tt>=></tt>
|
||
|
symbol after the <tt>lo0</tt> interface says that not only are
|
||
|
we using the loopback (since this is address also refers to
|
||
|
the local host), but specifically it is an alias. Such
|
||
|
routes only show up on the host that supports the alias;
|
||
|
all other hosts on the local network will simply have a
|
||
|
<tt>link#1</tt> line for such.
|
||
|
|
||
|
The final line (destination subnet <tt>224</tt>) deals with
|
||
|
MultiCasting, which will be covered in a another section.
|
||
|
|
||
|
The other column that we should talk about are the
|
||
|
<tt>Flags</tt>. Each route has different attributes that are
|
||
|
described in the column. Below is a short table of some of
|
||
|
these flags and their meanings:
|
||
|
|
||
|
<descrip>
|
||
|
|
||
|
<tag/U/ <bf/Up:/ The route is active.
|
||
|
|
||
|
<tag/H/ <bf/Host:/ The route destination is a single host.
|
||
|
|
||
|
<tag/G/ <bf/Gateway:/ Send anything for this destination
|
||
|
on to this remote system, which will figure out from
|
||
|
there where to send it.
|
||
|
|
||
|
<tag/S/ <bf/Static:/ This route was configured manually,
|
||
|
not automatically generated by the system.
|
||
|
|
||
|
<tag/C/ <bf/Clone:/ Generates a new route based upon this
|
||
|
route for machines we connect to. This type of route is
|
||
|
normally used for local networks.
|
||
|
|
||
|
<tag/W/ <bf/WasCloned/ Indicated a route that was
|
||
|
auto-configured based upon a local area network (Clone)
|
||
|
route.
|
||
|
|
||
|
<tag/L/ <bf/Link:/ Route involves references to ethernet
|
||
|
hardware.
|
||
|
|
||
|
</descrip>
|
||
|
|
||
|
|
||
|
<sect1><heading>Default routes</heading>
|
||
|
|
||
|
<p>When the local system needs to make a connection to
|
||
|
remote host, it checks the routing table to determine if
|
||
|
a known path exists. If the remote host falls into a
|
||
|
subnet that we know how to reach (Cloned routes), then
|
||
|
the system checks to see if it can connect along that
|
||
|
interface.
|
||
|
|
||
|
If all known paths fail, the system has one last option:
|
||
|
the <bf>default</bf> route. This route is a special type
|
||
|
of gateway route (usually the only one present in the
|
||
|
system), and is always marked with a ``<tt>c</tt>'' in
|
||
|
the flags field. For hosts on a local area network, this
|
||
|
gateway is set to whatever machine has a direct
|
||
|
connection to the outside world (whether via PPP link, or
|
||
|
your hardware device attached to a dedicated data line).
|
||
|
|
||
|
If you are configuring the default route for a machine
|
||
|
which itself is functioning as the gateway to the outside
|
||
|
world, then the default route will be the gateway machine
|
||
|
at your Internet Service Provider's (ISP) site.
|
||
|
|
||
|
Let's look at an example of default routes. This is a
|
||
|
common configuration:
|
||
|
<tscreen><verb>
|
||
|
[Local2] <--ether--> [Local1] <--PPP--> [ISP-Serv] <--ether--> [T1-GW]
|
||
|
</verb></tscreen>
|
||
|
|
||
|
The hosts <tt>Local1</tt> and <tt>Local2</tt> are at your
|
||
|
site, with the formed being your PPP connection to your
|
||
|
ISP's Terminal Server. Your ISP has a local network at
|
||
|
their site, which has, among other things, the server
|
||
|
where you connect and a hardware device (T1-GW) attached
|
||
|
to the ISP's internet feed.
|
||
|
|
||
|
The default routes for each of your machines will be:
|
||
|
|
||
|
<tscreen><verb>
|
||
|
host default gateway interface
|
||
|
---- --------------- ---------
|
||
|
Local2 Local1 ethernet
|
||
|
Local1 T1-GW PPP
|
||
|
</verb></tscreen>
|
||
|
|
||
|
A common question is ``Why (or how) would we set the
|
||
|
T1-GW to be the default gateway for Local1, rather than
|
||
|
the ISP server it is connected to?''.
|
||
|
|
||
|
Remember, since the PPP interface is using an address on
|
||
|
the ISP's local network for your side of the connection,
|
||
|
routes for any other machines on the ISP's local network
|
||
|
will be automatically generated. Hence, you will already
|
||
|
know how to reach the T1-GW machine, so there is no need
|
||
|
for the intermediate step of sending traffic to the ISP
|
||
|
server.
|
||
|
|
||
|
As a final note, it is common to use the address ``<tt>...1</tt>''
|
||
|
as the gateway address for your local network. So (using
|
||
|
the same example), if your local class-C address space
|
||
|
was <tt>10.20.30</tt> and your ISP was using <tt>10.9.9</tt> then the
|
||
|
default routes would be:
|
||
|
|
||
|
<tscreen><verb>
|
||
|
Local2 (10.20.30.2) --> Local1 (10.20.30.1)
|
||
|
Local1 (10.20.30.1, 10.9.9.30) --> T1-GW (10.9.9.1)
|
||
|
</verb></tscreen>
|
||
|
|
||
|
<sect1><heading>Dual homed hosts</heading>
|
||
|
|
||
|
<p>There is one other type of configuration that we should
|
||
|
cover, and that is a host that sits on two different
|
||
|
networks. Technically, any machine functioning as a
|
||
|
gateway (in the example above, using a PPP connection)
|
||
|
counts as a dual-homed host. But the term is really only
|
||
|
used to refer to a machine that sits on two local-area
|
||
|
networks.
|
||
|
|
||
|
In one case, the machine as two ethernet cards, each
|
||
|
having an address on the seperate subnets. Alternately,
|
||
|
the machine may only have one ethernet card, and be using
|
||
|
ifconfig aliasing. The former is used if two physically
|
||
|
separate ethernet networks are in use, the latter if
|
||
|
there is one physical network segment, but two logically
|
||
|
seperate subnets.
|
||
|
|
||
|
Either way, routing tables are set up so that each subnet
|
||
|
knows that this machine is the defined gateway (inbound
|
||
|
route) to the other subnet. This configuration, with the
|
||
|
machine acting as a Bridge between the two subnets, is
|
||
|
often used when we need to implement packet filtering or
|
||
|
firewall security in either or both directions.
|
||
|
|
||
|
<sect1><heading>Routing propogation</heading>
|
||
|
|
||
|
<p>We have already talked about how we define our routes to
|
||
|
the outside world, but not about how the outside world
|
||
|
finds us.
|
||
|
|
||
|
We already know that routing tables can be set up so that
|
||
|
all traffic for a particular address space (in our
|
||
|
examples, a class-C subnet) can be sent to a particular
|
||
|
host on that network, which will forward the packets
|
||
|
inbound.
|
||
|
|
||
|
When you get an address space assigned to your site, your
|
||
|
service provider will set up their routing tables so that
|
||
|
all traffic for your subnet will be sent down your PPP
|
||
|
link to your site. But how do sites across the country
|
||
|
know to send to your ISP?
|
||
|
|
||
|
There is a system (much like the distributed DNS
|
||
|
information) that keeps track of all assigned
|
||
|
address-spaces, and defines their point of connection to
|
||
|
the Internet Backbone. The ``Backbone'' are the main
|
||
|
trunk lines that carry internet traffic across the
|
||
|
country, and around the world. Each backbone machine has
|
||
|
a copy of a master set of tables, which direct traffic
|
||
|
for a particular network to a specific backbone carrier,
|
||
|
and from there down the chain of service providers until
|
||
|
it reaches your network.
|
||
|
|
||
|
It is the task of your service provider to advertise to
|
||
|
the backbone sites that they are the point of connection
|
||
|
(and thus the path inward) for your site. This is known
|
||
|
as route propogation.
|
||
|
|
||
|
<!--
|
||
|
<sect1><heading>Multicast Routing</heading>
|
||
|
-->
|
||
|
|
||
|
<sect1><heading>Troubleshooting</heading>
|
||
|
|
||
|
<p>Sometimes, there is a problem with routing propogation,
|
||
|
and some sites are unable to connect to you. Perhaps the
|
||
|
most useful command for trying to figure out where a
|
||
|
routing is breaking down is the <tt>traceroute(8)</tt>
|
||
|
command. It is equally useful if you cannot seem to make
|
||
|
a connection to a remote machine (ie. <tt>ping(8)</tt>
|
||
|
fails).
|
||
|
|
||
|
The <tt>traceroute(8)</tt> command is run with the name
|
||
|
of the remote host you are trying to connect to. It will
|
||
|
show the gateway hosts along the path of the attempt,
|
||
|
eventually either reaching the target host, or
|
||
|
terminating because of a lack of connection.
|
||
|
|
||
|
For more information, see the manual page for
|
||
|
<tt>traceroute(8)</tt>.
|
||
|
|