MikeL's FreeBSD howto - Networking
Getting a bunch pf the following in my
Limiting closed port RST response from 1525 to 200 packets/sec
By using this magic incantation while it's happening, you can
get an idea of what's going on and whom is doing it. This will show
you all the RST packet activity:
tcpdump -n -v 'tcp[tcpflags] & (tcp-rst) != 0'
You probably can't do anything about it, but this may make you feel a
little better it. The bottom line is that this is an idication the
FreeBSD is doing it's thing properly. To change the limiting value,
This is basically a checklist of how to setup a new system to do
networking stuff beyond the basic. The intent is not to cover
everything in detail, merely to point you to each of the tasks that
must be performed.
Obviously you must already have your hardware set up. If you're
making a gateway/firewall, there will be
two Network Interface Cards (NICs); one connected to the
external network that you're protecting yourself from, the other
connected to the internal "private" network.
Related manual pages:
Handbook ch. 6 (Firewalls).
The first line will be "domain <yourdomain>"
If you're running
named on this box, you'll want your
own external IP address here (2nd line) as a nameserver.
The last line will be "nameserver <upstream nameserver>", this
address will be provided by your upstream provider.
- Even if you're just a standalone system connected to a network,
you may want to build a custom
kernel. If you're building a gateway/firewall, you
must build a custom kernel, visit
- There are quite a few relevant fields in
You must set this appropriately
network_interfaces="xl0 xl1 lo0"
There is one entry for each NIC, plus "lo0". The actual name here
is defined by the make of NIC you have -- use
dmesg | more' and look for NIC startup
ifconfig_xl1="inet 192.168.0.19 netmask
You'll have a line like this for each NIC.
For your internal network, you should use 192.168.x.y (see
RFC 1918). This value
is never passed through a router, so it ensures your private network
stays private. I recommend using x and y as the last two numbers in
your public address so that the two NICs are obviously on the same
- ifconfig_xl0="inet 10.12.123.19 netmask 255.255.255.0"
This would be your public address (assuming firewall/gateway). This
address is assigned by your ISP.
This is assigned by your ISP.
- If you're on a complex network with multiple subnets, you'll need
to configure static routes.
- If you want to run the Network File System (NFS) so that multiple
Unix machines can share drives, you'll need to visit
Setting up NFS.
- If you want DOS/Windows/NT machines on the network to be able to
mount this computers drives as "shares", you'll want to install
How to change a machines IP address:
In general this is a bad idea, but if you gotta do it, this list of
standard files is where I've found my address hardcoded thus had to be
Also don't forget that you may have it hardcoded in on DNS secondary
Adding additional "alias" addresses:
In rc.conf, merely add an ifconfig, underscore, interface, underscore,
"alias", x; e.g:
ifconfig_xl0_alias0="inet 10.12.123.18 netmask 255.255.255.0"
increment x for each additional alias, starting at 0.
Now, why would you want to do this? What happens when you've got your
machine all set up, including domain names, with fixed IP addresses,
and you move your home/business, thus getting stuck with a new IP
address? You don't have the luxury of waiting for DNS replication
(perhaps many hours, even days), so you can do this...
You want to set up the machine to do everything itself via the new IP,
but from the outside, to also deal with the old. Follow the changing
IP address directions above, then add a new alias to the loopback
interface (not to the public interface itelf) that is the old
So let's say our old addres was 10.12.123.17, and we have been moved
to another DSL provider, and they gave us 172.16.4.5.
ifconfig_xl0="inet 172.16.4.5 netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 10.12.123.17 netmask 255.255.255.0"
We can now change our DNS info at our leisure, then after the dust has
settled, dump the alias.
ifconfig <ip> <mask>
Shows routing info
- kill -HUP <pid-of-named>
restart DNS deamon
- kill -HUP <pid-of-sendmail>
- apachectl stop|start|startssl
restart apache webserver
- sh /etc/rc.firewall <open>
If stuff isn't working (especially "permission denied" from
'ping'), try opening your firewall. If this fixes it, you know
it's a firewall issue -- bring back up the
firewall, then fix it's config. Note! Doing this will
immediately drop all connections -- don't do this
unless you have console access.
Copyright © 1995-2023
(running on host pedicel)