[5]Ignore any rumors about your network administrator occasionally being found in the network room with a knife, a black cockerel, and a bottle of rum. The truth is far stranger than mere magic. Page 177
Note: If you are looking for top 10 and very good webhost to host and run your jsp application check Actions jsp hosting services
Route Flags The Flags column indicates how the routes in a system were generated or used. You can find a full listing of all route flags in route(4) and related manual pages, but some of the common ones are listed in Table 8-2. You don’t need to understand what each of these flags means at this point. Just be familiar with the flags for each route that normally appears on your system, and if something different appears, start digging for more information. Table 8-2: Common route flags Flag Description U The route is usable G This route is a gateway S This route is static (e.g., not added dynamically by a routing protocol) L This route is a protocol-to-link-address translation (i.e., the MAC address used to reach an IP address) H This route is for a particular host C This route is used when you dynamically create new routes (e.g., a gateway) c This route is used for protocol-specific new routes (e.g., how to reach the gateway) W This route was cloned from another route Adding Routes Adding routes is very simple with the “route add” command. All you need to know is the network block you want to route, the netmask for that block, and the IP address you want them routed to. # route add 172.16.1.0 -netmask 255.255.255.0 192.168.1.254 add net 172.16.1.0: gateway 192.168.1.254 # If you go back and look at your routing table, you’ll see that route. Packets will start to flow back to your internal network. Congratulations! To have this happen automatically at boot, just add the route command to /etc/rc.local. Deleting Routes Take a good close look at the route we added in the last example. Our internal network is 172.16.0.0/24, not 172.16.1.0/24. Oops! To delete a route table entry, you just need the network block and the netmask for that block. # route delete 172.16.1.0 -netmask 255.255.255.0 delete net 172.16.1.0 # Route(8) has many more useful functions; check the man page for full details. Now that you understand the bare bones of the theory of networking, in the next chapter we’ll see how this works out in practice. Page 176
Note: If you are looking for cheapest and affordable webspace to host and run your servlet application check Astra servlet hosting services
sent to the 6 internal firewall’s external interface. If you don’t tell the external firewall this, however, it’s not going to happen. As the external firewall is responsible for the internal network’s Internet connectivity, the internal firewall not being able to find the internal network would mean that the internal network would be off the Internet; it could send data, but not receive any. The external firewall needs routing. Similarly, hosts on the DMZ network need to know how to reach the 172.16.0.0/24 network. In theory they could just use the default route of the internal interface of the external firewall, and the external firewall would use ICMP redirects to tell them where to go. This is messy, increases traffic and lag, and is almost impossible to debug without a packet sniffer. It also assumes that all the network equipment and servers accept ICMP redirects and the firewall will pass ICMP redirects. You should use proper routing. Let’s set up routing for the external firewall in our example. Once you can do that, routing on the DMZ network hosts will be almost exactly the same. Routing Commands All routing is managed by route(8). Route(8) has several sub-functions that allow you to view, edit, and monitor the system routing table. While route(8) has full details, the ability to view, add, and delete routes should be enough to get you started. Viewing Routes Let’s start by viewing the table with “route show.” As OpenBSD supports both IP version 4 and IP version 6, the routes for both protocols are displayed. While the IPv6 route table is very similar, we’re just going to examine the IPv4 table, and only enough of that to give you a good idea how all this works. # route show Routing tables Internet: 1 Destination 2 Gateway 3 Flags 4 default 5 isp-router.Absolut 6 UG 7 192.168.0.0 link#2 U 8 isp-router.Abso 0:2:16:bf:a1:8c UH … Every route table entry has a destination, a gateway, and flags. 1 Destinations can be hosts or networks. The 2 gateway is the place where the system should send the packet to get to that gateway. A gateway can be a host name, a network interface number, or a hardware protocol address. The flags field contains markers that indicate what sort of route this is and how the route behaves. We’ll discuss these in the next section, “Route Flags.” The first routing table entry is usually the 4 default route. By default, this system sends all packets to the machine whose host name begins with 5 “isp-router.Absolut.” If this is your network and your external firewall, you should know what machine this is! In this case, this is the router where our Internet circuit hooks in, and our default route out of the entire network. This route has the 6 flags “U” and “G.” The 7 second route is for the directly attached network 192.168.0.0. You can tell that it is directly attached by the gateway entry of “link#2″. If you look at the “ifconfig -a” output on this system, you’ll see that the second real network card is the network with 192.168.0.1/24 assigned to it. The system knows to send requests for those IP addresses out that card. Our 8 last shown route is for the machine whose name begins with “isp-router.Abso”. Here, the routing table shows the physical protocol address for the gateway address. The system knows that the default gateway is this machine, and that the machine has the physical address. “0:2:16:bf:a1:8c”. Given this information, it can route packets as it needs to. Page 175
Note: If you are looking for cheapest and affordable webspace to host and run your servlet application check Astra servlet hosting services
shows that the connection is 10baseT, or common 10-megabit Category 5 Ethernet. You can get a full list of valid media types in by running “ifconfig -m interfacename,” and you can see what those media types mean in the network card’s man page. For example, fxp(4) contains full descriptions of the six different valid connection types the card supports. The 5 status line indicates if the network card is receiving and sending Ethernet data. By 6 inet6, you will see the interface’s IPv6 address. Similarly, the 7 inet line shows the interface’s IPv4 address. Ifconfig(8) has many other flags and functions, and we’ll discuss the most common of them throughout this chapter. Page 173
Note: If you are looking for cheap and quality provider to host and run your java application check Astra java hosting services
IP Routing When administering most UNIX-like operating systems, you don’t need to understand routing. The network administrator gives you the IP address of the default route, you put it in the appropriate configuration file, and everything works like magic. [5] OpenBSD systems frequently tend to be part of the network infrastructure, however, or in demilitarized zones where the system must make routing decisions. You really must understand the basics of routing to administer OpenBSD. Routing is simply making a decision on where to send a packet. If a computer is directly attached to a network, it doesn’t need to make any decisions. Your OpenBSD system on the Ethernet network 192.168.1.0/24 already knows how to reach any IP address beginning with 192.168.1; it sends it out that Ethernet. What about an IP address of 209.69.69.12, however? Where should it send those packets? Many computers use a default route, where they send all packets bound for IP addresses that they don’t know about. This is very common in small office networks, where you have one router or firewall that provides network access for everyone in the office. Small companies frequently have only one network, and don’t need complicated routing. The company router itself might have a default route pointing to the Internet service provider, who makes all the actual routing decisions for you. Routed Internal Network Example In a more complicated setting, your system will have to make routing decisions. Suppose your network has multiple routers attached to it, each going to a different network. Machines on your network will have to decide where to send packets. Here’s an example of a fairly common double-firewall situation. This sort of firewall setup is used whenever servers need different stages of protection. The 1 external firewall provides the outermost layer of protection. Any traffic coming in through the Internet hits this firewall first, and any traffic leaving the network goes through this firewall last. This firewall probably has fairly liberal traffic-management rules. The 2 demilitarized zone network is for machines that must be somewhat exposed to the Internet. Perhaps you have intrusion-detection systems here. In many web-farm situations, this is where the actual web servers live. In our example, the DMZ network uses the IP addresses 192.168.0.0/24. The 3 internal firewall is very tightly secured device. Only the bare minimum permitted traffic may pass through it. This firewall is responsible for securing the most vital information on the network. The 4 internal network holds the most vital, protected information on the network: financial information, customer databases, or your MP3 collection. In our example, the internal network has the IP addresses 172.16.0.0/24. Many of the hosts in this network have very simple routing decisions. Anything in the internal network has only one route to reach anything. If the packet is going to an IP address not in the 192.168.1.1/24 network, it must be sent to the 7 default gateway on the internal network. Similarly, the internal firewall has two networks directly attached. If it wants to send a packet to an IP within 172.16.0.0/24, it sends the packet out the 7 interface directly attached to that network. If it wants to send a packet to an address within the 192.168.0.0/24 range, it sends it to the 6 interface directly attached to that network. If it wants to reach an IP that isn’t in those two ranges, it uses the default gateway of 5 192.168.0.1. The external firewall is directly attached to the 192.168.0.0/24 network, so it can send packets there. It’s directly attached to the Internet and can send any packets it doesn’t know how to reach otherwise out there. That leaves out the 172.16.0.0/24 network, however. Packets bound for 172.16.0.0/24 should be Page 174
Note: If you are looking for cheap and quality provider to host and run your java application check Astra java hosting services
Configuring Interfaces Almost all network interface operations are performed with ifconfig(8). This program is a general interface configuration tool that can be used to examine every network interface on your system. To start with, the “-a” flag will list every interface on your system and its configuration. An OpenBSD system starts with quite a few interfaces, so don’t be surprised at the length of the output! A typical entry for an Ethernet card looks like this: fxp1 1 : flags=8843
Hint: If you are looking for high quality and reliable webspace provider to host and run your jsp hosting application check Virtualwebstudio jsp web hosting provider
The first entry 1 shows us an existing TCP connection. The local address is 192.168.1.250.22, meaning that the remote side of my connection is talking to this machine on port 22 of the IP address 192.168.1.250. The remote machine is 192.168.1.200, and the connection is coming from port 49182. Finally, we see that this connection is ESTABLISHED; data is quite possibly flowing over this right now. We also see a TCP connection that has terminated 2 and is in the final stages of teardown. The next line 3 shows a port that’s listening on the local host, but on no other IP addresses. Only systems that can connect to 127.0.0.1 can actually connect to this machine. Because the only machine that can do that is the local host, this port is only available to the local machine. Shortly thereafter, we 4 see that the machine is listening to TCP port 22 on all available IP addresses. Because there is no remote host and no state, this is a daemon listening for incoming connections. Near the bottom, we 5 see a series of available connections on UDP ports. You should rarely, if ever, see a remote host running over a UDP connection. They tend to appear very briefly. What’s Listening on Ports? Now that you know which TCP and UDP ports are open, how can you tell which programs are listening on them? OpenBSD, like many UNIX-like operating systems, supports the lsof(8) program that helps track down which files are open. (Although lsof is not integrated with OpenBSD, it’s available in /usr/ports/ sysutils/lsof.) Although many people like lsof, it isn’t the only way to get this information out of OpenBSD. You can look in /etc/services and try to identify the program by the port number. This works well if you’re certain that nobody has been tampering with your system. One fun trick an intruder can try is to run a program on a port that should be used by another program. You might not think anything about port 80 being open on a web server, as that’s traditionally the port used by web servers. If one IP address has an SSH daemon listening on port 80, you’d never even notice. The only way to be absolutely sure what daemons are running on which ports is to check it yourself. OpenBSD includes the fstat(1) program, which lists every open file, pipe, or port on the system and various information about its state. I highly recommend perusing fstat(1), as it is a terribly useful program in many different troubleshooting situations. The important thing for us at this moment, however, is that it displays which program is bound to a port. Let’s examine TCP port 25, as shown in our example. According to /etc/services this should be “smtp,” or email. It probably is, but it’s definitely a good example to track down. Run fstat(1) and search its output for port 25. Network ports always appear with a colon before their names, so it’s a good idea to include the colon. (Searching for the number 25 in the list of all open files and their states will generate an awful lot of false positives. Go ahead, try it sometime.) # fstat | grep ‘:25′ root 2 sendmail 29452 4* internet stream tcp 0xe0b40d70 1 127.0.0.1:25 root sendmail 29452 5* internet6 stream tcp 0xe0b59004 [::1]:25 # At the end of the line we see the IP addresses and port numbers that this connection is listening on, and near the beginning we see the name of the program that is listening on this port. What do you know; this really is the mail server program! My nasty paranoid suspicions were unfounded this time. If you’re not sure what a program listening on a port does, be sure to check its man page. Page 171
Hint: If you are looking for high quality and reliable webspace provider to host and run your jsp hosting application check Virtualwebstudio jsp web hosting provider
The first column, PROTO, gives the protocol that this particular connection or listening port is using. We have several TCP ports open, as well as a few UDP ports. The Recv-Q and Send-Q columns show how many bits are waiting to be handled on this connection. If you see that your system has Recv-Q numbers continually, you know that it cannot process incoming data quickly enough. Similarly, if the Send-Q column keeps having entries, you know that either the network or the other system in the connection cannot accept data as quickly as you can send it. While occasional bursts of either Send-Q or Recv-Q entries are normal, individual entries in these columns should disappear quickly. You need to watch your own system to learn what is normal and what isn’t. The Local Address column is, as you might guess, an open IP address and port number on the local system. The first four numbers are the IP address, and the port number is appended with a period. For example, 192.168.1.250.22 is port 22 on the IP address 192.168.1.250. If this entry is an asterisk, a period, and a port number, it means the system is listening on all available IP addresses for an incoming connection on that port. That particular line does not show any active connections, but the system is ready to accept one. The Foreign Address column shows the address and port number on the remote end of any connection. Finally, the (state) column shows the status of the TCP handshake. You don’t need to know all of the possible TCP connection states right now; just become familiar with what’s normal. ESTABLISHED means that a connection is complete, and data is quite probably flowing over that connection. LAST_ACK, FIN_WAIT_1, and FIN_WAIT_2 mean that the connection is closing. SYN_RCVD, ACK, and SYN+ACK are all parts of the normal connection creation process. Here we look at the netstat output on a brand-new, out-of-the-box OpenBSD install. I’m using SSH to connect to it, but it has no custom services running. # netstat -na -f inet Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) 1 tcp 0 0 192.168.1.250.22 192.168.1.200.49182 ESTABLISHED tcp 0 0 192.168.1.250.22 192.168.1.200.49181 2 TIME_WAIT tcp 0 0 3 127.0.0.1.587 *.* LISTEN tcp 0 0 127.0.0.1.25 *.* LISTEN tcp 0 0 *.22 4 *.* LISTEN tcp 0 0 *.37 *.* LISTEN tcp 0 0 *.13 *.* LISTEN tcp 0 0 *.113 *.* LISTEN tcp 0 0 127.0.0.1.111 *.* LISTEN tcp 0 0 *.111 *.* LISTEN Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) udp 0 0 *.700 5 *.* udp 0 0 *.798 *.* udp 0 0 *.512 *.* udp 0 0 127.0.0.1.111 *.* udp 0 0 *.514 *.* udp 0 0 *.111 *.* # Page 170
Hint: If you are looking for high quality and reliable webspace provider to host and run your jsp hosting application check Virtualwebstudio jsp web hosting provider
attach, or bind to ports on a system. For example, Internet mail servers generally bind to TCP port 25. Connections intended for the mail server will try to connect to port 25. This means that other programs could connect to the same machine on other ports. The /etc/services file contains a list of port numbers and the services that they’re commonly associated with. It’s possible to run almost any service on any port, but by doing so you’ll confuse other Internet hosts that try to connect to your system. If someone tries to send you email, their mail program will automatically connect to port 25 on your machine. If your server runs email on port 77, and you have a web server on port 25, that mail will never arrive. What’s more, people will never see the web page on that system. /etc/services has a very simple format, with five columns: the official service name, the port number, the protocol, any aliases for that service, and comments. For example, one service that could be found on many UNIX hosts was Quote of the Day, also known as qotd. If you check /etc/services, you’ll find the following entry: qotd 17/tcp quote The Quote of the Day service runs on TCP and can normally be found on port 17. Many services have both the TCP and UDP ports of a certain number assigned to them, while others have only one of the protocols. For example, the “echo” service runs on port 7 of both TCP and UDP. Many programs read /etc/services to learn which port to bind to. Depending on the program, you may have to edit /etc/services to assign that protocol to the port. The software instructions will generally tell you if this is the case. Like all standards, the lists in /etc/services can be violated. The SSH daemon, sshd, normally listens on port 22, but I’ve run it on port 80 to escape firewalls in some unusual circumstances. This all depends on the program you’re using to provide a service. Low-Numbered Ports The ports 1024 and below are called low-numbered ports. These are the ports reserved for core Internet infrastructure protocols and important services such as DNS, SSH, HTTP, and so on. Their standard port assignment is basically carved in stone. Only programs that start with root-level privileges can bind to low-numbered ports. What Ports Are Open? So, programs bind to ports. The two obvious questions here are, “which ports are open” and “what programs are listening to each?” You can identify this with netstat(1), the same program we used to check mbuf counts. General Netstat Hints Any time you use netstat(1) to look at network information you might want to use the “-n” flag. -n tells netstat to not perform DNS lookups on the IP addresses it sees. If most of your network connections are to IP addresses with names cached by your nameserver, then your output will be fairly fast even with DNS lookups. If the system must perform a DNS lookup for every IP address your command will run very slowly, especially if the network between you and your DNS server is performing badly. The “-f” flag allows you to select a protocol family to examine with netstat(1). If you’re only interested in IPv4 connections, use “-f inet”. Other valid values for -f include inet6 (for IPv6 connections), ipx (Novell IPX), atalk (AppleTalk), and UNIX (pipes). See netstat(1) for a full list of protocols you can select. Open Ports and Netstat Netstat’s “-a” flag shows open ports and existing TCP/IP connections. If this machine is an active server, you’ll almost certainly want to use the “-n” flag to avoid the DNS lookups, and you’ll want to use the “-f inet” option to specify IP connections only. (Try it some time without using either -n or -f, just for your own education.) You’ll get a long list back, with six columns. Page 169
Hint: If you are looking for high quality and reliable webspace provider to host and run your jsp hosting application check Virtualwebstudio jsp web hosting provider
You now understand how slashes, netmasks, and IP address assignments work together and how, for example, a /28 has 16 IP addresses. Unfortunately, you cannot use all of the IP addresses in a block. The first IP address in any block is the network number. It’s used for internal bookkeeping. Similarly, the last number in any block of IP addresses is the broadcast address. According to the IP specifications, every machine on a network is supposed to respond to a request to this address. This allows you to ping the broadcast address and quickly determine which IP addresses are in use. For example, on a typical /24 network, the broadcast address is x.y.z.255. In the late 1990s, however, this feature was turned into an attack technique. It’s now disabled by default on most operating systems, including OpenBSD. In any case, the point is that you cannot assign either the first or last IP address in a network to an interface without causing some problems on the network. Some systems will fail gracefully; others will not. Go ahead, try it sometime preferably after hours, when the network is not in use. [4] [3]Yes, you could say that the decimal numbers are easiest to work with in all cases. But that would just show that you aren’t a real computer person and possibly get you burned at the stake. [4]Or during peak usage hours, if you want a good story to tell at your next job. Page 167
Hint: If you are looking for very good and affordable webspace to host and run your tomcat hosting application check Virtualwebstudio tomcat web hosting provider