Chapter 12 Networking

12.1. Where can I get information on “diskless booting”?
12.2. Can a FreeBSD box be used as a dedicated network router?
12.3. Can I connect my Windows® box to the Internet via FreeBSD?
12.4. Does FreeBSD support SLIP and PPP?
12.5. Does FreeBSD support NAT or Masquerading?
12.6. How do I connect two FreeBSD systems over a parallel line using PLIP?
12.7. Why can I not create a /dev/ed0 device?
12.8. How can I set up Ethernet aliases?
12.9. How do I get my 3C503 to use the other network port?
12.10. Why am I having trouble with NFS and FreeBSD?
12.11. Why can I not NFS-mount from a Linux® box?
12.12. Why can I not NFS-mount from a Sun box?
12.13. Why does mountd keep telling me it “can't change attributes” and that I have a “bad exports list” on my FreeBSD NFS server?
12.14. Why am I having problems talking PPP to NeXTStep machines?
12.15. How do I enable IP multicast support?
12.16. Which network cards are based on the DEC PCI chipset?
12.17. Why do I have to use the FQDN for hosts on my site?
12.18. Why do I get an error, “Permission denied”, for all networking operations?
12.19. How much overhead does IPFW incur?
12.20. Why is my ipfw “fwd” rule to redirect a service to another machine not working?
12.21. How can I redirect service requests from one machine to another?
12.22. Where can I get a bandwidth management tool?
12.23. Why do I get “/dev/bpf0: device not configured”?
12.24. How do I mount a disk from a Windows machine that is on my network, like smbmount in Linux?
12.25. What are these messages about “icmp-response bandwidth limit 300/200 pps” in my log files?
12.26. What are these “arp: unknown hardware address format” error messages?
12.27. I have just installed CVSup but trying to execute it produces errors. What is wrong?

12.1. Where can I get information on “diskless booting”?

“Diskless booting” means that the FreeBSD box is booted over a network, and reads the necessary files from a server instead of its hard disk. For full details, please read the Handbook entry on diskless booting

12.2. Can a FreeBSD box be used as a dedicated network router?

Yes. Please see the Handbook entry on advanced networking, specifically the section on routing and gateways.

12.3. Can I connect my Windows® box to the Internet via FreeBSD?

Typically, people who ask this question have two PCs at home, one with FreeBSD and one with some version of Windows the idea is to use the FreeBSD box to connect to the Internet and then be able to access the Internet from the Windows box through the FreeBSD box. This is really just a special case of the previous question and works perfectly well.

If you are using dialup to connect to the Internet user-mode ppp(8) contains a -nat option. If you run ppp(8) with the -nat option, set gateway_enable to YES in /etc/rc.conf, and configure your Windows machine correctly, this should work fine. For more information, please see the ppp(8) manual page or the Handbook entry on user PPP.

If you are using kernel-mode PPP or have an Ethernet connection to the Internet, you need to use natd(8). Please look at the natd section of the Handbook for a tutorial.

12.4. Does FreeBSD support SLIP and PPP?

Yes. See the manual pages for slattach(8), sliplogin(8), ppp(8), and pppd(8). ppp(8) and pppd(8) provide support for both incoming and outgoing connections, while sliplogin(8) deals exclusively with incoming connections, and slattach(8) deals exclusively with outgoing connections.

For more information on how to use these, please see the Handbook chapter on PPP and SLIP.

If you only have access to the Internet through a “shell account”, you may want to have a look at the net/slirp package. It can provide you with (limited) access to services such as ftp and http direct from your local machine.

12.5. Does FreeBSD support NAT or Masquerading?

Yes. If you want to use NAT over a user PPP connection, please see the Handbook entry on user PPP. If you want to use NAT over some other sort of network connection, please look at the natd section of the Handbook.

12.6. How do I connect two FreeBSD systems over a parallel line using PLIP?

Please see the PLIP section of the Handbook.

12.7. Why can I not create a /dev/ed0 device?

Because they are not necessary. In the Berkeley networking framework, network interfaces are only directly accessible by kernel code. Please see the /etc/rc.network file and the manual pages for the various network programs mentioned there for more information. If this leaves you totally confused, then you should pick up a book describing network administration on another BSD-related operating system; with few significant exceptions, administering networking on FreeBSD is basically the same as on SunOS™ 4.0 or Ultrix.

12.8. How can I set up Ethernet aliases?

If the alias is on the same subnet as an address already configured on the interface, then add netmask 0xffffffff to your ifconfig(8) command-line, as in the following:

# ifconfig ed0 alias 192.0.2.2 netmask 0xffffffff

Otherwise, just specify the network address and netmask as usual:

# ifconfig ed0 alias 172.16.141.5 netmask 0xffffff00

12.9. How do I get my 3C503 to use the other network port?

If you want to use the other ports, you will have to specify an additional parameter on the ifconfig(8) command line. The default port is link0. To use the AUI port instead of the BNC one, use link2. These flags should be specified using the ifconfig_* variables in /etc/rc.conf (see rc.conf(5)).

12.10. Why am I having trouble with NFS and FreeBSD?

Certain PC network cards are better than others (to put it mildly) and can sometimes cause problems with network intensive applications like NFS.

See the Handbook entry on NFS for more information on this topic.

12.11. Why can I not NFS-mount from a Linux® box?

Some versions of the Linux NFS code only accept mount requests from a privileged port; try

# mount -o -P linuxbox:/blah /mnt

12.12. Why can I not NFS-mount from a Sun box?

Sun™ workstations running SunOS 4.X only accept mount requests from a privileged port; try

# mount -o -P sunbox:/blah /mnt

12.13. Why does mountd keep telling me it “can't change attributes” and that I have a “bad exports list” on my FreeBSD NFS server?

The most frequent problem is not understanding the correct format of /etc/exports. Please review exports(5) and the NFS entry in the Handbook, especially the section on configuring NFS.

12.14. Why am I having problems talking PPP to NeXTStep machines?

Try disabling the TCP extensions in /etc/rc.conf (see rc.conf(5)) by changing the following variable to NO:

tcp_extensions=NO

Xylogic's Annex boxes are also broken in this regard and you must use the above change to connect through them.

12.15. How do I enable IP multicast support?

FreeBSD supports multicast host operations by default. If you want your box to run as a multicast router, you need to recompile your kernel with the MROUTING option and run mrouted(8). FreeBSD will start mrouted(8) at boot time if the flag mrouted_enable is set to "YES" in /etc/rc.conf.

MBONE tools are available in their own ports category, mbone. If you are looking for the conference tools vic and vat, look there!

12.16. Which network cards are based on the DEC PCI chipset?

Here is a list compiled by Glen Foster , with some more modern additions:

Table 12-1. Network cards based on the DEC PCI chipset

Vendor Model
ASUS PCI-L101-TB
Accton ENI1203
Cogent EM960PCI
Compex ENET32-PCI
D-Link DE-530
Dayna DP1203, DP2100
DEC DE435, DE450
Danpex EN-9400P3
JCIS Condor JC1260
Linksys EtherPCI
Mylex LNP101
SMC EtherPower 10/100 (Model 9332)
SMC EtherPower (Model 8432)
TopWare TE-3500P
Znyx (2.2.x) ZX312, ZX314, ZX342, ZX345, ZX346, ZX348
Znyx (3.x) ZX345Q, ZX346Q, ZX348Q, ZX412Q, ZX414, ZX442, ZX444, ZX474, ZX478, ZX212, ZX214 (10mbps/hd)

12.17. Why do I have to use the FQDN for hosts on my site?

You will probably find that the host is actually in a different domain; for example, if you are in foo.example.org and you wish to reach a host called mumble in the example.org domain, you will have to refer to it by the fully-qualified domain name, mumble.example.org, instead of just mumble.

Traditionally, this was allowed by BSD BIND resolvers. However the current version of bind (see named(8)) that ships with FreeBSD no longer provides default abbreviations for non-fully qualified domain names other than the domain you are in. So an unqualified host mumble must either be found as mumble.foo.example.org, or it will be searched for in the root domain.

This is different from the previous behavior, where the search continued across mumble.example.org, and mumble.edu. Have a look at RFC 1535 for why this was considered bad practice, or even a security hole.

As a good workaround, you can place the line

search foo.example.org example.org

instead of the previous

domain foo.example.org

into your /etc/resolv.conf file (see resolv.conf(5)). However, make sure that the search order does not go beyond the “boundary between local and public administration”, as RFC 1535 calls it.

12.18. Why do I get an error, “Permission denied”, for all networking operations?

If you have compiled your kernel with the IPFIREWALL option, you need to be aware that the default policy is to deny all packets that are not explicitly allowed.

If you had unintentionally misconfigured your system for firewalling, you can restore network operability by typing the following while logged in as root:

# ipfw add 65534 allow all from any to any

You can also set firewall_type="open" in /etc/rc.conf.

For further information on configuring a FreeBSD firewall, see the Handbook chapter.

12.19. How much overhead does IPFW incur?

Please see the Handbook's Firewalls section, specifically the section on IPFW Overhead & Optimization.

12.20. Why is my ipfw “fwd” rule to redirect a service to another machine not working?

Possibly because you want to do network address translation (NAT) and not just forward packets. A “fwd” rule does exactly what it says; it forwards packets. It does not actually change the data inside the packet. Say we have a rule like:

01000 fwd 10.0.0.1 from any to foo 21

When a packet with a destination address of foo arrives at the machine with this rule, the packet is forwarded to 10.0.0.1, but it still has the destination address of foo! The destination address of the packet is not changed to 10.0.0.1. Most machines would probably drop a packet that they receive with a destination address that is not their own. Therefore, using a “fwd” rule does not often work the way the user expects. This behavior is a feature and not a bug.

See the FAQ about redirecting services, the natd(8) manual, or one of the several port redirecting utilities in the ports collection for a correct way to do this.

12.21. How can I redirect service requests from one machine to another?

You can redirect FTP (and other service) request with the socket package, available in the ports tree in category “sysutils”. Simply replace the service's command line to call socket instead, like so:

ftp stream tcp nowait nobody /usr/local/bin/socket socket ftp.example.com ftp

where ftp.example.com and ftp are the host and port to redirect to, respectively.

12.22. Where can I get a bandwidth management tool?

There are three bandwidth management tools available for FreeBSD. dummynet(4) is integrated into FreeBSD as part of ipfw(4). ALTQ is available for free on FreeBSD 4.X and has been integrated into FreeBSD 5.X as part of pf(4). Bandwidth Manager from Emerging Technologies is a commercial product.

12.23. Why do I get “/dev/bpf0: device not configured”?

You are running a program that requires the Berkeley Packet Filter (bpf(4)), but it is not in your kernel. Add this to your kernel config file and build a new kernel:

pseudo-device bpf        # Berkeley Packet Filter

On FreeBSD 4.X and earlier, you must also create the device node. After rebooting, go to the /dev directory and run:

# sh MAKEDEV bpf0

Please see the Handbook entry on device nodes for more information on managing devices.

12.24. How do I mount a disk from a Windows machine that is on my network, like smbmount in Linux?

Use the SMBFS toolset. It includes a set of kernel modifications and a set of userland programs. The programs and information are available as net/smbfs in the ports collection, or in the base system as of 4.5-RELEASE and later.

12.25. What are these messages about “icmp-response bandwidth limit 300/200 pps” in my log files?

This is the kernel telling you that some activity is provoking it to send more ICMP or TCP reset (RST) responses than it thinks it should. ICMP responses are often generated as a result of attempted connections to unused UDP ports. TCP resets are generated as a result of attempted connections to unopened TCP ports. Among others, these are the kinds of activities which may cause these messages:

  • Brute-force denial of service (DoS) attacks (as opposed to single-packet attacks which exploit a specific vulnerability).

  • Port scans which attempt to connect to a large number of ports (as opposed to only trying a few well-known ports).

The first number in the message tells you how many packets the kernel would have sent if the limit was not in place, and the second number tells you the limit. You can control the limit using the net.inet.icmp.icmplim sysctl variable like this, where 300 is the limit in packets per second:

# sysctl -w net.inet.icmp.icmplim=300

If you do not want to see messages about this in your log files, but you still want the kernel to do response limiting, you can use the net.inet.icmp.icmplim_output sysctl variable to disable the output like this:

# sysctl -w net.inet.icmp.icmplim_output=0

Finally, if you want to disable response limiting, you can set the net.inet.icmp.icmplim sysctl variable (see above for an example) to 0. Disabling response limiting is discouraged for the reasons listed above.

12.26. What are these “arp: unknown hardware address format” error messages?

This means that some device on your local Ethernet is using a MAC address in a format that FreeBSD does not recognize. This is probably caused by someone experimenting with an Ethernet card somewhere else on the network. You will see this most commonly on cable modem networks. It is harmless, and should not affect the performance of your FreeBSD machine.

12.27. I have just installed CVSup but trying to execute it produces errors. What is wrong?

First, see if the error message you are receiving is like the one shown below.

/usr/libexec/ld-elf.so.1: Shared object "libXaw.so.6" not found

Errors like these are caused by installing the net/cvsup port on a machine which does not have the XFree86 suite. If you want to use the GUI included with CVSup you will need to install XFree86 now. Alternatively if you just wish to use CVSup from a command line you should delete the package previously installed. Then install the net/cvsup-without-gui port. This is covered in more detail in the CVSup section of the Handbook.

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <[email protected]>.
For questions about this documentation, e-mail <[email protected]>.