How can I define multiple IP addresses on one interface?

113345 (Verified User; joined Mar 14, 2004; 33 messages; The Netherlands)
Hi,

my server (running FreeBSD 4.9) has 4 IP addresses, but I can
only define one address in the rules.
-----
/** set these to your outside interface network and netmask and ip **/
#define oif em0
#define oip 217.xxx.xxx.20
#define onet 217.xxx.xxx.0:255.255.255.224

/** Stop spoofing **/
add deny log all from oip to any in via oif
-----
When I try this:
#define oip 217.xxx.xxx.20,217.xxx.xxx.21

I get an error:
ipfw: hostname ``217.xxx.xxx.20,217.xxx.xxx.21'' unknown

I tried the same in 5.2.1, and it works...
What am I doing wrong?
 
Hello,

DA adds extra IPs to the interface with the /usr/local/etc/rc.d/startips script. Perhaps they're fighting. Try running the startips script after you load the firewall.

John
 
Hi,

I have already added the IPs in /etc/rc.conf:
-----
# standard address (sv1.xxxx.net)
ifconfig_em0="inet 217.xxx.xxxx.22 netmask 255.255.255.224"
#
# nameserver 1 (ns1.xxxx.net)
ifconfig_em0_alias0="inet 217.xxx.xxx.20 netmask 255.255.255.255"
#
# shared webserver and DirectAdmin registration address (www1.xxxx.net)
ifconfig_em0_alias1="inet 217.xxx.xxx.21 netmask 255.255.255.255"
#
# nameserver 2 (ns3.xxxx.net)
ifconfig_em0_alias2="inet 217.xxx.xxx.23 netmask 255.255.255.255"
#
-----
If I execute /etc/rc.firewall by hand I get the same error.
When it is executed during startup of the server, the firewall ends up closed.
I have serial connections between 2 servers, so the closure of the firewall is not deadly.

When I use this rule:
-----
#define oif em0
#define oip 217.xxx.xxx.20/29
#define onet 217.xxx.xxx.0:255.255.255.224
-----
I can have communication, but because this rule is also present:
-----
/** Stop spoofing **/
add deny log all from oip to any in via oif
-----
there is no communication possible with my other server, because it has IPs in the same block.

I have used the firewall HOWTO from existenz in this thread: http://www.directadmin.com/forum/showthread.php?s=&threadid=2500
 
It is fixed.

What I did was use a new line for every IP:
-----
#define oip0 217.xxx.xxx.20
#define oip1 217.xxx.xxx.21
#define oip2 217.xxx.xxx.22
#define oip3 217.xxx.xxx.23
-----
and for the rules:
-----
add allow tcp from any to oip0 25 setup
add allow tcp from any to oip1 25 setup
add allow tcp from any to oip2 25 setup
add allow tcp from any to oip3 25 setup
etc ....
etc ...
-----
A bit later I moved all the rules from /usr/local/etc/firewall.rules to /etc/rc.firewall:
-----
[Ss][Ee][Rr][Vv][Ee][Rr])
# Set these to your outside interface network and netmask and ip.
oif="em0"
onet="217.xxx.xxx.0"
omask="255.255.255.224"
oip0="217.xxx.xxx.24"
oip1="217.xxx.xxx.25"
oip2="217.xxx.xxx.26"
oip3="217.xxx.xxx.27"

# Set these to your inside interface network and netmask and ip.
iif="em1"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.2"

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
etc...
etc...
-----
In /etc/rc.conf I changed:
firewall_type="/usr/local/etc/firewall.rules"
to
firewall_type="server"
and removed:
firewall_flags="-p cpp"
-----
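The fix above (one define, and later one shell variable, per address, with every rule repeated for each of them) is the right shape for ipfw on FreeBSD 4.x, which has no comma-separated address lists. The anti-spoofing rule in particular must name the host's own addresses one by one: writing it as a prefix (the /29 tried earlier) denies inbound packets from every neighbour in that block, which is exactly why the other server became unreachable. The following sh script is an added example, not code from the thread or from DirectAdmin, showing how to generate those per-address rules with a loop instead of oip0..oip3 by hand. The interface name, the 192.0.2.x addresses and the port list are placeholders; `fwcmd` defaults to `echo ipfw` so the script only prints the rules it would load (set `fwcmd=/sbin/ipfw` to load them for real, as /etc/rc.firewall does).

```sh
#!/bin/sh
# Added example (not from the original thread): build per-address ipfw
# rules for a host with several aliases on its outside interface, in the
# style of the FreeBSD 4.x /etc/rc.firewall "server" section.
# Interface, addresses and ports are assumed placeholders.
# fwcmd defaults to "echo ipfw" so nothing is loaded; use /sbin/ipfw to load.

: "${fwcmd:=echo ipfw}"

# Anti-spoofing: deny inbound packets on the outside interface that claim
# to come from one of OUR addresses. One rule per address, never a prefix
# covering the whole block, or legitimate neighbours in the same block are
# denied too.
# Usage: antispoof_rules <oif> <ip> [<ip> ...]
antispoof_rules() {
    oif=$1; shift
    for ip in "$@"; do
        echo "add deny log all from $ip to any in via $oif"
    done
}

# One "allow tcp ... setup" rule per address and per listening port.
# Usage: service_rules <oif> "<port> <port> ..." <ip> [<ip> ...]
service_rules() {
    oif=$1; ports=$2; shift 2
    for ip in "$@"; do
        for port in $ports; do
            echo "add allow tcp from any to $ip $port setup"
        done
    done
}

# Complete rule set for the outside interface. The first three rules are
# numbered as in rc.firewall; the rest get automatic numbers, so order
# matters: spoof denies must precede the service allows.
# Usage: build_ruleset <oif> <ip> [<ip> ...]
build_ruleset() {
    oif=$1; shift
    echo "add 100 pass all from any to any via lo0"
    echo "add 200 deny all from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"
    antispoof_rules "$oif" "$@"
    service_rules "$oif" "25 53 80" "$@"   # assumed ports: smtp, dns, http
    echo "add deny log all from any to any"
}

# Feed each generated rule to $fwcmd (echo by default, /sbin/ipfw for real).
load_ruleset() {
    build_ruleset "$@" | while read -r rule; do
        # shellcheck disable=SC2086
        $fwcmd $rule
    done
}

# Example: outside interface em0 with four aliases (placeholder addresses
# from the documentation range, standing in for the thread's 217.xxx.xxx.*).
load_ruleset em0 192.0.2.20 192.0.2.21 192.0.2.22 192.0.2.23
```

Run it once with the default `fwcmd` and compare the printed rules with what the old cpp-based file produced; only then point `fwcmd` at /sbin/ipfw. If the rule set must also pass traffic for the second server in the same block, nothing extra is needed: its addresses are simply not in the deny list. Newer ipfw versions also offer the `me` keyword for "any address configured on this host", which removes the per-address loop for the spoof rule; check ipfw(8) on the release in use before relying on it.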