[masq] (Fwd) Re: [masq] ipchains - proper forum?
Subject: Re: [masq] ipchains - proper forum?

> > Is discussing ipchains on this list appropriate since it appears as if
> > ipchains is pretty much going to replace ipmasq as we currently know it?
>
> IPCHAINS will only replace IPFWADM. MASQ is still a function of the Linux
> kernel. So.. YES.. this is a perfect place to talk about IPCHAINS.

I agree. This list is populated by folks doing firewalls for fun and/or
profit, and if ipchains is the future, we'd all better get up to speed soon.

"Some people crave baseball - I find this unfathomable - but I can easily
understand why a person could get excited about playing a bassoon."
                                                            Frank Zappa

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
[masq] Blocking certain domain names
I would like to start putting in firewall rules to block ANYTHING from
certain domain names. For instance, I'll often get hit from
(something).sp.mandic.com.br, but there doesn't seem to be a contiguous IP
range. I think I figured out that I need

    ipfwadm -I -a deny -S mandic.com.br

to do that. Will that block (something).sp.mandic.com.br?

Also, how would I check it? I've been trying variants of

    ipfwadm -I -c -S (ip address) -W eth0

but whatever I try, I get one error message or another.

Thanks in advance.

---
David Kramer   [EMAIL PROTECTED]   http://start.at/david.kramer
Anyone can become angry -- that is easy; but to be angry with the right
person, to the right degree, at the right time, for the right purpose and
in the right way -- that is not easy.   Aristotle
[masq] Masq/FTP/ipchains
I posted a similar message recently to a Usenet group. Hopefully, you guys
will know better:

I got my Austin Roadrunner service up and running with Linux (Redhat 5.1 +
kernel 1.2.126) masquerading a RFC1918 network. Surprisingly, there is
currently no need for the authorization process in my area - I suppose I'll
need to watch out for this. There should be a temporary kludge to get it
working by running the authorization program on an internal NT box - we'll
see. I plan on writing a Linux based process should the need arise.

My question to anyone with ipfw experience is this: I would like to open
inbound ftp-data sourced requests but only to my masqueraded boxes (to
prevent someone manually sourcing the ftp-data port and breaking my
firewall). The ftp masq module should take care of any security problems,
but since the ipfw stuff is only based on 'real' IPs on the unsecured side,
I can't seem to do this. Am I right in assuming this is the case, or is
there a way to match incoming requests on a 'post masquerade' basis?

Essentially, I'd like to do something like:

    ipchains -A input -i eth0 -p TCP -y -s 0.0.0.0/0 ftp-data -d RFCNET/24 -j ACCEPT

where eth0 = RoadRunner connection and RFCNET = my 1918 internal network.

Or, for a step by step description:

  1) packet comes in sourced with ftp-data port
  2) input filter lets it through
  3) masquerade either handles it or passes it through
  4) ipfw blocks the packet if masq can't handle it.

Hopefully, this makes some kind of sense. Thanks!

-C

Oh! BTW, does anyone have experience setting up GRE tunnels with Linux? I'd
be very interested in hearing from you...
[masq] Getting traceroute to work through a firewall + ipmasquerading configuration
Greetings everyone,

I've got a public IP address for my gateway. The gateway is doing IP
masquerading for my entire LAN. The gateway also acts as a firewall. If I
take down the firewall (i.e. flush all Input and Output rules) and just
leave masquerading running, I can traceroute from the LAN. However, as soon
as I enable the firewall rules, traceroute fails to work.

Does anyone know what changes I should make to my firewall configuration in
order to get traceroute working? Does it use ICMP + something else? If so,
which ports/protocol does it use?

A relevant selection from my current I/O/F rules follows:

    LOCALHOST="gateway"
    LOCALNET="160.160.100.0/24"
    ANYWHERE="0.0.0.0/0"
    IFINTERN="160.160.100.1"
    IFEXTERN="196.123.123.123"
    UNPRIVPORTS="1024:65535"

    # Deny anything coming in
    "$IPFWADM" -I -p deny
    "$IPFWADM" -O -p deny
    "$IPFWADM" -F -p deny

    # Refuse spoofed packets
    "$IPFWADM" -I -a deny -V $IFEXTERN -S $LOCALNET
    "$IPFWADM" -I -a deny -V $IFEXTERN -S $IFEXTERN

    # Unlimited traffic within the local network
    "$IPFWADM" -I -a accept -V $IFINTERN
    "$IPFWADM" -O -a accept -V $IFINTERN

    # Loopback interface is valid
    "$IPFWADM" -I -a accept -V 127.0.0.1
    "$IPFWADM" -O -a accept -V 127.0.0.1

    # Unlimited ICMP traffic
    "$IPFWADM" -I -a accept -P icmp
    "$IPFWADM" -O -a accept -P icmp

    # Masquerading
    "$IPFWADM" -F -a m -W ppp0 -S "$LOCALNET" -D "$ANYWHERE"

Thanks
Henty
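The UDP traceroute path through these three chains, modelled offline. This is an added example, not part of Henty's post or of any answer on the list. It transcribes the rules above, walks a constructed probe from a LAN host through input, forward and output, and shows it dying at the output chain's deny policy (the "unlimited ICMP" rules already let the time-exceeded replies back in). One extra output rule for masqueraded UDP to the traceroute port range lets the probes out. Assumptions: classic UDP traceroute (destination ports 33434 and up, replies as ICMP type 11 and, from the last hop, type 3 code 3); -V and -W both modelled as an interface address so "-W ppp0" becomes $IFEXTERN; and the constructed addresses 160.160.100.7, 198.51.100.9 and 203.0.113.1.

```python
"""Offline model of ipfwadm first-match evaluation for the traceroute question.
Added example; the chain walk and the -V/-W simplification are assumptions."""
from dataclasses import dataclass, replace as dc_replace
from typing import List, Optional, Tuple
import ipaddress

LOCALNET = "160.160.100.0/24"
ANYWHERE = "0.0.0.0/0"
IFINTERN = "160.160.100.1"
IFEXTERN = "196.123.123.123"
LOOPBACK = "127.0.0.1"
# Classic UDP traceroute: 30 hops x 3 probes starting at 33434 (assumed defaults).
TRACEROUTE_PORTS = (33434, 33434 + 30 * 3)


@dataclass
class Rule:
    chain: str                                  # "I", "O" or "F"
    action: str                                 # "accept", "deny" or "masq" (-a m)
    iface: Optional[str] = None                 # -V / -W, as an interface address
    proto: Optional[str] = None                 # -P
    src: Optional[str] = None                   # -S network
    dst: Optional[str] = None                   # -D network
    dports: Optional[Tuple[int, int]] = None    # destination port range


@dataclass
class Packet:
    iface: str          # address of the interface the packet is on in this chain
    proto: str
    src: str
    dst: str
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every option given on the rule must match; unspecified options are wildcards."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    return True


def run_chain(chain: str, rules: List[Rule], pkt: Packet, policy: str = "deny") -> str:
    """First matching rule in the chain wins; otherwise the chain policy (-p) applies."""
    for r in rules:
        if r.chain == chain and matches(r, pkt):
            return r.action
    return policy


def forward_path(rules: List[Rule], pkt: Packet, egress: str) -> Tuple[str, str]:
    """Walk a LAN-originated packet through input, forward and output.
    Returns (verdict, chain-that-decided); a masq verdict in forward rewrites
    the source to the egress address before the output chain sees it."""
    v = run_chain("I", rules, pkt)
    if v != "accept":
        return v, "input"
    v = run_chain("F", rules, dc_replace(pkt, iface=egress))
    if v == "deny":
        return v, "forward"
    out = dc_replace(pkt, iface=egress, src=(egress if v == "masq" else pkt.src))
    v = run_chain("O", rules, out)
    return (v, "output") if v != "accept" else ("accept", "done")


# Henty's rules, transcribed from the post (policy deny on all three chains).
HENTY_RULES = [
    Rule("I", "deny", iface=IFEXTERN, src=LOCALNET),      # anti-spoofing
    Rule("I", "deny", iface=IFEXTERN, src=IFEXTERN),
    Rule("I", "accept", iface=IFINTERN),                  # LAN side wide open
    Rule("O", "accept", iface=IFINTERN),
    Rule("I", "accept", iface=LOOPBACK),
    Rule("O", "accept", iface=LOOPBACK),
    Rule("I", "accept", proto="icmp"),                    # all ICMP, both ways
    Rule("O", "accept", proto="icmp"),
    Rule("F", "masq", iface=IFEXTERN, src=LOCALNET, dst=ANYWHERE),
]

# The rule the set is missing: let masqueraded UDP probes leave on ppp0.
TRACEROUTE_RULE = Rule("O", "accept", iface=IFEXTERN, proto="udp",
                       src=IFEXTERN, dst=ANYWHERE, dports=TRACEROUTE_PORTS)


def lan_probe(hop: int = 1) -> Packet:
    """Constructed traceroute probe from a LAN host to a public address."""
    return Packet(iface=IFINTERN, proto="udp", src="160.160.100.7",
                  dst="198.51.100.9", dport=33434 + (hop - 1) * 3)


def icmp_reply() -> Packet:
    """Constructed ICMP time-exceeded reply from the first router, arriving on ppp0."""
    return Packet(iface=IFEXTERN, proto="icmp", src="203.0.113.1", dst=IFEXTERN)


def check_traceroute(rules: List[Rule]):
    """Where the probe and its reply end up under a rule set."""
    return forward_path(rules, lan_probe(), egress=IFEXTERN), run_chain("I", rules, icmp_reply())


if __name__ == "__main__":
    print("original rules:", check_traceroute(HENTY_RULES))   # probe denied in output
    print("with UDP rule: ", check_traceroute(HENTY_RULES + [TRACEROUTE_RULE]))
```

The output chain is the culprit because "-O -p deny" only carries exceptions for the internal interface, loopback and ICMP, so the masqueraded UDP probe has nothing to match. TCP or ICMP-echo flavours of traceroute need a different output rule; the range above is only the UDP default.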
[masq] Transparent proxy
Hi,

I hope this is not off-topic. If it is, please tell me where it would be
more appropriate.

I got a question concerning the transparent proxy support in the Linux
kernel. As I understand it, the Linux box will catch any outgoing request
to a specific port and redirect it to a local port (if you set it up
correctly with ipfwadm). Now if I write a proxy application on the Linux
machine that will accept these redirected requests, can it somehow inquire
where the original request was going?

To make it a little clearer, here is a small graph:

    +---------------+     +---------------+
    | Remote host 1 |     | Remote host 2 |
    +---------------+     +---------------+
              \               /
               \             /
            +-------------------+
            |    Linux host     |
            |   with transp.    |
            |      proxy        |
            +-------------------+
                      |
                      |
            +-------------------+
            |      Client       |
            |      machine      |
            +-------------------+

OK, my client machine tries to connect to remote host 1 on port xyz. Linux
catches the request and forwards it to a local port where a proxy is
listening. Does this process know if I was trying to reach remote host 1 or
2 (or any other machine)?

Thanks for your help,
Lars

P.S. Are there any more infos regarding this feature? There are 5 lines or
so in the ipfwadm manpage, but I couldn't find anything else.

--
Anything is possible, unless it's not.
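How a proxy behind an ipfwadm redirect finds out where the client was really going, as an added example that is not part of Lars's post or of any particular proxy. Assumption: on the Linux 2.0/2.2 transparent-proxy kernels the question is about (CONFIG_IP_TRANSPARENT_PROXY plus an "ipfwadm -I ... -r port" rule), getsockname() on the accepted socket reports the original destination rather than the proxy's own listening address; later netfilter kernels moved that information to getsockopt(SOL_IP, SO_ORIGINAL_DST), which the second helper shows. The demo runs offline over a plain loopback connection, where there is no redirect and both answers degenerate to the listener's own address; the helper names and the value 80 for SO_ORIGINAL_DST are the only things not on the page.

```python
"""Transparent proxy: recover the client's original destination.
Added example; which call applies depends on the kernel generation (see lead-in)."""
import socket
import struct
import threading
from typing import Optional, Tuple

SO_ORIGINAL_DST = 80   # Linux netfilter option number; not exported by the socket module


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Linux 2.0/2.2 transparent proxy: the kernel answers getsockname() on a
    redirected connection with the address the client actually dialled.
    On an unredirected connection this is just the listener's own address."""
    host, port = conn.getsockname()[:2]
    return host, port


def original_destination_netfilter(conn: socket.socket) -> Optional[Tuple[str, int]]:
    """Same question on a netfilter kernel: REDIRECT keeps the original tuple in
    conntrack and exposes it as a sockaddr_in via SO_ORIGINAL_DST.
    Returns None where the option is unsupported (non-Linux, no conntrack)."""
    try:
        raw = conn.getsockopt(getattr(socket, "SOL_IP", 0), SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    if len(raw) < 8:
        return None
    port = struct.unpack("!H", raw[2:4])[0]      # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port


def serve_once(listener: socket.socket) -> Tuple[str, int]:
    """Accept one redirected connection, work out where it was headed, and tell
    the client. A real proxy would connect to that destination and relay bytes."""
    conn, _peer = listener.accept()
    with conn:
        dst = original_destination(conn)
        conn.sendall(f"{dst[0]}:{dst[1]}\n".encode())
    return dst


def demo() -> Tuple[Tuple[str, int], str]:
    """Loopback round trip: returns (destination seen by the proxy, line the
    client read back). Without a redirect both name the listener itself."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}

    def proxy_side():
        seen["dst"] = serve_once(listener)

    t = threading.Thread(target=proxy_side)
    t.start()
    with socket.create_connection(listener.getsockname()) as client:
        reply = client.makefile().readline().strip()
    t.join()
    listener.close()
    return seen["dst"], reply


if __name__ == "__main__":
    print(demo())
```

The point of the split into two helpers is that the answer to "where was the client going" moved between kernel generations: a proxy written against the ipfwadm-era behaviour must call getsockname() on the accepted socket before doing anything else, and must not trust the listener's bind address, which under a redirect is not what the client asked for.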
Re: [masq] Blocking certain domain names
David Kramer [EMAIL PROTECTED] wrote:

> I would like to start putting in firewall rules to block ANYTHING from
> certain domain names.

What sounds simple on the surface is often not-so-simple underneath.

> For instance, I'll often get hit from (something).sp.mandic.com.br, but
> there doesn't seem to be a contiguous IP range.

What do you mean by "get hit"?

> I think I figured out that I need
>     ipfwadm -I -a deny -S mandic.com.br
> to do that. Will that block (something).sp.mandic.com.br?

No. The IP forwarding rules work on just that: IP addresses. They know
nothing about domain names. In fact, there is never a direct way to
translate between a domain name and an IP address. For every IP address,
you must perform a DNS reverse-lookup in order to find out what name (if
any!) is associated with an IP address. This is complicated by the fact
that there can be more than one name that maps to an IP address, and there
is not necessarily a reverse-mapping from the IP address back to a name,
plus the fact that DNS services can be slow, or unavailable at times, and
you certainly don't want your kernel to BLOCK and WAIT for the name server
to answer and tell you whether you should drop or forward this packet that
just came in...

Anyway, what you want to do is look up these various hosts, and either
block their specific IPs, or block the subnet(s) on which they exist. You
could probably use the nslookup command "ls" to get a listing of the
domain, as I've done here:

    % nslookup
    Default Server:  zero.foxtaur.com
    Address:  192.0.2.5

    > set type=ns
    > sp.mandic.com.br.
    Server:  zero.foxtaur.com
    Address:  192.0.2.5

    sp.mandic.com.br        nameserver = gandalf.mandic.com.br
    sp.mandic.com.br        nameserver = merlim.mandic.com.br
    sp.mandic.com.br        nameserver = oz.mandic.com.br
    sp.mandic.com.br        nameserver = hermes.mandic.com.br
    gandalf.mandic.com.br   internet address = 200.246.227.152
    merlim.mandic.com.br    internet address = 200.246.227.35
    oz.mandic.com.br        internet address = 200.246.125.3
    hermes.mandic.com.br    internet address = 200.246.125.5

    > server gandalf.mandic.com.br
    Default Server:  gandalf.mandic.com.br
    Address:  200.246.227.152

    > ls mandic.com.br.
    [gandalf.mandic.com.br]
    [... lots and lots of hostnames and IP addresses...]

So then you can go through this list and either group them into subnets
for blocking, or just make a specific rule for hosts that you know you
don't want to hear from.

> Also, how would I check it? I've been trying variants of
>     ipfwadm -I -c -S (ip address) -W eth0
> but whatever I try, I get one error message or another.

I have never used the -c option to ipfwadm, but from what I read on the
subject, it seems that you must be very specific when you give it the
parameters. That is, you can't just ask "What if a packet had this source
address?" You must give a specific question, like "What if this packet had
this source address, this source port, that destination address, that
port, was protocol UDP, and came in on this interface?" Essentially,
specify every option that there is.

    ipfwadm -I -c -S 192.0.2.5 1234 -D 192.168.1.45 23 -P tcp -W eth0

--
[EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
http://www.dallas.net/~fox/        ||                      -- Charlie Brown
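The procedure the reply describes, resolve the names offline and then block by address, per host or per subnet, as an added example that is neither David's nor Fuzzy Fox's code. The address list is constructed: the four mandic.com.br name servers shown in the nslookup session plus two hypothetical dial-up hosts (marked) so the aggregation has something to merge; the external interface name "eth0" and the "-D 0.0.0.0/0" on the generated rules are assumptions. The last helper answers David's "how would I check it?" without ipfwadm -c: if the address falls inside a blocked network, the rule will match it.

```python
"""Name-based blocking done the only way the kernel can do it: by address.
Added example; SAMPLE_RESOLVED is constructed, eth0 is an assumption."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed resolver output (hostname -> address). A real run would feed
# socket.gethostbyname or the "ls" listing from nslookup instead.
SAMPLE_RESOLVED: Dict[str, str] = {
    "gandalf.mandic.com.br": "200.246.227.152",      # from the nslookup session
    "merlim.mandic.com.br": "200.246.227.35",
    "oz.mandic.com.br": "200.246.125.3",
    "hermes.mandic.com.br": "200.246.125.5",
    "dialup1.sp.mandic.com.br": "200.246.227.200",   # hypothetical
    "dialup2.sp.mandic.com.br": "200.246.125.77",    # hypothetical
}


def resolve_all(names: Iterable[str],
                lookup: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Resolve each name once, up front, and skip names that fail. This is the
    reply's point: DNS is slow or absent at times, so never do it per packet."""
    addrs: List[str] = []
    for name in names:
        try:
            addrs.append(lookup(name))
        except (OSError, KeyError):      # gaierror is an OSError; KeyError for dict lookups
            continue
    return addrs


def aggregate(addrs: Iterable[str], prefixlen: int = 32) -> List[ipaddress.IPv4Network]:
    """Round every address down to a /prefixlen and merge adjacent or overlapping
    networks. prefixlen=32 gives one rule per host; 24 blocks the whole
    class-C-sized block each host sits in, innocent neighbours included."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    return sorted(ipaddress.collapse_addresses(nets))


def ipfwadm_rules(nets: Iterable[ipaddress.IPv4Network], extif: str = "eth0") -> List[str]:
    """One input-chain deny per network, pinned to the outside interface so a
    LAN host that happened to share an address could never be caught by it."""
    return [f"ipfwadm -I -a deny -W {extif} -S {n.with_prefixlen} -D 0.0.0.0/0"
            for n in nets]


def would_block(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """'Would a packet from this source be dropped?' is just a containment test."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    addrs = resolve_all(SAMPLE_RESOLVED, lookup=SAMPLE_RESOLVED.__getitem__)
    print("# per-subnet (/24) rules")
    for rule in ipfwadm_rules(aggregate(addrs, prefixlen=24)):
        print(rule)
    print("# per-host rules")
    for rule in ipfwadm_rules(aggregate(addrs)):
        print(rule)
```

The trade-off the reply hints at shows up in the two outputs: six per-host rules catch exactly the hosts seen so far and nothing else, while two /24 rules also catch the next dial-up address in the same block, and every unrelated customer of that provider with it.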
Re: [masq] Flood Pinging and Spoofing
> I have someone flood pinging my IPMasq PC from what I believe to be
> spoofed IP addresses. I would like to stop this. Is there any way to stop
> an IPMasq PC from responding to pings and/or spoofed packets?

Try this before your implicit IPFWADM deny/reject. $extif is the NAME of
your internet connection (PPP0, ETH0, etc):

    # ICMP: Deny ICMP
    /sbin/ipfwadm -I -a deny -W $extif -P icmp -S 0.0.0.0 -D $extip

BTW.. if you have people hacking at your box, you better have some security
in place ASAP or they WILL get in. I've worked LONG and hard on my TrinityOS
doc and it's better than ever..

NOTE: This is a new version as of today! I'll get around to updating the
Changes-log WWW page later. All TrinityOS changes are documented though.

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri

--David

..
| David A. Ranch - Remote Access/Linux/PC hardware   [EMAIL PROTECTED]  | !!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
[masq] more masq/firewall stuff...
So I think I finally dug up what I needed, but I wanted to bounce it off to
see if this is right. In the kernel, there is a defined start and length
for the ip_masq ports (61000 + 4096) by default. Am I correct to assume
that I can just permit this range of ports in arbitrarily and let the masq
stuff deal with it? Does the ftp_masq module use this same range?

thanks!
-C
[masq] VPN Question
Hi,

I was wondering if anyone knows where I can get additional documentation on
VPN and Linux aside from the VPN Howto.

Thanks,
Dave C.
[masq] NO ident server for irc (bitchx)
I'm using bitchx or any irc client on a client system (win95), but when I
try to connect to any IRC server I get an error message saying that I'm not
running an ident rfc14?? server, which I'm 100% sure that win95 is running.
I can telnet to the ipmasq server and use BitchX there and it will work.
What am I not doing...

Thanks..
Steve Beaulac