Hi Kenneth!

 > I'm having some limited success in getting Dachstein 1.02 to run as
 > just a router between two private networks, 192.168.1.0 and
 > 192.168.2.0, with 192.168.2.0 being an expansion to the 192.168.1.0
 > network which is just about full. In terms of machines on either
 > network being able to see the other (aka 192.168.1.195 being able
 > to ping 192.168.2.195 and vice versa) I've had

I've never tried to do this but I do believe I've a pretty good idea
of where you should look...

 > able to be received back by the Network file server other
 > information sent by JetDirect on ports 1782 and 161.

More on this later...

 > Currently my guess is that the router is blocking such traffic when
 > I saw this message in my logs on Dachstein machine:

Only partially...

Let's read this log...

 > Packet log: input REJECT eth1 PROTO=17 192.168.1.138:1705
 > 192.168.2.2:161 L=68 S=0x00 I=44714 F=0x0000 T=128 (#3)
 > With 192.168.1.138 being my server and 192.168.2.2 being my printer

On the INPUT chain, for interface eth1, in UDP (PROTO=17), your server
using port 1705 (dynamically assigned) tried to communicate with your
printer on its port 161 (a service port provided by the printer,
that's interesting...) and all of this was denied by rule #3...

I tried to look up rule #3 to have a better idea of what the rule
denying the traffic was but unfortunately (actually fortunately for
me (-; ) I've the FIREWALL ruleset and not the ROUTER one...

Ok, let's turn off my ADSL modem and change that ruleset...

Done...

Now let's reload it... (svi network ipfilter reload)

O.k., what does rule #3 look like now...

  0     0 REJECT     udp  ----l- 0xFF 0x00  * 
      0.0.0.0/0            0.0.0.0/0             * -> 161:162

That's VERY interesting, there's a rule in there specifically for that
kind of traffic...

O.k., what are those ports... Let's go to the IANA for their
assignments... ( http://www.iana.org/assignments/port-numbers )

Port 1782 is HP specific...

hp-hcip         1782/tcp    hp-hcip
hp-hcip         1782/udp    hp-hcip

while 161 and 162 are:

snmp            161/tcp    SNMP
snmp            161/udp    SNMP
snmptrap        162/tcp    SNMPTRAP
snmptrap        162/udp    SNMPTRAP

SNMP!!!

O.k., let's look at /etc/ipfilter.conf...

The relevant part is:

<<
# A function to control SNMP access on a network
snmpBlock () {
         local LIST=$1
         local DEST_IP=$2
         local SNMP_IP
         shift 2

         # Nothing is added unless SNMP_BLOCK is exactly YES, Yes or yes
         if [ "$SNMP_BLOCK" != "YES" -a "$SNMP_BLOCK" != "Yes" \
                 -a "$SNMP_BLOCK" != "yes" ] ; then
                 return 0
         fi

         # One ACCEPT rule per (space-separated) SNMP manager address
         for SNMP_IP in $SNMP_MANAGER_IPS; do
                 $IPCH -A $LIST -j ACCEPT -p udp -s $SNMP_IP -d $DEST_IP 161:162 $*
         done; unset SNMP_IP
         # Then reject (and log, -l) UDP 161:162 from everybody else
         $IPCH -A $LIST -j REJECT -p udp -s 0/0 -d $DEST_IP 161:162 -l $*
}
 >>

O.k. let's see... If SNMP_BLOCK is not YES (i.e. if SNMP_BLOCK=NO or
probably just about anything but YES or Yes or yes, I'm sure there's
no other validation of content anywhere else...), the rules won't be
added... So setting SNMP_BLOCK=NO (it's just after
IPFILTER_SWITCH=ROUTER (or FIREWALL or NONE)) would work...

OTOH, if you want to keep that protection active, you could uncomment
SNMP_MANAGER_IPS in network.conf and put the IP addresses of the pc(s)
you wish to be able to contact your printer using SNMP (I could be
mistaken but it does seem to work that way... BTW, that list is space
separated...) and that should work...

This is the relevant part of /etc/network.conf:

<<

###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################

# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=ROUTER

# This set of variables is used with both sets of filters
SNMP_BLOCK=YES                  # Block all SNMP (YES/NO)
                                 # List of IP Nos used for SNMP management
SNMP_MANAGER_IPS="192.168.1.138"
 >>

 > Also, just as experiment to find out if I even have my network setup
 > correctly I did a quick and dirty test using I "think" the same
 > configuration with LRP 2.9.8 that I used with Dachstein (as best I
 > could

The additional parameters (i.e. the SNMP-related ones) "appear" to
originally come from Materhorn/Eiger scripts (from which Eigerstein &
Dachstein are "derivatives").

 > Does anyone have any thoughts on what I might have configured wrong?

Can't say it was actually configured wrong per se but more that some
additional config was required...

BTW, I might not have exactly the same scripts as you (but according
to the changelog it seems they should be very close) since my firewall
is Dachstein CD 1.0.1-based (but booting off a write-protected scsi
hd (-; ....). One other thing, I don't think you should have any
problems using private space IP addresses while in ROUTER mode as
the stopmartians () procedure is apparently not run in that
mode but if it is, you'll probably have to comment it out as
somebody suggested...

Good luck!

Nicolas Riendeau

PS: Please forgive my English as it's not my mother tongue. Thanks!

PPS: Don't worry, I've rebooted my firewall after these tests.... (-;
(-; (-;
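Putting the two halves of the analysis above together, as an added example that is my own code and not part of the Dachstein scripts: it parses the ipchains "Packet log:" line quoted earlier and then replays the snmpBlock() policy (exact YES/Yes/yes test, space-separated SNMP_MANAGER_IPS, catch-all REJECT on UDP 161:162) against it, so you can see which combination lets the server reach the printer. The regular expression assumes the field layout of that quoted line.

```python
import re

# Log line quoted earlier in this thread (ipchains on a Linux 2.2 kernel).
LOG_LINE = ("Packet log: input REJECT eth1 PROTO=17 192.168.1.138:1705 "
            "192.168.2.2:161 L=68 S=0x00 I=44714 F=0x0000 T=128 (#3)")

# chain, verdict, interface, IP protocol, src:sport, dst:dport, then
# length/TOS/id/flags/TTL and finally the number of the matching rule.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SNMP_PORTS = range(161, 163)        # the 161:162 range used by snmpBlock()

def parse_packet_log(line):
    """Split an ipchains 'Packet log:' line into a dict of typed fields."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line: %r" % line)
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        pkt[key] = int(pkt[key])
    pkt["proto_name"] = PROTO_NAMES.get(pkt["proto"], str(pkt["proto"]))
    return pkt

def snmp_block_verdict(pkt, snmp_block, snmp_manager_ips):
    """Replay the rules snmpBlock() adds: 'ACCEPT', 'REJECT', or None when
    they do not apply (protection off, or not UDP to 161/162). The rule
    listing quoted above has destination 0.0.0.0/0, so -d is not checked."""
    # The script tests for exactly YES, Yes or yes; any other spelling,
    # 'yEs' included, silently leaves the SNMP rules out.
    if snmp_block not in ("YES", "Yes", "yes"):
        return None
    if pkt["proto_name"] != "udp" or pkt["dport"] not in SNMP_PORTS:
        return None
    # SNMP_MANAGER_IPS is space-separated; each entry gets an ACCEPT rule
    # ahead of the catch-all, logged (-l) REJECT rule.
    if pkt["src"] in snmp_manager_ips.split():
        return "ACCEPT"
    return "REJECT"

if __name__ == "__main__":
    pkt = parse_packet_log(LOG_LINE)
    print("%(chain)s %(verdict)s: %(proto_name)s %(src)s:%(sport)d -> "
          "%(dst)s:%(dport)d (rule #%(rule)d)" % pkt)
    for block, managers in (("YES", ""), ("YES", "192.168.1.138"), ("NO", "")):
        print("SNMP_BLOCK=%s SNMP_MANAGER_IPS=%r -> %s"
              % (block, managers, snmp_block_verdict(pkt, block, managers)))
```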


_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user