Linux-Networking Digest #754, Volume #10          Mon, 5 Apr 99 18:13:49 EDT

Contents:
  Re: Dialin-Server in WIN-Network: No browse-list on client (Ron Watkins)
  Re: 2 computers (Win98 & Linux) sharing modem to Internet (Frank Sweetser)
  Re: Linux VPN (Edward Lee)
  Re: Firewalls and proxy servers? (Don Baccus)
  Re: Here is my ipchains firewall. Any comment please ("razoon")
  Re: Compiling tulip.c ("Donald E. Stidwell")
  Re: slow 3c905b ([EMAIL PROTECTED])
  Winmodem (Dan)
  Re: Unable to FTP or telnet ("Russell S. DiPesa")
  Re: Linux Networking Performance Question? (Chris Pitzel)
  Samba (Freddie Haddad)
  Samba - lmhosts - password? ("Grimteck")
  Re: Winmodem ("Daniel G. Hyams")
  Re: VNC takes a hit running KDE (Jens Kristian Søgaard)
  NIC in Linux (Ian)
  Re: Linux in NT Domain (Roope Anttinen)
  Need help with custom Sendmail config (Tim Gibson)

----------------------------------------------------------------------------

From: Ron Watkins <[EMAIL PROTECTED]>
Subject: Re: Dialin-Server in WIN-Network: No browse-list on client
Date: Mon, 05 Apr 1999 12:13:37 -0700

You need WINS.  

Your other machines are probably all on the same wire, and they find each
other through broadcasts.  Broadcasts aren't carried over a PPP link.  You
need a WINS server if you want to do browsing across multiple subnets.  (there
are also solutions using LMHOSTS files but I found them very awkward and
unreliable.)

Ideally, add WINS services to a lightly-loaded machine or two, and reconfigure
your other machines to use those machines as their primary and secondary WINS
servers.  If you also configure your remote dialins to do the same thing, your
browsing will work again.   If you do implement two WINS servers, be sure to
set them to sync with each other. 

Samba can do both these things for you, but I believe it's not able to
properly replicate WINS information to other servers.  So if you do a Samba
WINS server, you can only have the one -- it won't (yet) talk to Microsoft
WINS servers, or even other Samba WINS servers.  

<<RON>>

------------------------------

From: Frank Sweetser <[EMAIL PROTECTED]>
Subject: Re: 2 computers (Win98 & Linux) sharing modem to Internet
Date: 05 Apr 1999 15:46:44 -0400

"Redshift" <[EMAIL PROTECTED]> writes:

> [message truncated for your convenience]
> 
> > OTOH, why try?  Two ISA 10BaseT cards and some coax will cost you
> > less than $30 any more, and then you can ABSOLUTELY do this and
> > several other useful things as well.
> 
> How?  I'd like to use my LINUX box as a gateway, firewall, e-mail server,
> content filter, proxy server, and cache.  This can be done for $30?   Thanks
> in advance!

gateway and firewall is simply ip forwarding with a few ipfwadm (or
ipchains for the newer kernels) rules thrown in.  email server is sendmail
(comes standard on nearly all linux distros) or, if you prefer, an
alternative such as qmail.  content filter, proxy server, and cache can all
be handled nicely by squid.

-- 
Frank Sweetser rasmusin at wpi.edu fsweetser at blee.net  | PGP key available
paramount.ind.wpi.edu RedHat 5.2 kernel 2.2.5        i586 | at public servers
I am not a vegetarian because I love animals; I am a vegetarian because I
hate plants.  --A. Whitney Brown

------------------------------

From: Edward Lee <[EMAIL PROTECTED]>
Subject: Re: Linux VPN
Date: Mon, 05 Apr 1999 09:06:31 -0700

By definition, local traffic (10.*) won't go outside your home machine.
Even if you force it to do so, your ISP doesn't know how to route it.
You need some real IPs on your company network.
===========================================
Disclaimer:
Reluctant user of R^ and M$ (not TM of ...)
I am not speaking on behalf of my employer


Steve Dietz wrote:

> I am running RedHat 5.2 as an Internet gateway for my company. All
> internal machines are configured on 10.x.x.x addresses - Linux is
> running IPMasquerading to allow Internet access.
>
> What I want to do, is allow access to the internal network, from the
> Internet and be able to authenticate those users by IP address and/or
> user name/password.
>
> I'm thinking that I can just use ipfwadm to forward packets from a
> specific "external" address (my cable modem at home for example) to
> the 10.x.x.x/0 "internal" network.
>
> Does this sound right? What potential security holes am I looking at?
>
> thanks in advance for all replies
>
> [EMAIL PROTECTED]


------------------------------

Crossposted-To: comp.os.linux.setup
Subject: Re: Firewalls and proxy servers?
From: [EMAIL PROTECTED] (Don Baccus)
Date: 5 Apr 1999 12:35:37 PST

In article <1z7O2.1368$[EMAIL PROTECTED]>,
Eric <[EMAIL PROTECTED]> wrote:

>Although ip masquerading should allow me to accomplish this easily, i don't
>see it giving my network any protection from the exterior.  Ideally, I would
>like to control the incoming data, to try to cut out any malicious attacks.
>Currently, being logged on once in a while over a modem cuts out my chances
>of attacks due to the amount of time I am online.  I am afraid, however, of
>having my system online 24hrs/day and not having protection for my LAN.

You can have additional firewall rules that afford protection,
as well as the masquerading rules.  For instance, you might
want to refuse packets claiming to be from a 192.168.1.x address
if it arrives on the dsl NIC.  When I investigated ip masquerading,
I stumbled across a set of sample firewall rules to use with it,
though I forget exactly where I found this page.

[snip]

>What is the best way for me to accomplish this task?  Where can I get more
>info, apart from the Firewall HOWTO?

Again, start with the ip masquerade HOWTO, or search for the
IP Masquerade Resource Page.  Dig around a bit and you should
find the same information on recommended firewall rules to
use that I did.  The page I saw had not only the rules, but
an explanation of what they did.

>It seems to be written for RedHat 3.x,
>and I'm not sure what has changed since...  furthermore, it doesn't discuss
>any of the ftp/telnet/web/mail server needs...

If you're really concerned about security, switch to secure
shell so that "su" followed by the root password doesn't travel
the net in the clear.  

The ftp protocol isn't masqueraded by default, you have to add
a module to explicitly masquerade.  So, you could restrict
ftp to/from the outside world to the firewall box simply by 
not masquerading ftp, I think.  To get stuff to your local
machines, though, you'd first have to ftp to your 386, then
explicitly ftp between the 386 and another machine on your
LAN.  In other words, not masquerading ftp means any machine
on your LAN can ftp back and forth to each other (if you have
ftpd running on the appropriate machine(s)), and the 386
to the outside world as well, but the locals can't directly
ftp to/from the outside world.

But that's rather annoying, IMO.  

I won't belittle your concerns, though - five days after I got
my Linux box up on my DSL service, someone tried to do an
NFS mount...since I'm not using NFS, I just killed it and
that ended that potential problem.  Not that the feeble 
remote attempt to mount worked or anything.

And another friend's had a DSL connection for a few weeks,
too, and has been monitoring activity, and has seen all
sorts of pokes and prods at his system.  Again, without
success.

Use really arcane and non-dictionary passwords for all
accounts and you'll be on the road to good security.

>Right now, I've got the antiquated RedHat 5.1 distribution.  I would rather
>not have to d/l the 5.2 release, but if it makes things easier, I'd be more
>than willing to d/l it.

The Ip Masquerading Resource Page has information on which patches
must be applied to which kernels, as I recall 2.0.34 and up have
them. (I run RH 5.2, which is 2.0.36, I don't know what 5.1 was).

-- 

- Don Baccus, Portland OR <[EMAIL PROTECTED]>
  Nature photos, on-line guides, at http://donb.photo.net

------------------------------

From: "razoon" <[EMAIL PROTECTED]>
Subject: Re: Here is my ipchains firewall. Any comment please
Date: Mon, 5 Apr 1999 19:25:41 +0200
Reply-To: "razoon" <[EMAIL PROTECTED]>

Should i place the flush rules in the beginning?
Before any input/output rules?


> >I have two clients behind a Linux 2.2.4 firewall.
> >This is my masquerading firewall as it is copied from a reliable source.
> >
> ># default policy: deny all forwarding, accept local input/output
> >ipchains -P forward DENY
> >ipchains -P output ACCEPT
> >ipchains -P input ACCEPT
> ># flush all other rules
> >ipchains -F forward
> >ipchains -F input
> >ipchains -F output
> ># now setup masq for the 192.168.0 network
> >ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
> >
> >I don't get this:
> >First I deny every forwarding in both directions
> >But in the last rule forwarding is accepted on all ports for all
> >destinations.
> >So in my opinion every outsider can send his packets to me. Is that right
> >or not?
>
> Your forward rule will only forward packets from the 192.168.0 subnet (going
> anywhere), but it will not forward packets with any other source address
> (that's what -s is - the source addresses).  You may want to set up a "spoof
> guard" rule like in the ipchains docs, so that you can't get input packets
> from the outside network that have source addresses that are internal, like:
>
> ipchains -A input -i eth0 -s 192.168.0.0/24 -j DENY
>
> (this assumes eth0 is on the "external" network you don't want to forward)
> (should go very early in the rules. Not 100% sure it's -i for interface).
>
> You should probably also add some "input" rules to block connections to your
> router/masq box, or else it will get hacked, and then the rest of your network
> will be wide open.  Since I set up my box with ipchains on the cable modem
> (it's on 24 hours a day), I notice 3-4 connection attempts a day from some
> strange systems on the internet that are blocked by ipchains.  Mostly tries
> on "ident", "imap2", and "netbios-*" ports.  I basically don't allow anything
> connecting to my box but DNS from the ISP, and ftp-data.
>
> Cheers, Andreas
> --
> Andreas Dilger   University of Calgary  \"If a man ate a pound of pasta and
>                  Micronet Research Group \ a pound of antipasto, would they
> Dept of Electrical & Computer Engineering \   cancel out, leaving him still
> http://www-mddsp.enel.ucalgary.ca/People/adilger/       hungry?" --Dogbert



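[Added example, not from any poster in this thread: a complete ipchains
script that applies the points raised above. It flushes the chains before
setting policies and adding rules (the ordering razoon asks about: flushing
after the policy lines, as in the posted script, is harmless, but any rules
added before a later flush would vanish), adds the spoof guard (-i is indeed
the interface option in ipchains), masquerades only LAN-sourced traffic, and
limits what may connect to the masq box itself to the replies it and its
clients expect, the ISP's resolvers, and ftp-data. Interface names, the LAN
prefix, the public address and the resolver addresses are placeholders, not
values from the posts; set RUN=echo to print the commands instead of
executing them.]

```shell
#!/bin/sh
# Added example (not from the digest): a 2.2-kernel ipchains masquerading
# firewall built from the points raised in this thread.
#
# Assumptions (placeholders, not from the posts): eth0 faces the ISP, eth1
# faces the LAN, the LAN is 192.168.0.0/24, EXT_IP is this box's public
# address and ISP_DNS lists the ISP's resolvers.  RUN=echo gives a dry run.

RUN=${RUN:-}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.0.0/24}
EXT_IP=${EXT_IP:-203.0.113.10}
ISP_DNS="${ISP_DNS:-198.51.100.1 198.51.100.2}"
ANY=0.0.0.0/0

fw_rules() {
    # 1. Flush first, then set policies, then add rules.  Flushing after the
    #    policy lines (as in the posted script) is harmless, but rules added
    #    before a later flush would silently disappear.
    for chain in input output forward; do
        $RUN ipchains -F "$chain"
    done
    $RUN ipchains -P input DENY
    $RUN ipchains -P output ACCEPT
    $RUN ipchains -P forward DENY

    # 2. Loopback and the LAN side are trusted.
    $RUN ipchains -A input -i lo -j ACCEPT
    $RUN ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # 3. Spoof guard: private source addresses must never arrive from the
    #    ISP side.  -l logs each hit so probes show up in syslog.
    for net in "$INT_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $RUN ipchains -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # 4. Replies this box and its masqueraded clients are expecting.
    #    TCP: anything that is not a SYN (! -y) belongs to a connection we
    #    opened.  UDP: 2.2 masquerading rewrites client source ports into
    #    61000-65096, so answers come back to that range on EXT_IP.
    $RUN ipchains -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" -j ACCEPT
    $RUN ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65096 -j ACCEPT
    for dns in $ISP_DNS; do
        $RUN ipchains -A input -i "$EXT_IF" -p udp -s "$dns" 53 -d "$EXT_IP" 1024: -j ACCEPT
    done
    #    Active-mode ftp-data connections back to the firewall's own ftp client.
    $RUN ipchains -A input -i "$EXT_IF" -p tcp -s "$ANY" 20 -d "$EXT_IP" 1024: -j ACCEPT
    #    ICMP errors and echo replies so PMTU discovery and ping keep working.
    $RUN ipchains -A input -i "$EXT_IF" -p icmp -d "$EXT_IP" -j ACCEPT
    # 5. Everything else from the ISP side: deny and log (policy is DENY too).
    $RUN ipchains -A input -i "$EXT_IF" -j DENY -l

    # 6. Masquerade only traffic sourced from the LAN (-i on the forward chain
    #    is the outgoing interface).  The DENY policy already drops packets
    #    from outside aimed at inside hosts.
    $RUN ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -d "$ANY" -j MASQ
    $RUN modprobe ip_masq_ftp
    $RUN sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Count the rules appended to one chain in a dry run (stdin = fw_rules output).
# Usage: RUN=echo fw_rules | count_rules input
count_rules() {
    grep -c -- "-A $1 "
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_rules
fi
```

Run it once with RUN=echo and read the output before setting FW_APPLY=1; the
spoof-guard and final DENY rules carry -l, so /var/log/messages will show the
kind of ident/imap2/netbios probing Andreas describes.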
------------------------------

From: "Donald E. Stidwell" <[EMAIL PROTECTED]>
Subject: Re: Compiling tulip.c
Date: Sun, 04 Apr 1999 20:06:56 -0400

John Strange wrote:
> 
> You realy need to tell us what distribution (Slackware, Redhat,..)
> and what release (3.6, 5.2,...) so we can give more correct answers.
> 
> Try this as root
> 
> updatedb             # runs for about a minute, logs file locations.
> locate tulip.c       # now you know where to put it.
> cd /usr/src/linux    # all compiles for kernel and modules are here
> make modules         # compiles any modules which have changed
> make modules_install
> 
> Matt Pokress ([EMAIL PROTECTED]) wrote:
> : I bought a Netgear FA-310-TX.  The Netgear instructions on their site
> : indicate that card revs higher than D1 (mine is a D2) need to use the
> : included tulip driver, not the standard tulip module.
> 
> : The disk actually has tulip.c, so all I have is the source code.  How do
> : I compile this, and when I am done where will the new driver reside?
> 
> --
> While Alcatel may claim ownership of all my ideas (on or off the job),
> Alcatel does not claim any responsibility for them. Warranty expired when u
> opened this article and I will not be responsible for its contents or use.

The instructions for compiling are on the disk under the Readme/Linux
directory.  However, I never could get it to work properly, even though
it compiled without errors. I am using the "out-of-the-box" Tulip driver
for RH5.2 and it works fine.

Don
-- 
=====================================
Donald E. Stidwell, RM1, USN (Ret.)
Certified Novell Administrator
Network Technician II
Bon Secours Hampton Roads Home Care
[EMAIL PROTECTED] (work)
[EMAIL PROTECTED] (home)
=====================================

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: slow 3c905b
Date: 5 Apr 1999 20:23:34 GMT

andrzej sydorko <[EMAIL PROTECTED]> wrote:
> I have a frustrating problem with my 905b NIC's.

> First some info:
> I have disabled PNP in the BIOS
> I have disabled auto-negotiation with 3c90xcfg.exe in DOS
> The driver is loaded as module 3c59x 0.99H-WOL

Try setting the PCI latency to 248 or 255 (via BIOS).

> The kernel is 2.0.36
> The dist. is RedHat 5.2
> My network is 1 RedHat-box and 1 Win98 box (for simplicity).
> All NIC's are 3c905b


> The problem:

> It's the throughput. When transferring files from Linux to Windows (ftp,
> smb..whatever) performance is good, about 6mb/s
> But when transferring files from Windows to Linux, performance is poor,
> about 1-1.2mb/s

:) convert the windows box into a linux box :)... problem solved.. besides
that, make sure you have the latest winsock/windows..

> At first I thought this was because maybe Linux has poor support for
> IDE-drives, (maybe it's fast only one way) so I got a couple of U2W
> disks. Imagine my surprise when this didn't help?
> I have been searching the newsgroups for cases similar to mine, but have
> struck no luck.
> Anybody familiar with this problem?



-- 
It's nice having Multiple Personalities!        [EMAIL PROTECTED]
http://www.infinex.com/~gman                    Keeper of       Bay Area
                                                B.A.S.P:        Shell
Linux => OS for the Computer-Literate!                          Providers List
(=E G-man, G-DoG, Archy, LoOoD, Gary B. from E.C and FoG CiTY

------------------------------

From: Dan <[EMAIL PROTECTED]>
Subject: Winmodem
Date: Mon, 05 Apr 1999 22:17:34 +0200

Hello all,

Can I use winmodem with linux?

10x,

Dan


------------------------------

From: "Russell S. DiPesa" <[EMAIL PROTECTED]>
Subject: Re: Unable to FTP or telnet
Date: 5 Apr 1999 16:49:38 GMT

Dang,
        1.  File is empty
        2.  File is empty
        3.  I don't believe the machine is configured as a firewall.
        4.  Services are set to ftp - 21 and telnet - 23.
As I said, I am able to connect using Windows machines, so I would assume
that it has to do with box1 recognizing box2 as a different type of machine
and then not allowing the connection.  I am not too sure, though.

Russ

------------------------------

From: Chris Pitzel <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware,comp.periphs.scsi
Subject: Re: Linux Networking Performance Question?
Date: Sun, 04 Apr 1999 16:24:30 -0600


>  It would cost us over £10,000 to upgrade the HP9000 hard disks and
> controller to Ultra2 SCSI (80Mbs) and have considered storing the data on

One thing to consider is the fact that your existing 20mb/sec
controllers on the HP9000 probably aren't even being utilized to their
fullest capacity.  Modern hard drives only put out around 4-5mb/sec each
at the most, and it's unlikely that all of the drives in your HP 9000
are active at any given time.

There are other considerations, of course, with the HP9000, such as the
fact that you likely will have to buy 'HP-brand' drives (which usually
are just Seagate Barracudas anyways..), and of course, you will need to
consider your backup needs as well.

> linux boxes over the 100BaseT network.
> Our primary data is UniData database files. A linux box with Ultra2 drives
> and controller can be purchased for under £2000 with increased storage
> space.

Yes, or you could just add some Ultra2 drives to the HP 9000 machine. 
Since SCSI is forwards and backwards compatible, you should be able to
do this without any problems whatsoever.  The fact that the HP
controller and existing drives only support 20mb/sec isn't really an
issue, considering that you're dealing with database files which are not
terribly taxing on the bandwidth of your SCSI controller.


> 1) What would the performance increase be like if I were to go for this
> method, considering our current local HP drives are rated at 20Mbs.

You wouldn't see a performance increase.  Your HP machine has plenty of
capacity for additional drives.

> 2) Where would the primary bottleneck be.

Unless the HP9000 is multihomed (ie: fitted with multiple network
cards), the network card would be busy doing the NFS traffic from the
Linux box, and would be impaired in its capability to serve the network
it's intended to serve.

With 100mb/sec ethernet, you only get around 10mb/sec of effective
capacity, if even.  If you're doing some heavy work on Linux mounted
SCSI drives that you propose, that could nearly eat up all the
bandwidth, leaving none for your real clients to use.

> 3) As the network is switched, would there be a degradation in network
> performance.

Definitely, due to saturation of the network interface on the HP machine
itself, not to mention the increased load on the switch, and
corresponding decrease in reliability as well (because when you add an
extra machine, you've just established another point of failure..).

> Any tips or information would be most appreciated.

I would look into fitting Ultra2 drives onto your existing 20mb/sec
controller.  You won't see any performance degradation.

------------------------------

From: Freddie Haddad <[EMAIL PROTECTED]>
Subject: Samba
Date: Mon, 05 Apr 1999 08:03:06 -0700

Hi, I am able to mount my windows nt computer under linux using:

smbmount //haddadent/c$/ /home/samba -c vrdesigns -U administrator -P
xxxxxx  -g 0 -u 0

I read the samba man page, but I can't figure out how to share the
printer.. Can anyone help?

winnt netbios name is "HADDADENT"
printer share name is "HP4$"
IP: 192.168.1.2

Thanks


------------------------------

From: "Grimteck" <[EMAIL PROTECTED]>
Subject: Samba - lmhosts - password?
Date: Mon, 5 Apr 1999 21:13:55 +0100

I am running SuSE 5.2 on a linux box and Win98 on a windoze box.
I have networked the two together using ethernet cards;
it is all running, I have verified the cards are working
and cabled correctly as I can ping both ways on both machines.
I understand the only way to see the network is to use samba!
I have therefore set it up, well tried to, but when I enter

smbclient //p200/tmp
I get the following   [p200 is the name of my win98 box]

Added interface ip=169.254.169.2 bcast=169.254.255.255 nmask=255.255.0.0
startlmhosts: Can't open lmhosts file /etc/lmhosts. error was no such file
or directory
[there is no such file lmhosts in my /etc directory. I don't know what this
file is for or how to set it up :( there is no man file for it either :(  ]
Got a positive name query response from 169.254.169.2 (169.254.169.2)
servertime is Mon Apr 19:44:30 1999
timezone is utc-0.0
password

[now I don't know what password it wants so I have tried my root password for
linux both in upper and lower case, also my user password and my windoze
password, again in both cases. But I get:-  ]
Security=Share
SMBtconX failed. ERRSRV - ERRinvnetname <invalid network name in tree
connect.>
Perhaps you are using the wrong share name, username or password?
Some servers insist that these be in uppercase

if I enter       smbclient -L p200
I do get a list of all the shared harddrives I have set up on the windoze
box!!

I think that once this has been sorted out the network should work fine - can
anyone help me with this?
Any assistance will be greatly appreciated.





------------------------------

From: "Daniel G. Hyams" <[EMAIL PROTECTED]>
Subject: Re: Winmodem
Date: Mon, 5 Apr 1999 16:05:32 -0500

On Mon, 5 Apr 1999, Dan wrote:

> Hello all,
> 
> Can I use winmodem with linux?
> 

Sorry; winmodems are not supported.  The guts of the modem
are actually implemented within 'firmware drivers' available
on Windows platforms only.  If possible, take your modem back
and buy a non-stripped down modem, which will work in both
Linux and Windows.  This will cost more, but the reason that
winmodems are so cheap is that hardware has been removed
in favor of forcing the computer itself to perform the same
functions via the firmware driver.

===========================================================
Daniel G. Hyams
email:  [EMAIL PROTECTED]
phone:  (601) 323-4198  
===========================================================


------------------------------

From: [EMAIL PROTECTED] (Jens Kristian Søgaard)
Crossposted-To: comp.windows.x.kde,comp.os.linux.x
Subject: Re: VNC takes a hit running KDE
Date: 05 Apr 1999 17:52:53 +0200

[EMAIL PROTECTED] (Bob Nixon) writes:

> Any thoughts, suggestions, ideas or similar experiences?

VNC is slow by design. It's great -- but it requires a lot of
bandwidth.

Try using the X-Win32 X-server on Windows -- it's the best one
available. I can easily use KDE desktop with this program (on small
Pentium 120 computers).

If you only have limited bandwidth, consider using the lbxproxy
program.

-- 
Jens Kristian Søgaard,
[EMAIL PROTECTED] -- http://soegaard.hypermart.net/

------------------------------

From: [EMAIL PROTECTED] (Ian)
Subject: NIC in Linux
Date: Mon, 05 Apr 1999 20:25:53 GMT
Reply-To: [EMAIL PROTECTED]

I'm trying to configure a 3Com 3c509b ISA NIC in Red Hat Linux 5.  What would 
be the best way for me to do this?

Thanks in advance,

Ian

------------------------------

From: Roope Anttinen <[EMAIL PROTECTED]>
Subject: Re: Linux in NT Domain
Date: 5 Apr 1999 21:10:14 GMT
Reply-To: [EMAIL PROTECTED]

Greg Saunders <[EMAIL PROTECTED]> wrote:
> I'm in the process of setting up a Linux box on my existing NT Domain based
> network. The advantages of gaining some much needed network space at a
> reasonable price and the potential to add some "native" Internet
> connectivity were too much to pass up even for an NT diehard like myself.
> I've setup RedHat 5.2 (surprisingly easy) with Samba on a system, and have
> things barely functional (share level acces via a guest account). My network
> is all IP, with 95/98 clients and NT Server as the PDC.

I've done the same thing at our office... all NT workstations and all NT
servers - or appear to be ;)

> Does anyone who has travelled this road before have any tips they'd like to
> share? I'd be especially interested in the following:

I'll try.

> 1. Can Linux validate users (even just for Samba) through the NT box?

Yup, with the security=server parameter. You've got to have matching user names
in both the Linux box and the NT domain to get it to work properly (if you want
to create shares with no guest access - for valid users only).

> 2. Should I run my WINS server on NT or Linux (using RAS on NT for limited
> dialup)?

I haven't tried it on Linux and I've got a feeling I've read somewhere that
it's better to keep it running on real NT. Not sure though.

> 3. Does this encrypted password thing really work in Samba?

Yes it does. But if you validate users against the NT PDC, there's no extra work
to be done on the Linux end (like creating an encrypted samba-passwd file).

> 4. Is there anything which in retrospect I'm likely to feel really stupid
> about doing?

Well, it would be stupid not to read the files under /usr/doc/samba.

Roope

-- 
MicroSoft? is that some kind of a toilet paper?
PS: Look for address here, not from headers. And remove NOSPAM's
___________________________________________________________________________
   [EMAIL PROTECTED]  /  [EMAIL PROTECTED]
        +358 9 812 7567  /  +358 500 445 565  /  +358 49 445 565
                http://myy.helia.fi/~anttiner/index.html
===========================================================================
   Helsinki Business Polytechnic - Institute of information technology

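[Added example, not taken from any post in this digest: an smb.conf [global]
section that puts together the settings discussed in this thread and in Ron
Watkins's WINS reply earlier in the digest. It makes Samba the single WINS
server for the site (Ron's point that Samba cannot replicate its WINS
database means there must be exactly one), validates users against the NT
PDC with security = server as Roope describes, turns on encrypted passwords,
and binds SMB to the LAN interface only, so the Internet-facing side of the
gateway never offers netbios-* ports to the probes Andreas reported. The
workgroup, NetBIOS names and addresses are assumptions.]

```ini
[global]
   ; Assumptions: COMPANY is the NT domain, LINUXBOX this machine's NetBIOS
   ; name, NTPDC the PDC's NetBIOS name, 192.168.1.1/24 the LAN interface.
   workgroup = COMPANY
   netbios name = LINUXBOX
   server string = Samba %v on %h

   ; Pass authentication to the NT PDC.  Each user still needs a Unix
   ; account of the same name here (for file ownership), but no smbpasswd
   ; file has to be maintained on the Linux side.  If NTPDC is unreachable
   ; all non-guest logons fail, so name it by NetBIOS name, not by a
   ; WINS-dependent alias that this same box has to resolve.
   security = server
   password server = NTPDC
   encrypt passwords = yes

   ; Act as the site's WINS server for LAN and dial-in clients.  Do not also
   ; set 'wins server' here: a host is either a WINS server or a WINS client.
   ; Point every Windows client and the RAS server at this box's address.
   wins support = yes
   name resolve order = wins lmhosts host bcast

   ; Offer SMB only on the LAN interface, never on the Internet link, and
   ; refuse tree connects from anywhere but the LAN and loopback.
   interfaces = 192.168.1.1/24
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.

   ; One log per client machine makes "which client is failing?" easy.
   log file = /var/log/samba/log.%m
   max log size = 50

[homes]
   comment = Home directories
   browseable = no
   writable = yes
   valid users = %S
```

After editing, run testparm to check the syntax and the effective values, then
restart smbd and nmbd; with security = server a wrong password server shows
up in log.smb as a failed connection to NTPDC rather than as a password error.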
------------------------------

From: Tim Gibson <[EMAIL PROTECTED]>
Crossposted-To: comp.mail.sendmail
Subject: Need help with custom Sendmail config
Date: Mon, 05 Apr 1999 13:29:32 -0700

Here's what I want to do:
I have 2 machines in my network.  One is hooked up directly to the
Internet in addition to my private network. We'll call this "Linux."
The other is on my private network, running Lotus Notes.  We'll call
this one "Notes."  What I want to do is have the Linux box send and
receive Internet e-mail on behalf of the Notes machine.  So once the
Notes box gets an e-mail from an internal client intended for an
Internet address it will relay it to Linux and then Linux will take care
of it.  I know how to get Notes to do this, so that's not the problem.
Also I want incoming mail to Linux to be relayed to the Notes server
based on the domain name (we'll call this 'company.com').  I would like
to be able to receive e-mail on the Linux that is intended for it
(linux.company.com).
My internal IP addresses are 129.64.100.0 which might make things a bit
more difficult because these are not registered addresses.  I cannot
change these addresses to valid or excluded (192.168.0.0) right now, but
maybe in the future.
So is this setup possible?  I would also like to use the Linux machine
as a mail relay for roaming dial-up clients so an allow policy based on
reply-to address would be nice.  Any help is greatly appreciated. I have
spent hours perusing Dejanews and sendmail.org, including the FAQs,
with not much luck so this is pretty much my last resort.  Thanks.

Please cc me via e-mail at [EMAIL PROTECTED]



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
