Linux-Networking Digest #977, Volume #10         Wed, 28 Apr 99 02:13:43 EDT

Contents:
  What is a good firewall for Linux RedHat 5.2? (Dennis Rawlusyk)
  Re: Set up DNS to resolve hostname to hostname:port? ([EMAIL PROTECTED])
  Telnet taking ages before allowing login ([EMAIL PROTECTED])
  Re: Problem connecting to the Samba Server!! (Paul Sery)
  Deb 2.1 pppd fails leaving modem locked ? ("Cameron Spitzer")
  Re: limit number of connected users for a ftp server ? (Durango)
  Re: Set up DNS to resolve hostname to hostname:port? ([EMAIL PROTECTED])
  Re: Ftpd with gui interface (Joel Sloan)
  Re: 2 IPs 2 Subnets 1 Nic Is It Possible? (Luca Filipozzi)
  Re: @home anyone? is it worthwhile or not? ("D. C. & M. V. Sessions")
  Re: 10/100 hub connect with both networks? ("D. C. & M. V. Sessions")
  Re: Advice: Linux + ADSL - internal or external modem (ANT?) (Malcolm Ferguson)
  Re: Advice: Linux + ADSL - internal or external modem (ANT?) (Malcolm Ferguson)
  modem ("Keith & Tracy Davisson")
  Re: Another IP Masquerading problem (Steven J Rann)
  Re: Network Card Hanging (Hans Dumbrajs)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Dennis Rawlusyk)
Subject: What is a good firewall for Linux RedHat 5.2?
Date: Tue, 27 Apr 1999 23:00:36 GMT

        I have tried to compile TIS FWTK and had nothing but problems.
Does anyone have a simple solution? I want to keep statistics of data
transfer and limit clients to what they can and can not access. I am
currently using IP Masq.

Thanks
Dennis

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Set up DNS to resolve hostname to hostname:port?
Date: Tue, 27 Apr 1999 23:03:43 GMT

In article <7g569n$e85$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:

> "You can't do that".
> DNS doesn't allow you to specify a port when resolving a domain name, just an
> IP address.

Dang.  Well, I figured, but hope springs eternal...

> 1) Set up a 2-way NAT on your LAN's gateway, for the webserver, and point to
> that IP address.

I'm not entirely certain how to do that.  The machine that I want to be the
server doesn't have a "real" IP address... only a local 192.168.1.80 address.
If I wanted external hosts to be able to access port 80 on that machine
without having to specify a port like I do now?

> 2) Run Apache on your LAN's gateway [on port 80], and have it proxy for the
> actual webserver.

I've been trying that today... but it doesn't seem to be working out.  I set up a
VirtualHost section for palmtop.ipair.com and added:

ProxyPass / http://www.ipair.com:7070/

It works for text, but the image on the page (to test if it works) doesn't
show up.  Apache sends something, but I'm not sure what-- it's definitely not
a JPG file.  Strange.

> 3) Create a DMZ outside your gateway, and move the webserver there.

I feel like an idiot, but... what's a DMZ?

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Subject: Telnet taking ages before allowing login
Date: Tue, 27 Apr 1999 23:02:13 GMT

Hi,

I am having a problem where a Linux server which I could previously telnet to
is now taking so long to give a login prompt that it times out. It connects
and says:

>> > Trying box1.net.
>> > Connected to box1.net.
>> > Escape character is '^]'.
Then it waits ages and eventually the login prompt appears followed by
connection closed by foreign host. The setup has been in place for some time
working OK and no config changes that I know about have been done. I have
checked name resolution and other obvious things, but can't figure out what it
is doing for all that time. It does the same when connecting by name or IP
Address and also when you do it on the console with 127.0.0.1.

Also, ftp seems to be doing the same sort of thing.

Any help would be greatly appreciated, I have been looking at it for a long
time and can't find what it is! Even if someone can tell me what the very next
thing that in.telnetd does after the connection is made that would be a start.

Cheers,
Derek.


------------------------------

From: [EMAIL PROTECTED] (Paul Sery)
Crossposted-To: comp.os.linux.help,comp.os.linux.questions,it.comp.linux.setup
Subject: Re: Problem connecting to the Samba Server!!
Date: 27 Apr 1999 16:49:22 -0600

Win98 sends encrypted passwords. You need to configure Samba to use
encrypted passwords. The ENCRYPTION.txt file that comes in the
/usr/doc/samba directory gives instructions for doing that.


In article <[EMAIL PROTECTED]>, SS <[EMAIL PROTECTED]> wrote:
>Hi All,
>
>I have both a win98 (client) and a Linux (Samba Server) machine on my network.
>While I can find the Linux machine from my win98 machine in
>network-neighborhood, I can't get into it, because when I click the linux
>icon I am asked to input a password. After I input the password, the error
>message "invalid password, try again" comes out.
>I don't know why... Please help ^_^
>
>P.S. I can login to the linux machine by telnet and ftp from my win98 machine

------------------------------

From: "Cameron Spitzer" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc
Subject: Deb 2.1 pppd fails leaving modem locked ?
Date: 28 Apr 1999 03:59:22 GMT

This weekend I replaced my highly upgraded 1994 Slackware
with Debian GNU/Linux 2.1.  Debian is truly impressive.
Lots of things worked.

One gripe, I start pppd with their "pon provider" command,
and if it connects the first time it's great.  This is the
first Distro where I haven't had to mess with ppp to make it
connect.
But if it gets a busy, pppd exits leaving /dev/ttyS1 locked
in such a way that when I try again no commands are sent
to the (external) modem.  setserial /dev/ttyS1 '^session_lockout'
has no effect.  I can't unload the serial module, device busy.
I had to reboot to clear it, unacceptable!
Before I jump into the extremely busy debian-user mailing list,
I wonder if anyone else has seen this.
What other way can /dev/ttyS1 be locked but the way I can
see with stty -a ?
And I'd appreciate a pointer to how to interpret the output
of cat /proc/locks .  Is there a map from one of the numbers
to a device node?  TIA!!

Other little annoyances: cu(1) installs in a non-working state,
and the X setup installs xdm without warning.
And (not debian's fault) why does XFree86 always install with
click-to-focus?  Yecch!

Nice surprise: g'zilla!  Where did that come from?  Neat!

Cameron


------------------------------

From: [EMAIL PROTECTED] (Durango)
Subject: Re: limit number of connected users for a ftp server ?
Date: 27 Apr 1999 19:10:08 -0500

# vi /etc/ftpaccess

add a line:
limit all 2 Any

then:
# killall -HUP inetd
That should do it.

then, to read more:
# man ftpaccess

and also try:
http://www.landfield.com/wu-ftpd/

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Set up DNS to resolve hostname to hostname:port?
Date: Wed, 28 Apr 1999 00:12:26 GMT

In article <7g5foc$n3o$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:

> > 1) Set up a 2-way NAT on your LAN's gateway, for the webserver, and point to
> > that IP address.

> I'm not entirely certain how to do that.  The machine that I want to be the
> server doesn't have a "real" IP address... only a local 192.168.1.80 address.
> If I wanted external hosts to be able to access port 80 on that machine
> without having to specify a port like I do now?

The big issue is whether or not you have any public [routable] IP addresses
available from your service provider.  I assume you have at least one, since
presumably your LAN is hooked up to the internet.  Check out `natd` [man
natd], and that will give you an idea of how [N]etwork [A]ddress
[T]ranslation works.

> > 2) Run Apache on your LAN's gateway [on port 80], and have it proxy for the
> > actual webserver.

> I've been trying that today... but it doesn't seem to working out.  I set up a
> VirtualHost section for palmtop.ipair.com and added:

> ProxyPass / http://www.ipair.com:7070/

> It works for text, but the image on the page (to test if it works) doesn't
> show up.  Apache sends something, but I'm not sure what-- it's definitely not
> a JPG file.  Strange.

Can't help you here [I've never actually set up a proxy like that myself, I
only knew that it's supposedly possible].  Try one of the apache groups.

> > 3) Create a DMZ outside your gateway, and move the webserver there.

> I feel like an idiot, but... what's a DMZ?

Sorry.  DMZ means what it does in the real world -- "De-Militarized Zone".  It
means sticking machines outside your gateway [firewall].  If you have extra
public IP addresses, this is a possible solution, otherwise not.

-Bill Clark
Systems Architect
ISP Channel
http://locale.ispchannel.com/


------------------------------

From: Joel Sloan <[EMAIL PROTECTED]>
Crossposted-To: alt.comp.jgaa,alt.linux,alt.os.linux,comp.os.linux.admin,comp.os.linux.questions
Subject: Re: Ftpd with gui interface
Date: Wed, 28 Apr 1999 04:37:19 GMT

Ray wrote:

> Can anyone point me to a ftpd with a GUI? I really want to be able to
> monitor user activity and stats. I am used to using warftpd under NT but
> have moved to Linux..

There are a number of GUI ftp clients for Linux, but system daemons are
detached processes -
Not only is there no GUI, there is not even an associated terminal...

Sounds like you might want to "tail -f /var/log/xferlog", and/or look at
netstat and lastlog...

jjs

------------------------------

From: [EMAIL PROTECTED] (Luca Filipozzi)
Subject: Re: 2 IPs 2 Subnets 1 Nic Is It Possible?
Date: Tue, 27 Apr 1999 17:46:40 -0700

In article <7g5723$et9$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (Luca Filipozzi) wrote:
> 
> > Change the lease time to
> > something reasonable, like 1 or 2 days. Done.
> 
> The only reasonable lease time for DHCP is near-infinite.  Dynamic IP's are a
> bad bad bad bad bad bad bad thing.  Did I mention they're bad?
> 
> > This solution has the big benefit that at the end of the process you will
> > have a DHCP managed ip address pool, which is, IMHO, much better than
> > static addresses (if only so that you can change the nameserver, default
> > route, etc. in only place only).
> 
> There is a difference between "static" and "hardcoded", and I'll assume you
> really meant the latter.  Static IP addresses are *always* preferable to
> dynamic, _especially_ when you're talking about ones in private IP blocks
> [for which there is absolutely no reason whatsoever to use dynamic IP
> allocation]. You can still use DHCP [which has convenient features for
> network administration] to hand out static information, just set the lease
> time to something ridiculously huge [and make every effort to insure that
> machines never undergo a 'spontaneous' renumbering -- which will hose your
> DNS and result in other nastiness such as invalidation of logging records on
> proxy servers, gateways, mail servers, etc.].
> 
> -Bill Clark
> 
We've flogged this horse already, Bill. You think DHCP sucks. I think 
it's a useful thing in private networks. Enough said.

-- 
Luca Filipozzi <[EMAIL PROTECTED]>

------------------------------

From: "D. C. & M. V. Sessions" <[EMAIL PROTECTED]>
Subject: Re: @home anyone? is it worthwhile or not?
Date: Tue, 27 Apr 1999 21:56:01 -0700

[EMAIL PROTECTED] wrote:
> 
> Greetings & Salivations.
> 
> I'm starting to setup RHL 5.2 on a small ethernet, 3 linux machines, a
> mac and an STe, and I'm considering using the @home cablemodem service
> for my net connection.  I've heard some say it's really cool, others
> call it bunk.  Anyone here have personal experience with it?

The point may be moot.  @home has a TOS that forbids all kinds of
servers, not excepting file and print servers.  They seem to be
pretty fixed on Win9x boxes connected directly to the cable modem.

> Another thing I've heard a while back from fellow linux user who has it
> is that he end up with a static ip address!  anyone else have this
> experience?

AWUI it varies by service area.  Some @home services run behind a
masquerading firewall; there's a page on NAT hanging off of www.home.net

-- 
Windows: "We can get availability on some NT servers up to 99.5% !!!!"
*nix: "Our server availability is 99.99937%.
       We're working on the problem."
D. C. & M. V. Sessions                [EMAIL PROTECTED]

------------------------------

From: "D. C. & M. V. Sessions" <[EMAIL PROTECTED]>
Subject: Re: 10/100 hub connect with both networks?
Date: Tue, 27 Apr 1999 21:59:32 -0700

[EMAIL PROTECTED] wrote:

> I'm quite new to the network, and any help is appreciated.
> 
> We have a 100 Base-T PC and several Linux machines on the network, and have a SUN
> workstation, but only with a 10Mb NIC. Can this SUN connect with the
> network using a 10/100 hub, or only with either 10 or 100, but not both?

Since the hub has no way of detecting which device is the destination
of a transfer, and since the computers do their rate selection
statically, you're pretty well stuck with one or the other.  (If a 100TX
job sends a packet, what speed should the hub use?  How does the sender
know what speed setting to use?  What about a broadcast packet?  Stuff
like that.)

-- 
Windows: "We can get availability on some NT servers up to 99.5% !!!!"
*nix: "Our server availability is 99.99937%.
       We're working on the problem."
D. C. & M. V. Sessions                [EMAIL PROTECTED]

------------------------------

From: Malcolm Ferguson <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup,comp.os.linux.questions,redhat.networking.general
Subject: Re: Advice: Linux + ADSL - internal or external modem (ANT?)
Date: Tue, 27 Apr 1999 23:37:35 -0600

Thanks for the feedback and advice - very helpful.

I hadn't heard about these modems running hot before.

It sounds like external is probably the best - most flexible, lowest risk.
I'll also get an ethernet card out of it that I shall be able to use for
other things if need be.

------------------------------

From: Malcolm Ferguson <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup,comp.os.linux.questions,redhat.networking.general
Subject: Re: Advice: Linux + ADSL - internal or external modem (ANT?)
Date: Tue, 27 Apr 1999 23:42:13 -0600

Thanks for the feedback and advice - very helpful.

I hadn't heard about these modems running hot before.

It sounds like external is probably the best - most flexible, lowest
risk.
I'll also get an ethernet card out of it that I shall be able to use for
other things if need be.

------------------------------

From: "Keith & Tracy Davisson" <[EMAIL PROTECTED]>
Subject: modem
Date: Tue, 27 Apr 1999 18:21:11 -0700

I am trying to get my pci modem to recognize in linux.  I am running a 56k
pci with a Rockwell chipset on com 3.  I see in the dev editor that the link
is not bound? and I can't dial out of the minicom. can you walk me through
the proper setup please. Keith

--
Keith and Tracy Davisson

------------------------------

From: Steven J Rann <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.help,udel.linux
Subject: Re: Another IP Masquerading problem
Date: Wed, 28 Apr 1999 05:09:19 +0000

OEL,

Try manually setting the default route of
your Linux box to the far end ppp0 interface after
the ppp dial up and ip addr are assigned.
Then try to get out from the WINDOZE boxes.

The network unreachable messages on the 
WINDOZE boxes strongly suggest a route
problem.  However, your message was 
pretty complete and it appears that things
are set up properly.  

Below are the commands I use to invoke ip forwarding --
via an S56ipmasq symlink to /etc/rc.d/init.d/ipmasq in
/etc/rc.d/rc3.d  -- thought they might be useful.

[/etc/rc.d/init.d/]> more ipmasq
#!/bin/sh
echo
echo Beginning the masquerade ......

# deny all initially
/sbin/ipfwadm -F -p deny

# open it up to local network only by adding forwarding,
# masquerading of all protocols from local net eth0 to the
# default gateway on Linux box -- ppp0
/sbin/ipfwadm -F -a m -P all -S <your local net ip>/8 -D default/0

/sbin/ipfwadm -M -s 7200 10 120

echo Finished !
echo

Forwarding in my set up is relying on a default route
being setup after ppp is running.  This is done automatically
for me by diald.  How is this happening on your system
is the question I think.  I believe pppd can be configured
to do it for you - 

 defaultroute
        Add a default route to the system routing tables, using the peer
        as the gateway, when IPCP negotiation is successfully completed.
        This entry is removed when the PPP connection is broken. This
        option is privileged if the nodefaultroute option has been
        specified.


Do the man thing on pppd for more info. Also, pppd
will need to be setuid to root to change the routing
table.  May be some security issues here, but get it
to work and fine tune as a second phase.

If the Linux box can find destinations on other
networks it may be a bit misleading --
a box with multiple interfaces inside behaves
differently than those without multiple interfaces.  

I admin 2 networks with dial on demand routing and
ip masq -- WIN95 and WIN98 with Linux RH 5.x.
I sympathize with you !  It is frustrating at times,
but it is a 'beautiful thing' when you get comfortable
with it AND IT IS WORKING.

Good luck !  Let me know how it goes.

Steve Rann    
[EMAIL PROTECTED]


OEL wrote:
> 
> Hello,
> 
> I realize that IP-Masq has been beat to death in the newsgroups, but digging
> through the web and dejanews, I haven't had any real luck at all.
> The situation: trying to setup IP Masq for a win9x peer-to-peer network
> (tcp/ip 192.168.1.x) via the linux box (192.168.1.1, RH 5.2 [2.0.36], ppp
> working fine). The win machines appear to be setup fine -- the gateway is
> set to 192.168.1.1, static IP 192.168.1.yyy w/255.255.255.0, and dns is
> setup for the ISP dns IPs, with domain is dol.net. The host is the login
> name of the ppp account. Now, all machines ping each other fine, however,
> when the linux box is connected via ppp, it can get out, but won't route
> anything else out. FTP, http, ping, etc. from any win machine just fails.
> With dns names, says can't resolve. With IP #s, gives unreachable-type
> errors (so not a dns problem).
> 
> The commands to initiate IP masq all reside in /etc/rc.d/rc.inet1, following
> the setup of the eth0 info. The lines are right out of the HowTo:
> 
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forwarding      (even though
> FORWARD_IPV4=yes)
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
> {{i've even added a route -net 192.168.1.0 command here with no change}}
> 
> It really seems like a pretty easy thing to setup, but I've had zero luck.
> Hitting some chat rooms, it was suggested that I check out tcpdump. Some of
> its output and my comments follow:
> 
> First, watch 2 network machines ping each other. When 192.168.1.6 pings
> 192.168.1.22 we see:
> 15:04:47.51696 arp who-has 192.168.1.22 tell 192.168.1.6
> 15:04:47.501696 arp reply 192.168.1.22 is-at 0:10:4b:2d:51:9e
> then .6 > .22 icmp: echo request
> and .22 > .6 icmp: echo reply
> (the #s are .22's correct adapter #)
> 
> Okay, all looks fine here. Now, lets startup ftp on the .22 machine and try
> to reach outside world (a site i know was up):
> 
> 15:11:26.321696 arp who-has 192.168.1.1 tell 192.168.1.22
> 15:11:26.331696 arp reply 192.168.1.1 is-at 0:10:5a:23:71:7b
> 15:11:29.541696 arp who-has 192.168.1.1 tell 192.168.1.22
> 15:11:29.541696 arp reply 192.168.1.1 is-at 0:10:5a:23:71:7b
> 
> hmm. looks like .22 is asking about the gateway, gets a response, then asks
> again. I think this is not good. Can anyone verify this?
> 
> Whenever I kill the tcpdump, it ends with something similar to:
> 85 packets received by filter
> 0 packets dropped by kernel
> which, again, seems fine.
> 
> Okay. That there is my situation. If you can lend _any_ hints at all, I'd be
> very grateful. I'm pretty much at my wits end here (and haven't even gotten
> to the diald part).
> Feel free to respond to the thread, or if you're afraid of looking silly in
> front of the linux gods, just reply to me via email: estewart at udel dot
> edu.
> 
> Thanks for your time,
> -ed

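The tcpdump excerpt in Ed's quoted message is the kind of thing a practitioner would parse rather than eyeball. As an added example (not code from either poster), this Python script reads ARP lines in the exact format quoted above, using a constructed sample with one extra constructed reply, and flags a host that repeats a who-has for the same address within a few seconds (the symptom Ed asks about); going beyond the thread, it also reports any IP answered with two different MACs, which is the standard thing to check on a segment for ARP spoofing or a duplicated address.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the thread; the last
# line is an added, constructed reply that disagrees with the gateway's MAC.
SAMPLE = """\
15:04:47.491696 arp who-has 192.168.1.22 tell 192.168.1.6
15:04:47.501696 arp reply 192.168.1.22 is-at 0:10:4b:2d:51:9e
15:11:26.321696 arp who-has 192.168.1.1 tell 192.168.1.22
15:11:26.331696 arp reply 192.168.1.1 is-at 0:10:5a:23:71:7b
15:11:29.541696 arp who-has 192.168.1.1 tell 192.168.1.22
15:11:29.541696 arp reply 192.168.1.1 is-at 0:10:5a:23:71:7b
15:12:01.001696 arp reply 192.168.1.1 is-at 0:de:ad:be:ef:01
"""

WHO_HAS = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
IS_AT = re.compile(r"^(\S+) arp reply (\S+) is-at (\S+)$")

def to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(text):
    """Return (kind, time, ip, who) tuples: for who-has, `who` is the asker;
    for is-at, `who` is the MAC claimed for `ip`. Other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = WHO_HAS.match(line)
        if m:
            events.append(("who-has", to_seconds(m.group(1)), m.group(2), m.group(3)))
            continue
        m = IS_AT.match(line)
        if m:
            events.append(("is-at", to_seconds(m.group(1)), m.group(2), m.group(3)))
    return events

def re_asks(events, window=10.0):
    """(asker, target, gap) for each who-has the same asker repeats for the
    same target within `window` seconds of its previous one: the host is not
    keeping, or not using, the reply it got, which is the symptom in the post."""
    last = {}
    found = []
    for kind, t, target, asker in events:
        if kind != "who-has":
            continue
        key = (asker, target)
        if key in last and t - last[key] <= window:
            found.append((asker, target, round(t - last[key], 2)))
        last[key] = t
    return found

def conflicting_macs(events):
    """IPs claimed by more than one MAC in is-at replies. On a LAN this is the
    classic ARP-spoofing signature; it also catches a duplicated address."""
    seen = defaultdict(set)
    for kind, _, ip, mac in events:
        if kind == "is-at":
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("re-asked:", re_asks(ev))
    print("conflicting MACs:", conflicting_macs(ev))
```

Feed it `tcpdump -n arp` output saved to a file to run the same checks on a live segment.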
------------------------------

From: Hans Dumbrajs <[EMAIL PROTECTED]>
Subject: Re: Network Card Hanging
Date: Tue, 27 Apr 1999 13:56:09 +0300

Bernard Mwenda wrote:

> Hi,
>
> I am running Linux  2.0.29 slackware on my box which also is my proxy
> server. Everything works fine but from time to time the box ceases to see
> the rest of the network. Any Ideas?
>
> Bernard

Uhm.. what do you expect people to answer to a question like this?!?!?!?!
How about sending some log files and giving some more info??
There could be hundreds of reasons for your problem.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
