Linux-Networking Digest #898, Volume #11         Wed, 14 Jul 99 21:13:35 EDT

Contents:
  Re: DSL - cannot ping reliably to home machine (Brandon Warren)
  Bizarre broadcast storms with RH6? ([EMAIL PROTECTED])
  Re: eth0 default interface - eth1 can't be used (Richard B. Parry)
  Squid Performance Tuning ([EMAIL PROTECTED])
  VERY SEXY STUFF 67883 (Anonymous)
  help! my ftp service shutdown permanently! ("Json")
  Re: Per user:  Restricting Telnet but allowing FTP (Jeffrey Shaffer)
  Re: DHCPd & dual homed server ("Brent Priddy")
  Adding forwarding in firewall script (Chris McGarry)
  <access data from kernel> ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Brandon Warren)
Subject: Re: DSL - cannot ping reliably to home machine
Date: 14 Jul 1999 19:20:02 GMT


I have made some progress in troubleshooting my problem-

At work, my cron job, which runs every 15 minutes, now does:
1. ping my home machine - 4 packets, 1 sec apart
2. if all 4 packets fail, then ping every 15 seconds, 32 times

When step 1 fails, and it then sends a ping packet every 15 seconds,
the pings fail until 20 packets have been sent (5 minutes), then
the rest of the packets (12 left) return without error.  It is as
if my home computer goes to sleep, and it takes 5 minutes to wake it!

Another test I did was to run traceroute from work to home. I made
a note of the last hop before my home machine.  I then made my cron job,
which runs every 15 minutes, do:
1. ping home machine with 4 packets
2. if all 4 packets fail, then:
      2.1 ping the last hop before my home machine  --> THIS PING WORKS
      2.2 ping home again, to make sure it is still failing -> THESE PINGS FAIL

So, it looks like either my home machine, running Mandrake/Red Hat Linux 6.0,
is screwing up, or the router just before my home machine is not passing
the packets. Given that the packets start passing after 5 minutes, I suspect my
home machine.

Any thoughts?  Thanks for reading this far!

Brandon

[EMAIL PROTECTED] (David Kennedy) writes:

>I have also noticed this.  I have a small web site with some pictures
>of my kids on it.  For around 70% of the day I can not access it
>remotely.

>Now, I know you are thinking the obvious, ports are blocked.  I have
>also opened daytime, smtp and a few others.  Same thing, I can not
>connect to them very reliably.

>I check the logs and everything seems fine.

>On 12 Jul 1999 05:12:36 GMT, [EMAIL PROTECTED] (Brandon Warren)
>wrote:

>>
>>I have a DSL connection for my Linux box at home.
>>Everything works fine when I am sitting in front
>>of my home machine. The problem is accessing from
>>the outside - sometimes it works, sometimes it does 
>>not.  To test this problem, I set up my home machine
>>and my work machine to ping each other every 15 minutes.
>>
>>The result after 4 hours - pings from home to work
>>were reliable, pings from work to home either went through,
>>or did not go at all. The failures occurred while the pings
>>were successful in the other direction, so it's not like
>>the DSL connection was down.
>>
>>Any ideas?  Thanks in advance,
>>
>>Brandon
>>
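
The two-stage check described in the post above, written out as a cron-driven script. This is an added example, not Brandon's own cron job: the host name is a placeholder, the PING variable assumes the Linux iputils ping syntax, and both intervals and the log path can be overridden from the environment. Besides deciding up/down, it records on which of the 32 slow probes the far end first answered, which is the number that distinguishes "host asleep for five minutes" from "host unreachable".

```sh
#!/bin/sh
# Added example (not from the original post): a cron-driven reachability probe
# that mirrors the two-stage check described above and records how many
# 15-second probes fail before the far end answers again.
# HOST is a placeholder and PING assumes the Linux iputils ping syntax; both,
# like the two sleep intervals and the log path, can be overridden from the
# environment.

HOST="${HOST:-home.example.invalid}"     # placeholder for the home machine
PING="${PING:-ping -c 1 -W 1}"           # one echo request, 1 s reply timeout
FAST_GAP="${FAST_GAP:-1}"                # seconds between stage-1 probes
SLOW_GAP="${SLOW_GAP:-15}"               # seconds between stage-2 probes
LOG="${LOG:-/var/tmp/homeping.log}"      # each run appends one line here

# probe HOST -> exit 0 if the host answered a single echo request
probe() {
    $PING "$1" >/dev/null 2>&1
}

# Stage 1: four probes, one second apart. Succeeds if any of them is answered.
quick_check() {
    i=0
    while [ "$i" -lt 4 ]; do
        if probe "$HOST"; then return 0; fi
        i=$((i + 1))
        if [ "$i" -lt 4 ]; then sleep "$FAST_GAP"; fi
    done
    return 1
}

# Stage 2: up to 32 probes, SLOW_GAP seconds apart. Prints the 1-based index
# of the first answered probe, or 0 if none was answered, so the apparent
# "wake-up" delay can be read off as (index - 1) * SLOW_GAP seconds.
slow_check() {
    i=1
    while [ "$i" -le 32 ]; do
        if probe "$HOST"; then echo "$i"; return 0; fi
        i=$((i + 1))
        if [ "$i" -le 32 ]; then sleep "$SLOW_GAP"; fi
    done
    echo 0
}

# One cron run (e.g. "*/15 * * * * /usr/local/bin/homeping.sh run").
# Returns 0 when the host answered at some point, 1 when it never did.
run_check() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    if quick_check; then
        echo "$stamp OK: answered within the first four probes" >> "$LOG"
        return 0
    fi
    first=$(slow_check)
    if [ "$first" -eq 0 ]; then
        echo "$stamp DOWN: no answer in 32 probes" >> "$LOG"
        return 1
    fi
    echo "$stamp WOKE: first answer on probe $first, about $(( (first - 1) * SLOW_GAP )) s after stage 1 failed" >> "$LOG"
    return 0
}

# Only run when invoked with "run", so the file can also be sourced for testing.
if [ "${1:-}" = run ]; then run_check; fi
```

Over a day of runs the log then shows whether the first answer consistently lands around probe 21 (five minutes), which would point at something on the home side timing out and re-establishing state, rather than at a link that is simply down.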


------------------------------

From: [EMAIL PROTECTED]
Subject: Bizarre broadcast storms with RH6?
Date: Wed, 14 Jul 1999 23:41:56 GMT

Ok, this is a *weird* problem, but maybe somebody out there has had
something similar happen.  I'm using RH6 and Samba is running.  I am
using a Linksys 10/100 card with the tulip driver.  Occasionally when I
boot the computer, just as it finishes starting, my NIC starts sending
packets like crazy, pauses, then sends some more, and my collision light
on my Linksys 5 port hub goes red.  This renders my network useless.
The only way I've been able to stop this problem is to keep rebooting
until it finally doesn't do it (2-3 reboots).  Is it my NIC that's the
problem, the driver, or what?  Can anyone help?


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Richard B. Parry <[EMAIL PROTECTED]>
Subject: Re: eth0 default interface - eth1 can't be used
Date: Wed, 14 Jul 1999 23:40:52 GMT

=====BEGIN PGP SIGNED MESSAGE=====

Hello again;

What a wealth of replies I've received :)

All sarcasm aside, the problem is resolved:

In article <7loue9$6nu$[EMAIL PROTECTED]>,
  Richard B. Parry <[EMAIL PROTECTED]> wrote:
> Whilst I can get networking going, so to speak, the machine sends every
> packet through eth0.  So, whilst it knows that there's a directly
> connected subnet on eth1, it will send it all via eth0.

This was slightly erroneous.

Turns out the dodgy hardware on the machine was configuring a 3COM card
as eth0 regardless, but would (in some places) label it as eth1 (which
is what it was instructed to use).

The quick hack is of course to just tell it that the 3COM card is eth0,
and the eepro is eth1, and it works fine.

Doesn't matter which PCI slots the cards are in, what you tell it, etc.

Richard
- --
Richard Parry
[EMAIL PROTECTED]
Tonic for the thinking man.

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQEVAwUBN4x3XPVxtQ5VlW2tAQHxsAf/Xu4jLZTtUiQ3SQG3bJgcM4PSwtb3NDBw
/hXgAPc7bv+1zm/tGVGbaH9Bm4STd9EynYbD8cjRwZZDelyce82iQjl3pgV2qYlF
R6d1i25BOdVROrdONs4joj1VqsvrhNHnA8LSmjTeD0Dg9xETc547YySirB4opZfD
Exc2/DJ3KrMeKZ8ye8Ke0QtBwH3Ev8eyXLFXdiVHwr9DgnkylswjZGON7n+U36Nc
VY0hTSBQt1Nd8d+RWKMedYrszdGQ5cgfUma8RY81em7vPIfghxDijWbg24Qiulm6
ukSkZJ/cyxDEVQRKqyqmLRCVFDSu9mLu0wamMIsNwo7Aw2iQ5TxYPQ==
=4nwI
=====END PGP SIGNATURE=====



------------------------------

From: [EMAIL PROTECTED]
Subject: Squid Performance Tuning
Date: Wed, 14 Jul 1999 23:57:53 GMT

Hey Everyone :)

 I'm kind of hoping someone out there can help me out with either some
tips or pointers to URLs :)  I've been searching the net and as we all
know finding up-to-date and proper tuning information for most Linux related
applications is pretty hard to come by.

 I've been given the task of setting up squid as a caching web proxy for a
fairly large number of users. As it stands right now I've been allotted a
PII-450 with 512Meg of RAM and 3 9gig SCSI drives with a 100Mb NIC. It's a
dual motherboard so later if need be I can add another CPU but I doubt
that will be the first of my bottlenecks :) I'm planning to get more
drives soon so that shouldn't be the first bottleneck either.

 Basically I'm looking for pointers on everything I can do to optimize the
hell out of it. I'm planning to set noatime on the mounted drives in order
to cut down on unneeded disk IO but other than that I really don't know
what would be the best way to configure it for maximum performance.

1. Should I set the drives up as a RAID0 drive or should I leave them as
   "separate" drives ? 

2. Any special tweaks I can set in the squid config?

3. Any tweaks I should do to the kernel source ? Increase filedescriptors?

4. How do I find out just how close the proxy is getting to the fd limit
   that's there now ?

5. Anything I haven't thought of or mentioned ? :)



-- 
---
Sometimes you can learn more by watching an idiot
than you can by listening to a genius.
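
Question 4 above (how close is the proxy to its descriptor limit) can be answered from /proc without touching squid at all. The following is an added example, not something from the post or from squid: it counts what a process holds open under /proc/<pid>/fd, reads its soft limit from /proc/<pid>/limits (a file kernels have only had since 2.6.24; on older kernels it falls back to this shell's "ulimit -n", which is an assumption about how the daemon was started), and prints the kernel-wide figures from /proc/sys/fs/file-nr and file-max. PID is whatever "pidof squid" or the pid file gives.

```sh
#!/bin/sh
# Added example (not from the original post): answers question 4 above in a
# generic way by counting the descriptors a daemon holds open
# (/proc/<pid>/fd) against its soft limit (/proc/<pid>/limits), and by
# reading the system-wide figures from /proc/sys/fs/file-nr and file-max.
# /proc/<pid>/limits exists from kernel 2.6.24 on; on older kernels the
# per-process limit falls back to "ulimit -n" of the calling shell, which is
# an assumption about how the daemon was started. Nothing here is specific
# to squid; PID is whatever "pidof squid" (or the pid file) gives.

# fd_used PID -> prints how many descriptors PID currently has open
fd_used() {
    [ -d "/proc/$1/fd" ] || return 1
    ls "/proc/$1/fd" | wc -l | tr -d ' '
}

# fd_limit PID -> prints PID's soft limit on open files (may print "unlimited")
fd_limit() {
    if [ -r "/proc/$1/limits" ]; then
        awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
    else
        ulimit -n    # assumption: the daemon inherited this shell's limit
    fi
}

# fd_percent USED LIMIT -> prints the integer percentage of LIMIT in use;
# exit 1 when LIMIT is not a positive number (e.g. "unlimited")
fd_percent() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# fd_report PID [THRESHOLD] -> prints "PID USED LIMIT PCT"; exit 0 below the
# threshold (default 80 %), 1 at or above it, 2 if the figures are unavailable
fd_report() {
    pid=$1
    threshold=${2:-80}
    used=$(fd_used "$pid") || return 2
    limit=$(fd_limit "$pid")
    pct=$(fd_percent "$used" "$limit") || return 2
    echo "$pid $used $limit $pct"
    [ "$pct" -lt "$threshold" ]
}

# system_fd_report -> prints "ALLOCATED MAX" for the whole kernel
system_fd_report() {
    [ -r /proc/sys/fs/file-nr ] || return 1
    awk '{ print $1 }' /proc/sys/fs/file-nr | tr -d '\n'
    printf ' %s\n' "$(cat /proc/sys/fs/file-max)"
}

# Example invocation: report on this shell itself.
fd_report "$$" || echo "descriptor pressure or figures unavailable (status $?)"
```

Run fd_report from cron against the proxy's pid with the threshold you care about; its exit status is what to alert on, and a steadily rising USED column against a fixed LIMIT is the signal that the descriptor limit, not the disks, is the next bottleneck.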

------------------------------

Crossposted-To: comp.os.linux.misc,comp.os.linux.setup,comp.os.linux.x,comp.os.lynx
Subject: VERY SEXY STUFF 67883
Date: Wednesday, 14 Jul 1999 15:51:02 -0600
From: Anonymous <[EMAIL PROTECTED]>

ADULTS ONLY!

Click the link below:

http://www.sexbabes.nu

* 18+ Only  Please!

  --------== Posted Anonymously via Newsfeeds.Com ==-------
     Featuring the worlds only Anonymous Usenet Server
    -----------== http://www.newsfeeds.com ==----------

------------------------------

From: "Json" <[EMAIL PROTECTED]>
Crossposted-To: it.comp.linux.setup,jaring.os.linux,linux.redhat.misc
Subject: help! my ftp service shutdown permanently!
Date: Thu, 15 Jul 1999 03:28:02 +0800

I have installed Red Hat 6.0 on a LAN PC and connected it to the Internet
successfully. I can telnet and FTP log in to the server from outside.
Last day I typed in the command: "ftpshut now"
The service is closed, and other PCs can't log in to it.
After I restarted it, I still can't log in using the FTP service from another
computer. Did the command change some file setting related to the FTP service
that permanently disables the FTP service?
If so, how do I solve it? Please email or post to the news server if you know
the answer.. thanks for reading my message.





------------------------------

From: Jeffrey Shaffer <[EMAIL PROTECTED]>
Subject: Re: Per user:  Restricting Telnet but allowing FTP
Date: Thu, 15 Jul 1999 08:14:59 -0400

Hello,

Brian Kuschak wrote:

> Hello,
>
> I'd like to be able to allow certain users or groups to have access to
> FTP, but not allow them to login via telnet.

In order to disallow certain IPs or even ALL access to your telnet service,
you can use the /etc/hosts.deny file. RedHat 5.2 runs the different services
through your inetd (super internet daemon). If you look in
/etc/inetd.conf you'll see the in.telnetd service is started after being
passed through the tcpd wrapper. The tcpd wrapper checks the hosts.deny and
hosts.allow in that order. Just add:    in.telnetd : ALL
in the /etc/hosts.deny and that should do it.

With this you can deny ip, but not specific users.

Hope this works.

Jeff
Unix System Admin.
Embry-Riddle Aeronautical University
ext. 7003

>
>
> I've tried disallowing access in /etc/security/access.conf like this
> -:username:ALL     (It is the first in the list)
>
> But this seems to have no effect.  Why?
>
> Would a restricted shell be the way to go, just restrict everything?
> Or is there another file that I should use, something like /etc/ftpusers
> but for telnet.
>
> Any help would be appreciated.
> Thanks,
> Brian
> [EMAIL PROTECTED]
> PS using RH 5.2
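
A small model of the tcpd decision the reply above relies on, added here as an example (it is not part of either post and not tcp_wrappers code). It follows the rule as hosts_access(5) documents it: a (daemon, client) pair matching an entry in /etc/hosts.allow is admitted, otherwise a pair matching /etc/hosts.deny is refused, otherwise it is admitted. Only the simple pattern forms are modelled (ALL, an exact daemon or client name, a "192.168.1." network prefix and a ".example.com" domain suffix); EXCEPT lists and the option fields are not. The files and addresses in demo() are constructed, and the output makes the limitation in the reply concrete: the decision is per client and per daemon, so "in.telnetd : ALL" keeps ftp open and cannot single out one user.

```sh
#!/bin/sh
# Added example (not from the original posts): a small model of how tcpd
# consults /etc/hosts.allow and /etc/hosts.deny, following the rule in
# hosts_access(5): a (daemon, client) pair matching hosts.allow is admitted;
# otherwise a pair matching hosts.deny is refused; otherwise it is admitted.
# Only the simple pattern forms are modelled (ALL, an exact daemon or client
# name, a "192.168.1." network prefix and a ".example.com" domain suffix);
# EXCEPT lists and option fields are not. The files and addresses in demo()
# are constructed for the demonstration.

# pattern_matches PATTERN VALUE -> exit 0 if the tcpd-style PATTERN covers VALUE
pattern_matches() {
    pat=$1
    val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac; return 1 ;;   # net prefix
        .*)  case "$val" in *"$pat") return 0 ;; esac; return 1 ;;   # domain suffix
        *)   [ "$pat" = "$val" ] ;;
    esac
}

# list_matches "a, b c" VALUE -> exit 0 if any pattern in the list covers VALUE
list_matches() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        if pattern_matches "$pat" "$2"; then return 0; fi
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> exit 0 if some "daemons : clients" line
# in FILE matches both; comments and lines without a colon are ignored.
file_matches() {
    file=$1
    daemon=$2
    client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# tcpd_decision DAEMON CLIENT ALLOWFILE DENYFILE -> prints allow or deny
tcpd_decision() {
    if file_matches "$3" "$1" "$2"; then
        echo allow
    elif file_matches "$4" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# demo: the "in.telnetd : ALL" rule from the reply above plus one hosts.allow
# entry letting a single (constructed) admin address through. Prints the
# decision for telnet from an outside host, telnet from the admin host and
# ftp from the outside host.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
# constructed sample: the admin workstation may still telnet in
in.telnetd : 192.168.1.5
EOF
    cat > "$dir/hosts.deny" <<'EOF'
# constructed sample: the rule suggested in the reply
in.telnetd : ALL
EOF
    printf '%s %s %s\n' \
        "$(tcpd_decision in.telnetd 10.0.0.7 "$dir/hosts.allow" "$dir/hosts.deny")" \
        "$(tcpd_decision in.telnetd 192.168.1.5 "$dir/hosts.allow" "$dir/hosts.deny")" \
        "$(tcpd_decision in.ftpd 10.0.0.7 "$dir/hosts.allow" "$dir/hosts.deny")"
    rm -rf "$dir"
}

demo
```

The demo prints "deny allow allow". Note the third word: because tcpd matches on daemon and client address only, the hosts.deny entry does nothing for in.ftpd, which is the behaviour the reply describes, and a per-user restriction has to come from the login side instead.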




------------------------------

From: "Brent Priddy" <[EMAIL PROTECTED]>
Subject: Re: DHCPd & dual homed server
Date: Wed, 14 Jul 1999 18:42:33 -0500

This is not a joke, but switch the cables and IP addresses. It should work
fine.

Brent



------------------------------

From: Chris McGarry <[EMAIL PROTECTED]>
Subject: Adding forwarding in firewall script
Date: Wed, 14 Jul 1999 17:22:04 -0700

    I need to add a few forward chains to a firewall script I built at
http://rlz.ne.mediaone.net/linux/firewall/index.html without losing the
security of it, to allow for a VPN (using FreeS/WAN) to take place. Any
ideas where I need to add these lines:


ipchains -A forward -p all -j ACCEPT -s 192.168.57.0/24 -d 192.168.65.0/0
ipchains -A forward -p all -j ACCEPT -s 192.168.65.0/24 -d 192.168.57.0/0
ipchains -A forward -p all -j MASQ -s 192.168.57.0/24 -d 0.0.0.0/0


in this script?

#!/bin/sh
#
# ============================================================================

# Copyright (C) 1997, 1998, 1999  Robert L. Ziegler
#
#  Permission to use, copy, modify, and distribute this software and its
#  documentation for educational, research, private and non-profit purposes,
#  without fee, and without a written agreement is hereby granted.
#  This software is provided as an example and basis for individual firewall
#  development.  This software is provided without warranty.
#
#  Any material furnished by Robert L. Ziegler is furnished on an
#  "as is" basis.  He makes no warranties of any kind, either expressed
#  or implied as to any matter including, but not limited to, warranty
#  of fitness for a particular purpose, exclusivity or results obtained
#  from use of the material.
#
# ============================================================================

#
#  /etc/rc.d/rc.firewall
#  Invoked from /etc/sysconfig/network-scripts/ifdhcpc-done.

echo "Starting firewalling... "

# Some definitions for easy maintenance.

ANYWHERE="any/0"

# ============================================================================

#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0"               # whichever you use
LOCAL_INTERFACE_1="eth1"                # whichever you use
LOCALNET_1="192.168.57.0/24"            # whatever private range you use

SMTP_SERVER="any/0"     # Your external server.  Your relay.
POP_SERVER="any/0"        # Your external server.
NEWS_SERVER="news.pacbell.net"

NAMESERVER_1="206.13.31.12"
NAMESERVER_2="206.13.28.12"

# ============================================================================

IPADDR="xxx.xxx.xxx.xxx"
LOOPBACK_INTERFACE="lo"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="240.0.0.0/3"
BROADCAST_0="0.0.0.0"
BROADCAST_1="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
RESTRICTED_PORTS="2049"                 # (TCP/UDP) NFS
RESTRICTED_OPENWINDOWS="2000"           # (TCP) openwindows

# X Windows port allocation begins at 6000 and increments
# for each additional server running.
RESTRICTED_XWINDOWS="6000:6001"         # (TCP) X windows

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1023"                        # range for SSH privileged ports

# ============================================================================

# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Set the default policy of the filter to deny.
    ipchains -P input  DENY
    ipchains -P output DENY
    ipchains -P forward DENY

# ============================================================================

# Network Ghouls
# Deny access to jerks

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.

    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        . /etc/rc.d/rc.firewall.blocked
    fi

# ============================================================================

# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse spoofed packets pretending to be to or from the external address.
    ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
    ipchains -A output -i $EXTERNAL_INTERFACE -d $IPADDR -l -j REJECT

    # Refuse packets claiming to be to or from a Class A private network

    ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A  -j DENY
    ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A  -j DENY
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A  -j REJECT
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A  -j REJECT

    # Refuse packets claiming to be to or from a Class B private network

    ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B  -j DENY
    ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B  -j DENY
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B  -j REJECT
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B  -j REJECT

    # Refuse packets claiming to be to or from a Class C private network

    ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C  -j DENY
    ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C  -j DENY
    ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C  -j REJECT
    ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C  -j REJECT

    # Refuse packets claiming to be to or from the loopback interface
    ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j DENY
    ipchains -A input  -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j DENY
    ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j REJECT
    ipchains -A output -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j REJECT

    # Refuse broadcast address SOURCE packets
    ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_1 -l -j DENY
    ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_0 -l -j DENY

    # Refuse multicast/anycast/broadcast addresses (in.h) (NET-3-HOWTO)
    ipchains -A input -i $EXTERNAL_INTERFACE -s $MULTICAST  -j DENY

# ============================================================================

# ICMP

    #    To prevent denial of service attacks based on ICMP bombs, filter
    #    incoming Redirect (5) and outgoing Destination Unreachable (3).

    #    Note, however, disabling Destination Unreachable (3) is not
    #    advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.

    #
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    #
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: Echo_Reply
    #  3: Dest_Unreachable, Network_Unavailable, Service_Unavailable, etc.
    #  4: Source_Quench
    #  5: Redirect
    #  8: Echo_Request
    # 11: Time_Exceeded
    # 12: Parameter_Problem

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 0 -d $IPADDR  -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 3 -d $IPADDR  -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 4 -d $IPADDR  -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 11 -d $IPADDR  -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 12 -d $IPADDR  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 3 -d $ANYWHERE  -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 4 -d $ANYWHERE  -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 8 -d $ANYWHERE  -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR 12 -d $ANYWHERE  -j ACCEPT

# ============================================================================

# Disallow certain outgoing traffic to protect yourself from mistakes.

    # openwindows: establishing a connection
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $IPADDR \
             -d $ANYWHERE $RESTRICTED_OPENWINDOWS -j REJECT

    # Xwindows: establishing a connection
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $IPADDR \
             -d $ANYWHERE $RESTRICTED_XWINDOWS -j REJECT

    # SOCKS: establishing a connection
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $IPADDR \
             -d $ANYWHERE 1080 -j REJECT

# ============================================================================

# LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT

# ============================================================================

# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ============================================================================

# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    # Deny access to the NFS, openwindows and X windows unprivileged ports
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -d $IPADDR $RESTRICTED_PORTS -l -j DENY

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -d $IPADDR $RESTRICTED_OPENWINDOWS -l -j DENY

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -d $IPADDR $RESTRICTED_XWINDOWS -l -j DENY

    # SOCKS: incoming connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -s $ANYWHERE \
             -d $IPADDR 1080  -j DENY

# ============================================================================

# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -d $IPADDR $RESTRICTED_PORTS -l -j DENY

    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 32769:65535 \
             -d $IPADDR 33434:33523 -l -j DENY

# ============================================================================

    # DNS client (53)
    # ---------------
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53  -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53  -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53  -j ACCEPT

    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53  -j ACCEPT

# ============================================================================

    # TCP accept only on selected ports
    # ---------------------------------
    # ------------------------------------------------------------------

    # HTTP client (80)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 80 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 80  -j ACCEPT

    # ------------------------------------------------------------------

    # HTTPS client (443)
    # ------------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 443 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 443  -j ACCEPT

    # ------------------------------------------------------------------

    # POP client (110)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $POP_SERVER 110 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $POP_SERVER 110  -j ACCEPT

    # ------------------------------------------------------------------

    # NNTP NEWS client (119)
    # ----------------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $NEWS_SERVER 119 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $NEWS_SERVER 119  -j ACCEPT

    # ------------------------------------------------------------------

    # FINGER client (79)
    # ------------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 79 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 79  -j ACCEPT

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE \
             -d $IPADDR 113  -j REJECT

    # AUTH client (113)
    # -----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 113 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 113  -j ACCEPT

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $SMTP_SERVER 25 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $SMTP_SERVER 25  -j ACCEPT

    # ------------------------------------------------------------------

    # FTP server (20, 21)
    # -------------------

    # incoming request

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
             -s $ANYWHERE $UNPRIVPORTS \
             -d $IPADDR 21  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $IPADDR 21 \
             -d $ANYWHERE $UNPRIVPORTS  -j ACCEPT

    # PORT MODE data channel responses
    #
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR 20  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR 20 \
            -d $ANYWHERE $UNPRIVPORTS  -j ACCEPT

    # FTP client (20, 21)
    # -------------------

    # outgoing request
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 21 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 21  -j ACCEPT

    # NORMAL mode data channel
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
            -s $ANYWHERE 20 \
            -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    # NORMAL mode data channel responses
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE 20  -j ACCEPT

    # PASSIVE mode data channel creation
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
            -s $IPADDR $UNPRIVPORTS \
            -d $ANYWHERE $UNPRIVPORTS  -j ACCEPT

    # PASSIVE mode data channel responses
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
            -s $ANYWHERE $UNPRIVPORTS \
            -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -s $ANYWHERE 43 \
             -d $IPADDR $UNPRIVPORTS  -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR $UNPRIVPORTS \
             -d $ANYWHERE 43  -j ACCEPT

# ============================================================================

# UDP accept only on selected ports
# ---------------------------------

    # ------------------------------------------------------------------

    # OUTGOING TRACEROUTE
    # -------------------
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 32769:65535 \
             -d $ANYWHERE 33434:33523  -j ACCEPT

# ============================================================================

# Unlimited traffic within the local network.

    # All internal machines have access to the firewall machine.

    ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1  -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1  -j ACCEPT

# ============================================================================

# Masquerade internal traffic.

    # All internal traffic is masqueraded externally.

    ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

# ============================================================================

# Enable logging for selected denied packets

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -l -j DENY

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -l -j DENY

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -l -j DENY

    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 5 -d $IPADDR -l -j DENY
    ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
             -s $ANYWHERE 13:18 -d $IPADDR -l -j DENY

# ============================================================================

echo "done"

exit 0

Thank you very much for your time,
Chris McGarry
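
Before placing forward rules in a script whose default forward policy is DENY, it is worth checking the masks they carry. In ipchains an address written ADDR/0 has a zero-bit mask and therefore matches every address, so "192.168.65.0/0" is the same as any/0: a forward rule accepting -s 192.168.57.0/24 -d 192.168.65.0/0 would pass traffic from the LAN to anywhere, and because a chain stops at the first matching rule, a MASQ rule placed after it would never be reached for that traffic. The following lint pass is an added example (it is ours, not part of ipchains or of the script above); its sample input is the three rule lines from the post, and it flags any -s or -d argument with a /0 mask on a non-zero address or a mask longer than 32 bits.

```sh
#!/bin/sh
# Added example (not from the original post): a lint pass over ipchains rule
# lines that flags address arguments whose mask cannot mean what the author
# intended. ADDR/0 matches every address (a zero-bit mask), so a private
# network written with /0 is equivalent to any/0. The checks are ours, not
# part of ipchains; the sample rules in demo_lint are the three lines from
# the post above.

# lint_rules  (rules on stdin) -> prints "BAD: <rule>  (reason)" for each
# suspicious rule; exit 0 if nothing was flagged, 1 otherwise.
lint_rules() {
    awk '
    /^[ \t]*(#|$)/ { next }                            # comments and blank lines
    {
        bad = ""
        for (i = 1; i < NF; i++) {
            if ($i != "-s" && $i != "-d") continue
            spec = $(i + 1)
            n = split(spec, part, "/")
            if (n != 2) continue                       # bare host: no mask to check
            addr = part[1]
            bits = part[2] + 0
            if (bits > 32)
                bad = "mask " spec " is longer than 32 bits"
            else if (bits == 0 && addr != "0.0.0.0" && addr != "any")
                bad = spec " is a /0 mask: it matches every address, not that network"
        }
        if (bad != "") { print "BAD: " $0 "  (" bad ")"; found++ }
    }
    END { exit (found > 0) }'
}

# demo_lint -> runs the lint over the three forward rules from the post
demo_lint() {
    lint_rules <<'EOF'
# sample input: the three forward rules from the post above
ipchains -A forward -p all -j ACCEPT -s 192.168.57.0/24 -d 192.168.65.0/0
ipchains -A forward -p all -j ACCEPT -s 192.168.65.0/24 -d 192.168.57.0/0
ipchains -A forward -p all -j MASQ -s 192.168.57.0/24 -d 0.0.0.0/0
EOF
}

if demo_lint; then
    echo "no findings"
else
    echo "findings listed above; a non-zero status makes this usable as a pre-commit check"
fi
```

Run on the rules from the post, the first two lines are flagged and the MASQ line passes, since 0.0.0.0/0 is the one place where a /0 mask is what is meant. The same function can be pointed at a whole script with "grep '^ *ipchains' rc.firewall | lint_rules".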




------------------------------

From: [EMAIL PROTECTED]
Subject: <access data from kernel>
Date: Wed, 14 Jul 1999 23:53:41 GMT

Hi,

While working on my project, I have to modify the kernel on Linux. The thing is,
how can I send parameters from user space to the kernel (to the function
I created) and get the result back? Can anyone point out an "easy way" to
do it? I saw a lot of information recorded in /proc. Is it
possible to do it that way? (kernel-->/proc/logfile--->userprogram, but
how about user---? ---> kernel)

TIA,

C.L.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
