Linux-Networking Digest #931, Volume #11         Sun, 18 Jul 99 13:13:32 EDT

Contents:
  Re: My Dissapointment to find Linux not a viable solution (mlw)
  Re: netgroups, nfs, and Redhat 6.0 (Denice)
  Re: IPChains and IPMasquerading (Monte Phillips)
  Re: Samba and Printers on Win95 question (Monte Phillips)
  Re: Connect to ISP when phone rings: is this possible? (Peter Caffin)
  Re: IP alias mystery (Larry Fahnoe)
  linuxconf and ipalias error messages (Olivier Baudron)
  Re: IPChains and IPMasquerading (Larry Fahnoe)
  Re: HELP!!! I Need a solution - Up for a challenge? (Bill Steiner)
  Re: Odd output from ipchains -L (Alex Butcher)
  Re: HELP!!! I Need a solution - Up for a challenge? ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: mlw <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.advocacy,comp.security.firewalls
Subject: Re: My Dissapointment to find Linux not a viable solution
Date: Sun, 18 Jul 1999 14:26:28 +0000

mlw wrote:
Correction: PI->IP I HATE spell checkers. I must have hit replace all
instead of ignore all. Oops!

> 
> Tam McLaughlin wrote:
> >
> > mlw wrote:
> >
> > >
> > > > So, I have been informed that the linux server is not secure and we
> > > > need a proper firewall.
> > >
> > > What is a "proper" firewall, and how is it different from the
> > > firewalling software that comes with most distributions? If you want
> > > real security use the Linux proxy server or even IP Masquerading.
> > >
> >
> > I am not sure anymore what a proper firewall is.  I understood firewall
> > to mean that we have some type of protection between our LAN and the
> > rest of the world that makes our LAN invisible to the outside world
> > while the line is up. I believed that the delegate proxy server would
> > do this since data has to pass between the proxy server and our
> > network/internet. Also it is a single modem dialling up to our ISP and
> > we are allocated a dynamic IP address. I do not think we require IP
> > masquerading since this would mean we need to buy some legal IP
> > addresses from our ISP ?
> 
> If you have a single dynamic IP address, you don't need much of (any?) a
> firewall. PI masquerading allows other machines to use the PI connection
> through the connected machine. Since you have only one PI it is not
> possible to connect directly from the outside Internet to an inside
> machine on your network. One can telnet into the gateway machine and do
> damage from there, but that can be controlled with hosts.deny and
> hosts.allow.
> 
> Firewalls are used to control communication between the outside world
> and the inside network. This is important when there is an PI mapping
> from outside to inside machines. Since no machine on your network
> (assuming 192 address) has a valid Internet PI address they are safe.
> 
> >
> > >
> > > > We also need a better method of virus scanning rather than updating
> > > > each PC each month. I believe we could use samba for this with some
> > > > type of network AV software.
> > >
> > > Anti-virus software has to execute on a PC. If you need to have company
> > > wide virus scanning, put McAfee on a network drive. In the startup
> > > script for your NOS have the client copy it locally.
> > >
> > > Every couple months, when McAfee has an update, simply copy the files
> > > to the network directory. Windows machines reboot at least every week,
> > > so no problem.
> > >
> > > >
> >
> > This sounds like what I want to do and would like to try this with samba
> 
> Yes, samba makes a Linux box look like just another Windows machine
> sharing data. Samba can manage user log in as well.
> 
> >
> > >
> > > > I know that I could go out and buy an NT server with MSProxy or
> > > > whatever and some email package, firewall-1 and mime-sweeper. But
> > > > this would cost a hell of a lot of money which I don't know our
> > > > company would be willing to pay for (ok, I know all about the
> > > > importance how much is our data worth etc etc...).
> > >
> > > The e-mail virus scanner is the only thing that Linux does not have,
> > > simply because it does not need it. However, you could easily setup an
> > > e-mail scanner that looks for attachments that end in ".doc" ".com" and
> > > ".exe."
> > >
> >
> > There have been many opinions on whether mail should be scanned for
> > viruses on a linux (or any server). Whether there are any viruses for
> > Linux or not is the point not that Linux is acting as a mail server
> > therefore there should be some program that scans all incoming mail to
> > check for viruses and either discard or notify or whatever before the
> > mail gets to the desktop? To purely rely on users to scan for viruses
> > is not good enough (in my experience anyway).
> 
> The issue is what do you scan? .Zip files? .arc .sit .lz .exe, .doc,
> .com? Perhaps a cursory scan for .doc files, but your best protection is
> software running on a client machine. Also, many companies have mandated
> policy that documents be exchanged in .RTF format.
> 
> >
> > >
> > > >
> > > > So, why is there Linux based solution. Why is there no AV scanning
> > > > software that can run on Linux? If there is, does anyone know of a
> > > > local company that can help us?
> > >
> > > The only thing that you are missing with the Linux system is the e-mail
> > > checker. So, assuming you will have to buy NT server, 150 licenses,
> > > firewall-1, and "mime-sweeper" you are looking at a minimum of $10,000.
> > > That is 100 consultant hours at $100. If you can't write the e-mail
> > > scanner script in a day or two (with proper testing) you can hire a
> > > consultant for a full week, and still be ahead.
> > >
> >
> > I would not know where to start but it sounds like an interesting project.
> 
> I think the gains would be marginal. The only benefit would be to keep
> morons from having an issue with which to criticize.
> 
> --
> Mohawk Software
> Windows 95, Windows NT, UNIX, Linux. Applications, drivers, support.
> Visit http://www.mohawksoft.com

-- 
Mohawk Software
Windows 95, Windows NT, UNIX, Linux. Applications, drivers, support. 
Visit http://www.mohawksoft.com
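
[Added example, not part of the original post or of any package named in
the thread: a sketch of the attachment check discussed above, which flags
MIME parts whose filename ends in ".doc", ".com" or ".exe". It uses Python's
standard email package; the function name, the sample message and its
addresses are constructed for illustration.]

```python
import email

# Extensions named in the thread; extend to match local policy.
BLOCKED_EXTENSIONS = {".doc", ".com", ".exe"}

# Constructed sample: one attachment sits inside a nested multipart, one
# uses upper case, one carries a trailing dot after the extension.
SAMPLE = b"""\
From: sender@example.org
To: staff@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

See attached.
--outer
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/msword; name="Minutes.DOC"
Content-Disposition: attachment; filename="Minutes.DOC"

(constructed placeholder body)
--inner
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"

(constructed placeholder body)
--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.exe."

(constructed placeholder body)
--outer--
"""


def flagged_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Return the filenames of all parts whose name ends in a blocked extension."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():            # walk() also visits nested multiparts
        # get_filename() reads Content-Disposition "filename" and falls
        # back to the "name" parameter of Content-Type.
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and ignore trailing dots and spaces,
        # so "setup.exe." is still treated as ending in ".exe".
        cleaned = name.strip().rstrip(". ").lower()
        if any(cleaned.endswith(ext) for ext in blocked):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(flagged_attachments(SAMPLE))
```

The check looks only at the declared filename, so it is a policy filter on
names and not a content scan.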

------------------------------

Crossposted-To: comp.os.linux.admin,comp.os.linux.help,comp.os.linux.setup
Subject: Re: netgroups, nfs, and Redhat 6.0
From: Denice <[EMAIL PROTECTED]>
Date: 18 Jul 1999 16:46:40 +0100

"Brian Fernald" <[EMAIL PROTECTED]> writes:

>We have a bunch of SUN file servers using netgroups to control access via
>NFS.   In /etc/dfs/dfstab, the share lines are as follows :

>share -F nfs -o rw=staff1, root=machine.domain.com /share

>where staff1 is the name of a netgroup.  This works fine among the Sun
>clients and Redhat 5.2 clients.... however, RedHat 6.0 gives the following
>errors upon logging in :

>call_verify:server requires stronger authentication
>call_verify:unknown auth error: 5

>It allows login, and one can see the nfs mounts.. however you cannot write,
>and programs behave very strange... and Xwindows will not start.

>If I take the netgroup out of the share, ie :

>share -F nfs -o rw, root=machine.domain.com /share

>there are no problems.. however, security is lacking....
>Does anyone have a suggestion of where to begin with troubleshooting this
>one ??

strange.  I have no problem at redhat 6 (nor at redhat 5, except for
performance issues).  I have separate netgroups for solaris and linux, but
this is only a convenience for me to separate some of the functionality
between the two systems.  A typical entry from /etc/dfs/dfstab for us is:

share -F nfs -o rw=trusted_suns:trusted_linux,root=node.domain.com /export/stuff

 where trusted_suns and trusted_linux are two netgroups.

All mounting is via automount points, and we use NIS.  What are you using for 
user authentication?  Do you have any uid problems?


-- 
denice.deatrich @ NospaM.epfl.ch, EPFL - LCAV / LCM    PH: +41 (21) 693-5643
                  (If replying by email please remove 'NospaM' from address.)
<*> This moment's fortune cookie:
A successful [software] tool is one that was used to do something
undreamed of by its author.
                -- S. C. Johnson



------------------------------

From: [EMAIL PROTECTED] (Monte Phillips)
Subject: Re: IPChains and IPMasquerading
Date: Sun, 18 Jul 1999 12:35:14 GMT

Simple,  you simply add the line(s) to the bottom of the rc.local
file, it runs upon login.
the lines beginning with ipchains etc  are what start it.
Have you read the IPchainsHOWTO?
Do so.   It answers all of the questions you are asking.  If you do
not understand something in the HOWTO's or maybe it seems not to apply
to your situation, then come back to the newsgroups for help.  Some
folks around here have little patience with lazy newbies.


<[EMAIL PROTECTED]> wrote:
>I have read many different instructions on IPChains and Masquerading,
>and am still confused. Some talk about adding a line to the rc.local
>file, others don't. The rc.local file is a script, so where in there
>would I insert the line to run ipchains? Another talks about writing a
>ipchains script, but leaves out what folder to put it in and what name
>to call it. I have the how-to printed but shoot, that is so huge, isn't
>there an easy way, some simple instructions that don't leave out parts?

>I just have 4 pc's connected via a hub (peer to peer) and a isdn
>terminal adapter (not router) on one of the pc's. Also, if this works
>for the linux machines to access the net through the one, can win98
>machines also access the net through the linux box? And can each machine
>tell the TA to dial and disconnect? or does that have to be done on the
>one pc?
>Chip


------------------------------

From: [EMAIL PROTECTED] (Monte Phillips)
Subject: Re: Samba and Printers on Win95 question
Date: Sun, 18 Jul 1999 12:41:47 GMT

"Patrick" <[EMAIL PROTECTED]> wrote:
>I have been able to print to a Win95 box through smbclient however I cannot
>get smbmount to mount the service. I get the invalid argument error from
>mount. I have mounted the disks on both the win95 and win98 boxes so I can
>definitely see them.
>Any simple fixes/solutions?


Well you said 'simple' so here it is. 
(providing that your smb.conf [printers] is correct)
Simply go into Xwindows and use printtool, set up your smb shared
printer and all is well.



------------------------------

From: Peter Caffin <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc
Subject: Re: Connect to ISP when phone rings: is this possible?
Date: Sun, 18 Jul 1999 22:00:45 +0800

TAT wrote:
> Is it possible to have my modem detect an incoming call, hang up
> on that call and immediately run pppon? I'd like to connect to my
> home machine from office, and I don't have a modem at office.

I believe that mgetty is capable of doing this. Have a look at the
Mgetty Homepage at http://www.leo.org/~doering/mgetty/index.html
and the Usenet newsgroup de.alt.comm.mgetty.

--:     _           _    _ _
 _oo__ |_|_ |__  _ |  _ |_|_o _  peter at ptcc dot it dot net dot au |
//`'\_ | (/_|(/_|  |_(_|| | || |                http://it.net.au/~pc |
/                            PO Box 869, Hillarys WA 6923, AUSTRALIA |

------------------------------

From: Larry Fahnoe <[EMAIL PROTECTED]>
Subject: Re: IP alias mystery
Date: Sun, 18 Jul 1999 10:26:23 -0500

Tom,

eth0:0 is an alias interface, look at the eth0 interface itself and you
will see the TX / RX lines (use /sbin/ifconfig -i eth0).  In other
words, counters are not being kept/displayed for the alias interfaces
but are for the "real" interfaces.  

--Larry

Tom Ed White wrote:
> 
> I've been good and followed all the instructions, having enabled both ip
> aliasing and masquerading in the kernel (ver 2.2.10) configs. The kernel,
> though, is behaving as if aliasing was not turned on. When I bring up the
> interface, it looks like this:
> 
> eth0:0    Link encap:Ethernet  HWaddr 00:90:27:5C:84:D8
>           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
>           Interrupt:12 Base address:0xe000
> 
> Note that all the RX and TX packet lines, as well as the collisions line,
> are missing.
> 
> Also, here is /proc/net:
> 
> arp            ip_fwchains    netlink        rt_cache       udp
> dev            ip_fwnames     netstat        snmp           unix
> dev_mcast      ip_masq        raw            sockstat
> dev_stat       ip_masquerade  route          tcp
> 
> Note that the alias file is not there!
> 
> Perhaps I should enable ip aliasing as a module and explicitly load it?
> 
> Thanks,
> Tom Ed White

-- 
Larry Fahnoe, Fahnoe Technology Consulting, [EMAIL PROTECTED]
612/925-0744     Minneapolis, Minnesota    [EMAIL PROTECTED]

------------------------------

From: Olivier Baudron <[EMAIL PROTECTED]>
Subject: linuxconf and ipalias error messages
Date: Sun, 18 Jul 1999 17:18:36 +0200

When my lo interface is activated by "ifup lo", I obtain 50 error messages
saying that modprobe could not find the module lo (???)
I isolated the problem in the command "linuxconf --hint ipalias lo" from the
script /etc/sysconfig/network-script/ifup-aliases.
Is the linuxconf (version 1.14r4 on a RH6.0) broken ?

Olivier.

------------------------------

From: Larry Fahnoe <[EMAIL PROTECTED]>
Subject: Re: IPChains and IPMasquerading
Date: Sun, 18 Jul 1999 10:52:05 -0500

One thing about the difference between the Windows world and the UNIX
world: the former was designed to protect users from themselves, the
latter was not.  You have a bunch of homework to do before things become
easy, but once there, things that you consider mysterious are simple
puzzles to be enjoyed.

Here is an answer to your ipchains question.  /etc/rc.d/rc.local is run
only at boot time.  If you chase down how your interfaces get
configured, your system may invoke /sbin/ifup-local as the last step of
interface configuration.  If this is so (i.e. on Red Hat systems) I
would suggest adding the ipchains commands there rather than in
rc.local.  Here is an example of how to create the /sbin/ifup-local
script for use with interface ppp0.  Obviously you will need to change
this to suit your system.

0) log on as root
1) is the script already there?  if so go to step 4
2) touch /sbin/ifup-local
3) chmod 755 /sbin/ifup-local
4) cat >> /sbin/ifup-local
#!/bin/sh

# /sbin/ifup-local
# Called by /etc/sysconfig/network-scripts/ifup-post

IPCHAINS=/sbin/ipchains

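# Enable IP Masquerade on ppp0

# $1 is the interface name; it is quoted so the test does not fail
# with a syntax error when the script is called without an argument.
if [ "${1}" = ppp0 ]
then
    ${IPCHAINS} -F                          # flush existing rules
    ${IPCHAINS} -P forward DENY             # default: forward nothing
    ${IPCHAINS} -A forward -i ppp0 -j MASQ  # masquerade traffic leaving via ppp0
    echo 1 > /proc/sys/net/ipv4/ip_forward  # turn on kernel IP forwarding
fi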

exit
^D
5) edit the script as your needs dictate.

Good luck on your journey.

--Larry

root wrote:
> 
> I have read many different instructions on IPChains and Masquerading,
> and am still confused. Some talk about adding a line to the rc.local
> file, others don't. The rc.local file is a script, so where in there
> would I insert the line to run ipchains? Another talks about writing a
> ipchains script, but leaves out what folder to put it in and what name
> to call it. I have the how-to printed but shoot, that is so huge, isn't
> there an easy way, some simple instructions that don't leave out parts?
> I just have 4 pc's connected via a hub (peer to peer) and a isdn
> terminal adapter (not router) on one of the pc's. Also, if this works
> for the linux machines to access the net through the one, can win98
> machines also access the net through the linux box? And can each machine
> tell the TA to dial and disconnect? or does that have to be done on the
> one pc?
> Chip

-- 
Larry Fahnoe, Fahnoe Technology Consulting, [EMAIL PROTECTED]
612/925-0744     Minneapolis, Minnesota    [EMAIL PROTECTED]

------------------------------

From: Bill Steiner <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.admin,comp.os.linux.questions,comp.os.linux.setup
Subject: Re: HELP!!! I Need a solution - Up for a challenge?
Date: Sun, 18 Jul 1999 08:51:40 -0700

Wayne:

RHL6.0 Workstation Class installation does not include an  ftp server; Server
Class installation does, FYI. You can install the wu-ftpd package and get it
running, then you'll be able to contact your Linux box from your Windows box.
Check RH's errata. I vaguely recall a new version of wu-ftp is out. Or maybe it
was at Linuxberg (TuCows).

Good luck!

Wayne Larimore wrote:

> I recently installed RH Linux 6.0 on a 486-100mhz 1.2G PC.  That's all it
> has on it.  I installed it with RH's workstation class install.  I
> temporarily hooked up a CDrom from another PC I have on my home LAN network.
> After installation I took the CDrom off of the newly built Linux box and put
> it back into my Win95 box.  My logic was that I could use the Win95 CDrom
> unit to simply ftp the files to the Linux box.  My problem lies in the fact
> that I cannot get my Win95 to successfully ftp to my Linux PC.  What is the
> best way to gain access to my CDrom unit on the Win95 machine.  Remember, I
> don't have the ability to copy any files directly to the Linux box.
>
> Thanks for your help,
> Wayne Larimore
> [EMAIL PROTECTED]


------------------------------

From: [EMAIL PROTECTED] (Alex Butcher)
Crossposted-To: uk.comp.os.linux
Subject: Re: Odd output from ipchains -L
Date: Sun, 18 Jul 1999 16:13:22 GMT
Reply-To: [EMAIL PROTECTED]

On 17 Jul 1999 18:09:23 +0100, John Winters <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
>Alex Butcher <[EMAIL PROTECTED]> wrote:
>[snip]
>>If you don't mind making life easy on yourself, try using gfcc to set up
>>ipchains. It exports to a shell script in version 0.7.0 too...
>>
>><http://joayo.net/~tri/>
>
>That's the trouble with Open Source.  No sooner do I think, "Hey, I
>could knock up a little graphical utility to create these files."
>than I find some pest has already gone and done it.

I know, frustrating, innit? :)

Personally, I've 'resigned' myself to contributing small patches and articles
to newsgroups and the like until I come up with my 'killer package'...

>Ta muchly.
>
>John

No probs,
Alex.
-- 
Alex Butcher   Using Linux since '95 - because windows are too easy to break.
Berkshire, UK  URLBLAST:slashdot.org:www.freshmeat.net:www.dejanews.com:
PGP:0x33489FD3 lwn.net:www.tomshardware.com:www.stardiv.de:www.gimp.org:

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.os.linux.admin,comp.os.linux.questions,comp.os.linux.setup
Subject: Re: HELP!!! I Need a solution - Up for a challenge?
Date: Sun, 18 Jul 1999 16:10:23 GMT

In article <7mri39$ppj$[EMAIL PROTECTED]>,
  "Wayne Larimore" <[EMAIL PROTECTED]> wrote:
> I recently installed RH Linux 6.0 on a 486-100mhz 1.2G PC.  That's all it
> has on it.  I installed it with RH's workstation class install.  I
> temporarily hooked up a CDrom from another PC I have on my home LAN network.
> After installation I took the CDrom off of the newly built Linux box and put
> it back into my Win95 box.  My logic was that I could use the Win95 CDrom
> unit to simply ftp the files to the Linux box.  My problem lies in the fact
> that I cannot get my Win95 to successfully ftp to my Linux PC.  What is the
> best way to gain access to my CDrom unit on the Win95 machine.  Remember, I
> don't have the ability to copy any files directly to the Linux box.

first, enable networking on both machines
make sure you can successfully ping both machines from each other,
by name and address.

make sure you can telnet to linux from win95

you can do this?

enable the ftp you need in /etc/ftpaccess
restart the inetd/daemon

that should do the full trick


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.networking) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Networking Digest
******************************
