Linux-Networking Digest #121, Volume #12 Thu, 5 Aug 99 14:13:42 EDT
Contents:
Re: PPTP won't authenticate through ipmasq (Dave Kristol)
PPP from win over Linux to HPserver Routing (Bernd Broermann)
Re: Port Scan Problem (W.G. Unruh)
ppp compression question (Joe)
Re: POP3 ("Mike Redrobe")
Re: SoundBlaster Live! & Mandrake 6.0 ("Jonathan C. Masters")
!Intel EtherExpress PRO/10+ not supported?? ([EMAIL PROTECTED])
Designing an Interesting Linux Network (Mark Doyle)
Re: PPTP won't authenticate through ipmasq ("Raouf A. Manneh")
cable modem + linux, Boston, MA (Nicholas Strugnell)
Re: Networking with linux (David C.)
Netatalk allows non-standard file names? ("Eric Rector")
Re: ip masquerading ("Raouf A. Manneh")
cant ping into linux ([EMAIL PROTECTED])
Re: Port Scan Problem ("Charles Stack")
Re: 3c509 (Stephen Satchell)
MSIE and FTP ([EMAIL PROTECTED])
SoundBlaster Live! & Mandrake 6.0 ("Terrance")
Re: IP Masq and NetMeeting ([EMAIL PROTECTED])
Re: Telnet ("Cedric Blancher")
Designing an interesting Linux network (Mark Doyle)
Re: PPTP won't authenticate through ipmasq (Yousuf Khan)
----------------------------------------------------------------------------
From: Dave Kristol <[EMAIL PROTECTED]>
Subject: Re: PPTP won't authenticate through ipmasq
Date: Thu, 05 Aug 1999 11:30:39 -0400
"David L. Vessell" wrote:
>
> John Hardin wrote:
> > David L. Vessell wrote in message ...
> > >Once I put the NT box back inside the firewall, here's what I'm seeing. It
> > >seems to find the VPN server okay, and it attempts to authenticate, but it
> > >never does. I don't know why, and the eventual error (which is more like a
> > >timeout) just says a session couldn't be established.
> >
> >
> > I use the rasmon status indicator (in the systray) as a debugging tool. If
> > the little telephone lights up, the control channel has been established.
> > If the top light blinks, outbound GRE is being sent; if the bottom light
> > blinks, inbound GRE is being received. Do you see all of these things
> > happening? If the bottom light never blinks, the firewall rules are
> > probably blocking the GRE in one or both directions.
>
> Okay, I'll try that....you're right, I'm only transmitting, not receiving.
> The only firewall rules I have are the regular "bare minimum" directives
> that I see in the ipchains HOW-TO. I don't really have any intelligent
> firewall configuration other than what seemed necessary to enable ipmasq.
I'm having an identical problem, but I've got RH Linux 5.2 (2.0.36
kernel). Here's my setup:
laptop <-> Linux firewall/NAT <-> cable modem <-> Bell Labs PPTP server
Linux:
RH 5.2, 2.0.36-3
your GRE masquerade patches installed
IP firewall, IP masquerading enabled, etc...
PPTP:
v 1.0.2 (setup works without the Linux firewall)
What's working: basic system, IP masquerading, firewalling. I can put
my laptop behind the Linux firewall/NAT and do stuff, connecting to the
local network. (For testing purposes, I'm actually inside the Bell Labs
firewall, connected to my local network, with my firewall....) I
configured the firewall according to Robert Ziegler's example script in
Linux LAN & Internet Firewall Security FAQ.
This configuration does not allow PPTP to work. I've discovered that if
I configure my default firewall policy for input to the "outside"
interface to be "accept" ("ipfwadm -I -p accept" instead of "ipfwadm -I
-p deny"), then PPTP works from within my firewall. However, filtering
the incoming packets would obviously be preferable.
So the real question is, what incantation is necessary in the firewall
setup to make this work. (I fear the answer is, "can't be done without
as-yet written patches".)
Dave Kristol
------------------------------
Date: Thu, 05 Aug 1999 18:44:43 +0200
From: Bernd Broermann <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: PPP from win over Linux to HPserver Routing
Hi
When I connect with a Win9x PPP client over a Linux PPP dial-in to a
Samba server on an HP9000, the HP server changes its routing table after
the line has been used.
The Win PPP client uses the same broadcast domain as the connected
network.
How can I avoid the route change?
Thanks Bernd
--
Broermann Technologie Beratung
http://www.opensource.de
<< Open-Source for your business >>
hp9000# netstat -nr
Routing tables
Destination   Gateway        Flags  Refs  Use      Interface  Pmtu  PmtuTime
127.0.0.1     127.0.0.1      UH     0     1125     lo0        4608
192.168.1.2   192.168.1.200  UGH    0     32       lan0       1500   # <- this
192.168.1.10  127.0.0.1      UH     2     15538    lo0        4608
default       192.168.1.200  UG     1     489      lan0       1500
192.168.1     192.168.1.10   U      8     5111883  lan0       1500
192.168.1.2   192.168.1.2    UGHM   0     32       lan0       1500   # <- becomes this after using the ppp line
------------------------------
From: [EMAIL PROTECTED] (W.G. Unruh)
Subject: Re: Port Scan Problem
Date: 5 Aug 99 16:37:27 GMT
"Charles Stack" <[EMAIL PROTECTED]> writes:
>I'm trying to figure out why, if in my hosts.deny, I have the ALL:ALL entry and
>in my hosts.allow, have nothing, that a port scan indicates that SMTP, POP3,
>Finger, and a few other services are accessible (you can actually log into
>my POP3 and SMTP servers!). The only clue I've been able to deduce is that
>these are, for the most part, services listed in inetd.conf. Can anyone
>shed some light as to how I can block these services (without actually
>removing them from my machine). I'm running RH 6.
They have to be run by tcpd
Thus you need a line like
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
Not
pop-3 stream tcp nowait root /usr/sbin/ipop3 ipop3d
------------------------------
From: Joe <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup
Subject: ppp compression question
Date: Thu, 05 Aug 1999 16:06:06 GMT
Hello,
I've been having a problem configuring ppp compression with my ISP. I have
'deflate 11,0' and 'bsdcomp 11,0' in my /etc/ppp/options file. Problem is,
sometimes this works (my ISP accepts it), sometimes it does not (a lot of
ConfReq/ConfRej followed by 'CCP: timeout sending Config-Requests' in my
logfile). Do I need to use 'noccp' in /etc/ppp/options, and does this
automatically disable all compression? Or will the compression still work
(I know, a potentially stupid question, but I'm not sure). I've tried
using both deflate and bsdcomp on their own, as well as different values
for the compression; the inconsistencies remain.
I have pppd 2.3.7 and kernel 2.2.10.
Many thanks.
================== Posted via SearchLinux ==================
http://www.searchlinux.com
------------------------------
From: "Mike Redrobe" <[EMAIL PROTECTED]>
Subject: Re: POP3
Date: 05 Aug 99 17:04:16 +0000
Chris Mahmood wrote in article <[EMAIL PROTECTED]>:
>Anthony Valentine <[EMAIL PROTECTED]> writes:
>> If you haven't already, uncomment the pop3 (and pop2 if you use pop2)
>> line(s) in the /etc/inetd.conf. Then refresh inetd with:
>>
>> killall -HUP inetd
>>
>> then try to telnet to port 110, and you should get something like:
>> +OK POP3 mis3.sbs.com v7.59 server ready
>you may also want to use /etc/hosts.allow and /etc/hosts.deny to
>restrict who can use POP, etc. as it's notoriously insecure.
>-ckm
Can you set up POP3 to be read-only?
i.e. ignore the DELE command
I'm currently using the POP3 daemon that came with IMAP4 on RH5.2
--
Mike
------------------------------
From: "Jonathan C. Masters" <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux,comp.os.linux.hardware,linux.redhat.install
Subject: Re: SoundBlaster Live! & Mandrake 6.0
Date: Thu, 05 Aug 1999 18:01:02 +0100
The drivers are only designed to allow you to play CDs etc. Creative
clearly state that (they should also state how crap they are as well;
if they're going to write Linux drivers, they might as well go the whole
hog instead of the half measures that they've done).
Question answered!
Terrance wrote:
> I downloaded and installed the latest Live! drivers. I've tried the
> latest SBLive!/E-mu APS and SBLive! Linux drivers. In each case, I
> can only play audio CDs. No .wav or .mid files. The drivers bomb
> when attempting to play these files. Has anyone had success with
> these drivers? If so, how?
--
Jonathan C. Masters ([EMAIL PROTECTED])
PGP: www.brookes.ac.uk/~95227860/KEY
"Upon this rock I will build my church,
and the gates of hell shall not prevail against it".
-- Matthew 16, 17-18
------------------------------
From: [EMAIL PROTECTED]
Subject: !Intel EtherExpress PRO/10+ not supported??
Reply-To: [EMAIL PROTECTED]
Date: Thu, 05 Aug 1999 17:03:22 GMT
I have a machine with an Intel EtherExpress PRO/10+ (ISA)
== Machine freezes up when I try to configure the adapter.
== RedHat tells me it's not supported under Linux
I have another machine with an IBM PCI Ethernet Adapter
== it has a PCnet - PCI II chip (AM79c970AKC) cntrlr chip
== Machine freezes up when I try to configure
== RedHat tells me it's not supported under Linux
HELP!!
Is there a way to make these work? If so . . . HOW??
Ralph
------------------------------
From: [EMAIL PROTECTED] (Mark Doyle)
Subject: Designing an Interesting Linux Network
Date: Thu, 05 Aug 1999 14:56:52 GMT
I am exploring migration options for a medium sized Banyan Vines
network (don't ask). If anyone would like to share ideas,
experiences, or just point me in worthwhile directions, I would
appreciate it. Linux looks pretty solid as a LAN server, but my
headache is the enterprise side. e.g. add a user on LAN-A, the user
needs to be able to login at any LAN and have access to resources
based on group memberships; all transparent and without extra effort
by the admins.
For discussion purposes figure:
- 3,500 users spread among 15 locations ranging from 15 to 900 users.
- users are all low-load file and print users, no graphics,
multimedia, or large DB.
- users have Win98 on the desktop.
- fully switched LAN, 10mb users / 100mb backbone
- partially meshed WAN all T-1s.
- Servers are dual PII-333 with 512mb ram; 36gb RAID5 with multiple
100mb NICs, 40 servers to play with.
- Internet access, routing, e-mail gateway, web proxy, firewall are
all handled upstream and are secure.
- Day-to-day admins have limited NOS expertise but are fast / eager
learners.
Given that to start with....
- What DS options are out there for networks built around Linux?
- What hybrid options might be worthwhile (e.g. Linux/Samba for file
print; NT for directory/authentication)?
- Once the network is built, how much training for people who do the
admin?
- Are there any white papers or case studies that are worth reading?
Thanks in advance for any replies,
-Mark
------------------------------
From: "Raouf A. Manneh" <[EMAIL PROTECTED]>
Subject: Re: PPTP won't authenticate through ipmasq
Date: Thu, 5 Aug 1999 12:14:53 -0400
Hi everyone,
I have just joined the discussion. I am sorry to interfere, but I am trying
to establish a PPTP connection between two PCs (Windows). The problems I have
are:
- Both PCs are behind Linux firewalls
- My connection to the Internet is ADSL. The Linux server handles masquerading.
If anyone has a detailed procedure, I'll appreciate it.
Thanks.
------------------------------
From: Nicholas Strugnell <[EMAIL PROTECTED]>
Subject: cable modem + linux, Boston, MA
Date: Thu, 5 Aug 1999 12:22:54 -0400
Reply-To: [EMAIL PROTECTED]
Hi,
Does anyone know of any cable modem ISPs in Boston, MA that are
linux-friendly? For that matter, does anyone know the names of the cable
companies in Boston - I don't know anyone with cable and have had trouble
finding out. I tried RCN who are linux-friendly but they don't run to my
area (Fenway/St. Mary's for those who are local).
Cheers,
Nick
Dept. of Geography | Phone (Office): +1 (617) 353-8031
Boston University | Phone (Home): +1 (617) 247-6292
675 Commonwealth Avenue | Fax: +1 (617) 353-8399
Boston, MA 02215-1401, USA | WWW: http://crsa.bu.edu/~nstrug/
------------------------------
From: [EMAIL PROTECTED] (David C.)
Crossposted-To: comp.os.linux.hardware,redhat.networking.general
Subject: Re: Networking with linux
Date: 05 Aug 1999 12:12:41 -0400
Dave Cotterill <[EMAIL PROTECTED]> writes:
>
> I'm currently managing a small 10mbps bus network and have recently
> been given the task of upgrading a section of it to 100mbps star
> network. All machines must still be able to communicate with each
> other and I am therefore looking for help on the subject. The best
> method I could come up with due to lack of hubs allowing a 10mbps BNC
> bus network to be connected to them is to use a linux machine with a
> 100mbps and a 10mbps card to forward all networking data to/from.
> While installing a 100mbps hub for the upgraded machines.
>
> a) would this work?
> a2) if so how would I setup the linux box?
> b) Any better ideas or experiences would be greatly appreciated.
What you propose should work.
As for the Linux box, don't worry about it. If each box is compatible
with the Ethernet card(s) installed within, Linux won't care about the
wiring outside the box.
Here are some things to keep in mind. In no particular order.
Many 10M Ethernet cards have a 15-pin "AUI" connector in addition to
their BNC or RJ45 jacks. If you have one of these, you can get a
transceiver to attach your favorite flavor of 10M Ethernet to the card
(10Base2, 10Base5 or 10BaseT).
You can also get in-line transceivers to convert between 10Base2, 10Base5
and 10BaseT.
Most inexpensive hubs are repeaters. They have no intelligence. They
blindly forward packets to all ports. Logically, there is no difference
between using one and actual shared media (like 10Base2 and 10Base5).
When repeater-hubs are used, all ports must run at the same speed
(usually 10M, although there are 100M repeater-hubs as well.)
Since most 100M Ethernet cards are actually dual-speed 10/100 cards,
they will auto-detect when they are plugged into a 10M or a 100M hub and
will set themselves to whatever speed is appropriate.
Repeater-hubs with 10M BNC connectors can be purchased. They work fine.
The hub will act as a repeater for that segment of network, feeding all
the 10Base2 traffic into the 10BaseT ports and vice versa.
Repeater-hubs with 10M AUI connectors can also be purchased. You'll
need a transceiver to attach your favorite media to this port.
100M repeater-hubs do not ever have BNC or AUI connectors. Those kinds
of connections only work at 10M speeds.
If you want to mix and match 10M and 100M computers and don't want the
100M computers to run at 10M speeds, you will need to use a switch (also
known as a bridge or a switch-hub). A switch actually has some amount
of processing capability within it. It will snoop the Ethernet frames
to figure out what computer(s) are behind each port. It will examine
the destination address of each frame and only send traffic to the
computer it is destined to, not sending it to other ports. In addition
to greatly reducing useless traffic from the network, they can link 10M
and 100M computers without either one slowing down.
If a full switch is too expensive, you can also get repeater/switch
hybrids, sometimes known as 10/100 dual-speed hubs. These are actually
two repeater-hubs, with a single 2-port switch between them. The hub
will identify which computers are 10M and which are 100M and will
connect each one to the appropriate internal repeater. The 2-port
switch will allow traffic to cross from the 10M side to the 100M side
and vice versa. This will let both your 10M and 100M computers talk at
full speed, although overall throughput won't be as good as what a full
switch will give you.
-- David
------------------------------
From: "Eric Rector" <[EMAIL PROTECTED]>
Subject: Netatalk allows non-standard file names?
Date: Thu, 5 Aug 1999 12:49:44 -0400
I'm running Netatalk on a Red Hat 6.0 distribution of Linux to allow the
Macs on our network to share files with the rest of the LAN.
Everything works well, but I've noticed that Linux can't handle the Mac file
names (with spaces, and all kinds of punctuation) from the BASH shell. Is
there another shell that can deal with these file names? Or is there a
utility for renaming all the file names on the Linux server to Linux
allowable characters?
Thanks in advance,
Eric Rector
[EMAIL PROTECTED]
(delete "NOSPAM")
Harborside Graphics Sportswear
------------------------------
From: "Raouf A. Manneh" <[EMAIL PROTECTED]>
Subject: Re: ip masquerading
Date: Thu, 5 Aug 1999 12:21:22 -0400
Try the diald software on http://www.linux.org/apps/networking.html
Tell us if it works.
root <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I've built a Suse 6.1 Linux machine with ip masquerading, everything
> works fine but I want the machine to make an internet connection
> automatically when one of the clients requests it (e.g. they want to start
> browsing the internet). After a timeout of e.g. 5 minutes I want the
> connection to close,
>
> any suggestions how to do this,
> Martijn
------------------------------
From: [EMAIL PROTECTED]
Subject: cant ping into linux
Date: Thu, 05 Aug 1999 16:08:34 GMT
I have a Caldera 2.2 Linux server configured as a web server. We are
using a CNet ethernet card which we had to compile a new module for. We
have input the settings for the configuration in the rc.modules file,
with an 'ifconfig down' command followed by the 'ifconfig eth0
192.168.63.138 netmask 255.255.255.128 broadcast 192.168.63.255 up'
command and lastly a 'route add -net 192.168.63.128' command. There is
nothing referenced in the /etc/sysconfig/network-scripts file. I can
ping out, but I can not ping in.
When I run ifconfig it shows the proper configuration and my route as
shown by route is correct.
The network is a Novell network, with a subnet for email where there is
an NT server, and some routers to another network.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Charles Stack" <[EMAIL PROTECTED]>
Subject: Re: Port Scan Problem
Date: Thu, 5 Aug 1999 13:16:04 -0400
> They have to be run by tcpd
> Thus you need a line like
> pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
> Not
> pop-3 stream tcp nowait root /usr/sbin/ipop3 ipop3d
My line reads:
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
So, why can't I block this? Is there something else that needs to be done?
Charles
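To make the tcpd point in this thread concrete, here is an added example (my own, not code from either poster): a small Python checker that parses a constructed inetd.conf to flag services started directly instead of through /usr/sbin/tcpd, and replays the tcp_wrappers decision (hosts.allow first match grants, then hosts.deny first match refuses, otherwise grant) for a given service and client. The sample files are constructed, and the matcher handles only ALL, exact addresses and trailing-dot network prefixes, not the full hosts_access(5) syntax.

```python
# Audit which inetd services are actually protected by tcp_wrappers and
# replay the access decision. Sample files below are constructed.
TCPD = "/usr/sbin/tcpd"

SAMPLE_INETD_CONF = """\
# service socket proto wait/nowait user server_path args
ftp     stream tcp nowait root   /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd        in.telnetd
pop-3   stream tcp nowait root   /usr/sbin/ipop3d      ipop3d
finger  stream tcp nowait nobody /usr/sbin/in.fingerd  in.fingerd
#shell  stream tcp nowait root   /usr/sbin/tcpd        in.rshd
"""
SAMPLE_HOSTS_ALLOW = "in.telnetd : 192.168.1.   # local LAN only\n"
SAMPLE_HOSTS_DENY = "ALL : ALL\n"


def parse_inetd_conf(text):
    """Return (service, server_path, args) for every active inetd.conf line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append((fields[0], fields[5], fields[6:]))
    return entries


def unwrapped_services(text):
    """Services whose server field is not tcpd. hosts.allow/hosts.deny are read
    only by tcpd (or daemons linked with libwrap), so these lines bypass ALL:ALL.
    Standalone daemons such as sendmail are not in inetd.conf at all and are
    likewise unaffected by hosts.deny unless built with libwrap."""
    return [svc for svc, path, _ in parse_inetd_conf(text) if path != TCPD]


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # network prefix such as 192.168.1.
        return client_ip.startswith(pattern)
    return pattern == client_ip


def _parse_access_file(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def _any_rule_matches(rules, daemon, client_ip):
    for daemons, clients in rules:
        if (("ALL" in daemons or daemon in daemons)
                and any(_client_matches(c, client_ip) for c in clients)):
            return True
    return False


def tcpd_decision(inetd_text, allow_text, deny_text, service, client_ip):
    """Replay tcp_wrappers: hosts.allow first match grants, then hosts.deny
    first match refuses, otherwise access is granted. tcpd matches on the
    basename of the real server, i.e. the first argument in inetd.conf."""
    for svc, path, args in parse_inetd_conf(inetd_text):
        if svc != service:
            continue
        if path != TCPD:
            return "not-wrapped"      # reaches the daemon with no check at all
        daemon = args[0].rsplit("/", 1)[-1] if args else svc
        if _any_rule_matches(_parse_access_file(allow_text), daemon, client_ip):
            return "allow"
        if _any_rule_matches(_parse_access_file(deny_text), daemon, client_ip):
            return "deny"
        return "allow"
    return "not-in-inetd"
```

Run `unwrapped_services(SAMPLE_INETD_CONF)` to list the lines that need changing to `/usr/sbin/tcpd`, and `tcpd_decision(...)` to see what a given client would get for each service.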
------------------------------
Subject: Re: 3c509
From: [EMAIL PROTECTED] (Stephen Satchell)
Date: Tue, 03 Aug 1999 17:38:59 GMT
20 seconds? The problem is with DHCP, not with the card itself. Sounds
like your ISP's DHCP server and your system don't like each other.
Determine which DHCP client you are using. Then start fiddling with
options until the DHCP server gives you an IP address.
What did it for me (after getting the latest version of pump for my Red
Hat 6.0 system) was to send the host name to the DHCP server -- it was
wanting to see that.
[EMAIL PROTECTED] (Matt Menze) wrote in <[EMAIL PROTECTED]>:
>I am having trouble getting my 3c509B ethernet card to be recognized by
>Linux. Kernel version is 2.2.5. On bootup, it attempts to initialize
>eth0, but after about 20 seconds it says "Operation Failed." When I
>type ifconfig, all that is found is the loopback. I am loading the
>driver as a module right now. Do I need to compile support for this
>driver in the kernel?
>
>
------------------------------
From: [EMAIL PROTECTED]
Subject: MSIE and FTP
Date: Thu, 05 Aug 1999 15:01:19 GMT
Hi,
Found a serious problem with MSIE and any Unix
boxes tested so far. When a valid user and
password from a site uses ftp:// to get a
directory listing of files.
Example:
ftp://username:[EMAIL PROTECTED]
So far tested, MSIE 4.x defaults to root no
matter what your home directory is or permissions
are. MSIE 5.x seemed to get the home dir correct,
but did not pay attention to permissions and does
allow root directory as default.
However, Netscape for Linux and Windows, passed
with flying colors. It did not allow root
directory access if permissions did not allow,
and placed you in the correct home directory.
Some may say - so what...
Well, on some old systems that don't support
password shadowing, MSIE can become a security
breach because it allows any valid user to gain
access to the etc directory, and to the passwd
file which contains all your accounts and
password hashes.
So, current users on the system can do that now.
True. But what about remote users? Customers
you allow to FTP to your site, can now get to
your /etc/passwd file via MSIE.
Does anyone know how to stop this or control it?
It appeared when we wanted to allow customers to
view files via a browser. I had strict
permissions set on the ftp directory which was
working out properly for FTP clients. No one
could traverse or see other accounts. Then the
browser was introduced, and showed everything
including things we didn't want to be exposed.
What we are trying to set up is to have a strict
ftp site, where no one can traverse directories,
and no one can see any other folders than theirs,
restricted to their home. Is this possible?
Thanks in Advance
Rich
------------------------------
From: "Terrance" <[EMAIL PROTECTED]>
Crossposted-To: alt.os.linux,comp.os.linux.hardware,linux.redhat.install
Subject: SoundBlaster Live! & Mandrake 6.0
Date: Thu, 5 Aug 1999 11:51:03 -0500
I downloaded and installed the latest Live! drivers. I've tried the
latest SBLive!/E-mu APS and SBLive! Linux drivers. In each case, I
can only play audio CDs. No .wav or .mid files. The drivers bomb
when attempting to play these files. Has anyone had success with
these drivers? If so, how?
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: IP Masq and NetMeeting
Date: Thu, 05 Aug 1999 15:14:51 GMT
In article <H0an3.979$[EMAIL PROTECTED]>,
"Moses Kamai" <[EMAIL PROTECTED]> wrote:
> Yep. There are two groups of TCP/UDP settings you must have and there's no
> guarantee it will work with your linux version/distribution. I have
> Slackware 4.0 (2.2.6) and had Slackware 3.6 (2.0.35) and neither worked.
>
> You have to port forward TCP 389, 582, 1503, 1720, and 1731. Then you have
> open UDP ports 1024-65535 (all of them above, and including 1024) for
> dynamic port allocation. The problem lies in how Netmeeting embeds your
> workstation IP address that runs Netmeeting and it doesn't get changed when
> the whole packet gets forwarded. Guess what? The other end can't find you.
>
> I'm working with Equivalence to try to get their Phonepatch software to work
> with my NM 3.01 on my NT and Win95 workstations from my LAN through linux
> connected to the internet.
>
> Still waiting on them to respond to the latest series of tests.
>
> MikeH <[EMAIL PROTECTED]> wrote in message
> news:ig9n3.19879$[EMAIL PROTECTED]...
> > Hi,
> > Does anyone know any reasons why Netmeeting might
> > not work through IP Masq?
> > People receive my audio and video fine, but I can't receive theirs.
> >
> > Thanks in advance,
> > Mike H.
> >
> >
>
Hi Moses,
did you manage to get phonepatch to work with NetMeeting 3.0.1?? I have
done quite a lot of testing and I cannot receive video.. My result is
like this:
1. Call using Directory My other end can receive voice and video..
BUT I cannot receive video and audio from the other end
2. Call using IP address I can send and receive audio but no video can
be sent and receive!!
I have contacted Phonepatch techsupport but they have no idea also..
They do not reply at all for a week already!! what a company!!
So are there any phonepatch users out there that have solved this
problem.. is there any tweak that has to be done on my Linux masq firewall??
Thanks
Ken
------------------------------
From: "Cedric Blancher" <[EMAIL PROTECTED]>
Subject: Re: Telnet
Date: Thu, 5 Aug 1999 17:07:40 +0200
> I can ftp to the localhost as root, but can't telnet as root to the
> localbox.
FTPing to a box as root is a bad idea... To prevent that, add a line "root" to
your /etc/ftpusers file, which lists all users who can't ftp to your box.
> Other accounts (non-su) can telnet and ftp without problems, but the root
> telnet is a pain.
In your /etc/securetty are listed the consoles you consider secure enough to
let someone connect as root on them. Usually, there are only local
consoles, and that's a good idea.
If someone is sniffing the network, he will be able to catch
login/password pairs from ftp and telnet connections. That's why you
should not allow them. Instead, you can su from your account to the root
account in a telnet session, as password sniffers only catch passwords on
connection.
--
Cédric Blancher
Communication Management Consulting
Dpt Informatique
James Lilburne <[EMAIL PROTECTED]> wrote in message:
Uahq3.5273$[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Mark Doyle)
Subject: Designing an interesting Linux network
Date: Thu, 05 Aug 1999 15:04:52 GMT
I am exploring migration options for a medium sized Banyan Vines
network (don't ask). If anyone would like to share ideas,
experiences, or just point me in worthwhile directions, I would
appreciate it. Linux looks pretty solid as a LAN server but my
headache is the enterprise side. e.g. add a user on LAN-A, the user
needs to be able to login at any LAN and have access to resources
based on group memberships; all transparent and without extra effort
by the admins.
For discussion purposes figure:
- 3,500 users spread among 15 locations ranging from 15 to 900 users.
- users are all low-load file and print users, no graphics,
multimedia, or large DB.
- users have Win98 on the desktop.
- fully switched LAN, 10mb users / 100mb backbone
- partially meshed WAN all T-1s.
- Servers are dual PII-333 with 512mb ram; 36gb RAID5 with multiple
100mb NICs, 40 servers to play with.
- Internet access, routing, e-mail gateway, web proxy, firewall are
all handled upstream and are secure.
- Day-to-day admins have limited NOS expertise but are fast / eager
learners.
Given that to start with....
- What DS options are out there for networks built around Linux?
- What hybrid options might be worthwhile (e.g. Linux/Samba for file
print; NT for directory/authentication)?
- Once the network is built, how much training for people who do the
admin?
- Are there any white papers or case studies that are worth reading?
Thanks in advance for any replies,
-Mark
doyle7.ihatespam.mindspring.com
(to e-mail me take out the ihatespam)
------------------------------
From: Yousuf Khan <[EMAIL PROTECTED]>
Subject: Re: PPTP won't authenticate through ipmasq
Date: Thu, 05 Aug 1999 17:01:57 GMT
In article <[EMAIL PROTECTED]>,
Dave Kristol <[EMAIL PROTECTED]> wrote:
> I'm having an identical problem, but I've got RH Linux 5.2 (2.0.36
> kernel). Here's my setup:
>
> laptop <-> Linux firewall/NAT <-> cable modem <-> Bell Labs PPTP server
>
> Linux:
> RH 5.2, 2.0.36-3
> your GRE masquerade patches installed
> IP firewall, IP masquerading enabled, etc...
>
> PPTP:
> v 1.0.2 (setup works without the Linux firewall)
>
> What's working: basic system, IP masquerading, firewalling. I can put
> my laptop behind the Linux firewall/NAT and do stuff, connecting to the
> local network. (For testing purposes, I'm actually inside the Bell Labs
> firewall, connected to my local network, with my firewall....) I
> configured the firewall according to Robert Ziegler's example script in
> Linux LAN & Internet Firewall Security FAQ.
>
> This configuration does not allow PPTP to work. I've discovered that if
> I configure my default firewall policy for input to the "outside"
> interface to be "accept" ("ipfwadm -I -p accept" instead of "ipfwadm -I
> -p deny"), then PPTP works from within my firewall. However, filtering
> the incoming packets would obviously be preferable.
>
> So the real question is, what incantation is necessary in the firewall
> setup to make this work. (I fear the answer is, "can't be done without
> as-yet written patches".)
Have you tried adding only the IP address(es) of the outbound PPTP
server(s) to your acceptance list? Something like "ipfwadm -I -p deny"
followed by "ipfwadm -F -a ...{localnet}...", followed by "ipfwadm -F -a
...{outside PPTP network}...".
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************