Linux-Networking Digest #284, Volume #12 Thu, 19 Aug 99 04:13:47 EDT
Contents:
IPCHAINS forwarding and/or 2nd nic slowing down Internet access (Ricky Ng-Adam)
APACHE ("Paulus")
Appletalk (netatalk) Security Loophole (Sharbat Oop)
pop/smtp from a win95 workstation thru eth0 (el bobo)
Linux <-= ???? =-> Win98 (sensei)
Compiling kernel ("Ji-Haw, Foo")
Re: C++ templates: More than Turing Complete? (Stephan Houben)
----------------------------------------------------------------------------
From: Ricky Ng-Adam <[EMAIL PROTECTED]>
Subject: IPCHAINS forwarding and/or 2nd nic slowing down Internet access
Date: Thu, 19 Aug 1999 10:39:40 -0400
-My system-
*Dual* 366Mhz celeron on an Abit BP6 motherboard.
128 Megs RAM
Two NICs:
eth1 -> ISA 3c509b (IRQ3 - PnP is disabled)
eth0 -> one PCI Ne2k (IRQ10)
Linux pc77 2.2.10 #3 SMP Mon Aug 9 21:33:53 EDT 1999 i686 unknown
Eth1 is connected to 192.168.1.2 (host on local network) and eth0 to the Internet.
-The problem-
At boot, eth1 fails... So I load the driver manually (insmod 3c509) and enable
ip_masquerading (thru the script appended at the end of this article).
First, pinging www.yahoo.com... Everything is OK until I load a web page from
192.168.1.2. Then, the ping time goes higher (and the network is much slower!)...
64 bytes from 204.71.200.67: icmp_seq=63 ttl=239 time=83.3 ms
64 bytes from 204.71.200.67: icmp_seq=64 ttl=239 time=86.7 ms
64 bytes from 204.71.200.67: icmp_seq=65 ttl=239 time=84.4 ms
64 bytes from 204.71.200.67: icmp_seq=66 ttl=239 time=79.3 ms
64 bytes from 204.71.200.67: icmp_seq=67 ttl=239 time=192.0 ms
-> loading page here from masque'd host <-
64 bytes from 204.71.200.67: icmp_seq=68 ttl=239 time=1080.1 ms
Unloading the driver for the 3c509 and restarting the network does the trick of
getting my system back into place.
[root@pc77 rngadam]# /etc/rc.d/init.d/network stop
Shutting down interface eth0 [ OK ]
Shutting down interface eth1 [ OK ]
Disabling IPv4 packet forwarding [ OK ]
[root@pc77 rngadam]# modprobe -r 3c509
[root@pc77 rngadam]# /etc/rc.d/init.d/network start
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=240 time=80.4 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=240 time=87.0 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=240 time=77.4 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=240 time=76.5 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=240 time=83.9 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=240 time=92.2 ms
-The 50000$ question-
WHY?
Thanks,
Ricky
PS: Here's my script adapted from http://www.nerdherd.net/ipchains/
===================================================================
#!/bin/sh
#TEMPORARILY DISABLE FORWARDING
echo 0 > /proc/sys/net/ipv4/ip_forward
#
# IPCHAINS-FIREWALL V1.6-MASQUERADE
#
# ----------------------------------------- Ipchains Firewall and MASQ Script -
#
# Original script by Ian Hall-Beyer ([EMAIL PROTECTED])
#
# Contributors:
# terminus ([EMAIL PROTECTED]) (ICQ & DHCP, @home testing)
# ---------------------------------------------------------------- Interfaces -
# Local Interface
# This is the interface that is your link to the world
LOCALIF="eth0"
# Internal Interface
# This is the interface for your local network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0
INTERNALNET="192.168.1.0/24"
# ------------------------------------------------------- Variable definition -
#
# Set the location of ipchains.
IPCHAINS="/sbin/ipchains"
# You shouldn't need to change anything in the rest of this section
LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"
echo "Internal: $INTERNALNET"
echo "External: $LOCALNET"
REMOTENET="0/0"
# -------------------------------------- Flush everything, start from scratch -
echo -n "Flushing rulesets.."
# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."
# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."
# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."
echo "Done!"
# ---------------------------------- Allow all connections within the network -
echo -n "Internal.."
$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."
echo "Done!"
# -------------------------------------------------- Allow loopback interface -
echo -n "Loopback.."
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."
echo "Done!"
# -------------------------------------------------------------- Masquerading -
echo -n "Masquerading.."
# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."
# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "."
# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."
# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY
echo -n "."
# --------------------- Allow all connections from the network to the outside -
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."
echo "Done!"
# ----------------------------------Set telnet, www and FTP for minimum delay -
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "TOS flags.."
$IPCHAINS -A output -p tcp -d 0/0 www -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 telnet -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 ftp -t 0x01 0x10
echo -n "..."
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 ftp-data -t 0x01 0x08
echo -n "."
echo "Done!"
# ---------------------------------------------------------- Trusted Networks -
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.
# echo -n "Trusted Networks.."
# $IPCHAINS -A input -s [trusted host/net] -d $LOCALNET <ports> -j ACCEPT
# echo -n "."
# echo "Done!"
# ----------------------------------------------------------- Banned Networks -
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause you problems. These packets are logged.
# echo -n "Banned Networks.."
# This one is generic
# $IPCHAINS -A input -l -s [banned host/net] -d $LOCALNET <ports> -j DENY
# echo -n "."
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $LOCALIF -p icmp -s [host/net] -d $LOCALNET -j DENY
# echo -n "."
# echo "Done!"
# ------------------------------------------------------ @home-specific rules -
# This @home stuff is pretty specific to me (terminus). I get massive port
# scans from my neighbors and from pokey admins at @home, so I just got harsh
# and blocked all their stuff, with a few exceptions, listed below.
#
# If someone out there finds out the ip ranges of JUST tci@home, let me know
# so i don't end up blocking ALL cablemodems like it's doing now.
echo -n "Cable Modem Nets.."
# so we can check mail, use the proxy server, hit @home's webpage.
# you will want to set these to your local servers, and uncomment them
# $IPCHAINS -A input -p tcp -s ha1.rdc1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s mail.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s www.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s proxy.tcma1.wa.home.com -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "...."
# so we can resolve the above hostnames, allow dns queries back to us
# $IPCHAINS -A input -p tcp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p tcp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns1.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# $IPCHAINS -A input -p udp -s ns2.home.net -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n ".."
# linux ipchains building script page (I think)
# $IPCHAINS -A input -p tcp -s 24.128.61.117 -d $LOCALNET 1023:65535 -j ACCEPT
# echo -n "."
# Non-@home users may want to leave this uncommented, just to block all
# the wannabe crackers. Add any @home hosts you want to allow BEFORE this line.
# Blast all other @home connections into infinity and log them.
$IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
echo -n "."
echo "Done!"
# ---------------------------- Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.
echo -n "Port Blocks.."
# NetBEUI/Samba
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 139 -j DENY
echo -n "."
# Microsoft SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1433 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1433 -j DENY
echo -n "."
# Postgres SQL
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5432 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5432 -j DENY
echo -n "."
# Network File System
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 2049 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 2049 -j DENY
echo -n "."
# X Displays :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 5999:6003 -j DENY
echo -n "."
# X Font Server :0-:2-
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 7100 -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 7100 -j DENY
echo -n "."
# Back Orifice (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 31337 -j DENY
echo -n "."
# NetBus (logged)
$IPCHAINS -A input -l -p tcp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $REMOTENET -d $LOCALNET 12345:12346 -j DENY
echo -n "."
echo "Done!"
# --------------------------------------------------- High Unprivileged ports -
# These are opened up to allow sockets created by connections allowed by
# ipchains
echo -n "High Ports.."
# NOTE: these two rules accept *new* connections to any port above 1023 from
# anywhere, not just replies, so every service listening on a high port on the
# firewall itself is reachable from outside unless a DENY above catches it.
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
echo -n "."
echo "Done!"
# ------------------------------------------------------------ Basic Services -
echo -n "Services.."
# ftp-data (20) and ftp (21)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 20 -j ACCEPT
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 21 -j ACCEPT
# echo -n ".."
# ssh (22)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 22 -j ACCEPT
# echo -n "."
# telnet (23)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 23 -j ACCEPT
# echo -n "."
# smtp (25)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 25 -j ACCEPT
# echo -n "."
# DNS (53)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
echo -n ".."
# DHCP on LAN side (to make @Home DHCP work) (67/68)
# (INTERNALIF is not set anywhere in this script; define it as your LAN
# interface before enabling these two rules)
# $IPCHAINS -A input -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 67 -j ACCEPT
# $IPCHAINS -A output -i $INTERNALIF -p udp -s $REMOTENET -d 255.255.255.255/24 68 -j ACCEPT
# echo -n ".."
# http (80)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 80 -j ACCEPT
# echo -n "."
# POP-3 (110)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 110 -j ACCEPT
# echo -n "."
# identd (113)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 113 -j ACCEPT
# echo -n "."
# nntp (119)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 119 -j ACCEPT
# echo -n "."
# https (443)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 443 -j ACCEPT
# echo -n "."
# ICQ Services (it's a server service) (4000)
# $IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 4000 -j ACCEPT
# echo -n "."
echo "Done!"
# ---------------------------------------------------------------------- ICMP -
echo -n "ICMP Rules.."
# Use this to deny ICMP attacks from specific addresses
# (EXTERNALIF is not set in this script; the external interface is $LOCALIF)
# $IPCHAINS -A input -b -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DENY
# echo -n "."
# Allow incoming ICMP
$IPCHAINS -A input -p icmp -s $REMOTENET -d $LOCALNET -j ACCEPT
echo -n "."
# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $LOCALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."
echo "Done!"
# -------------------------------------------------------- set default policy -
$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT
echo ""
echo "Finished Establishing Firewall."
#ENABLE FORWARDING AGAIN...
echo 1 > /proc/sys/net/ipv4/ip_forward
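As an added example (not code from Ricky's post or from the script's authors), the following Python walks the script's active input-chain rules first-match, the way ipchains does, to show what an outside host can reach: the "High Ports" rule accepts any TCP/UDP destination port from 1023 up, so only the handful of explicitly blocked ports stay closed. The variable values, the outside source address and the rule excerpt are constructed assumptions.

```python
import ipaddress
import re
import shlex
from collections import namedtuple
# Assumed values for the script's variables (constructed; the post does not show
# the box's external address, so a documentation-range address stands in).
ENV = {"IPCHAINS": "/sbin/ipchains", "REMOTENET": "0/0",
       "LOCALNET": "203.0.113.10/255.255.255.0", "INTERNALNET": "192.168.1.0/24"}
# Constructed excerpt of the script's active "input" rules, in the script's order.
SCRIPT_EXCERPT = """
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A input -l -s 24.0.0.0/8 -d $LOCALNET -j DENY
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 139 -j DENY
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 1023:65535 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -j DENY
"""
# proto None = any protocol; ports = inclusive destination port range or None
Rule = namedtuple("Rule", "proto src iface ports target")
def _net(spec):
    """ipchains writes '0/0' and dotted netmasks; ipaddress needs the full forms."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)
def parse_rules(text, env):
    """Parse the '-A input' lines of the script's rule subset; other chains are skipped."""
    rules = []
    for line in text.splitlines():
        toks = [re.sub(r"\$(\w+)", lambda m: env[m.group(1)], t) for t in shlex.split(line)]
        if "-A" not in toks or toks[toks.index("-A") + 1] != "input":
            continue
        i, proto, src, iface, ports, target = 0, None, _net("0/0"), None, None, None
        while i < len(toks):
            t = toks[i]
            if t == "-p":   proto = toks[i + 1]; i += 2
            elif t == "-s": src = _net(toks[i + 1]); i += 2
            elif t == "-i": iface = toks[i + 1]; i += 2
            elif t == "-j": target = toks[i + 1]; i += 2
            elif t == "-d":                      # address, then optional 'port' or 'lo:hi'
                i += 2
                if i < len(toks) and not toks[i].startswith("-"):
                    lo, _, hi = toks[i].partition(":")
                    ports = (int(lo), int(hi or lo)); i += 1
            else: i += 1                         # '-A input', '-l', the ipchains path
        rules.append(Rule(proto, src, iface, ports, target))
    return rules
def verdict(rules, proto, dport, src="198.51.100.7", iface="eth0"):
    """First matching rule wins; no match falls through to ipchains' default input policy."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if (r.proto and r.proto != proto) or (r.iface and r.iface != iface):
            continue
        if addr not in r.src or (r.ports and not r.ports[0] <= dport <= r.ports[1]):
            continue
        return r.target
    return "ACCEPT"   # the script never sets '-P input', so the default stays ACCEPT
def exposed_ports(rules, proto, candidates):
    """Ports in 'candidates' that an outside host can reach under these rules."""
    return [p for p in candidates if verdict(rules, proto, p) == "ACCEPT"]
```

With the excerpt above, `exposed_ports(parse_rules(SCRIPT_EXCERPT, ENV), "tcp", [22, 139, 8080])` returns `[8080]`: the blocked port and the unlisted low port are denied, but anything listening above 1023 is open.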
------------------------------
Reply-To: "Paulus" <[EMAIL PROTECTED]>
From: "Paulus" <[EMAIL PROTECTED]>
Subject: APACHE
Date: Thu, 19 Aug 1999 12:46:21 +0700
How do I set up Apache with 3 virtual hosts?
www.intern.company --> home/website/www
admin.intern.company.com -> home/public_html/useradm
user.intern.company.com ->home/public_html/usermenu
I use SUSE 61 & Apache 1.3.4
------------------------------
From: Sharbat Oop <[EMAIL PROTECTED]>
Subject: Appletalk (netatalk) Security Loophole
Date: Thu, 19 Aug 1999 05:57:19 GMT
Running netatalk-1.4b2
Yellow Dog Linux (PPC) CS 1.1
When mac users connected to the Linux box via Appletalk throw anything
away, they create a "Network Trash Folder" in their login directory
which is WORLD WRITEABLE.
Depending upon where this folder is created, it's a pretty obscure but
pesky loophole.
Anyone know how to disable netatalk from creating this folder? (When
connected to a PC via PC MACLAN for example, the mac user is told they
can't store items in the trash; they must delete them immediately.)
Thanks,
-Sharbat
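Added example, not from Sharbat's post: a check for the exposure described, which finds world-writable "Network Trash Folder" directories under a home tree and tightens one. The folder name is taken from the post; the sample tree the helper builds is constructed.

```python
import os
import stat
import tempfile

TRASH_NAME = "Network Trash Folder"   # the folder name given in the post

def find_world_writable_trash(root):
    """Walk 'root' (for example /home) and return (path, sticky) for every
    directory with netatalk's trash-folder name that any user can write to.
    Symlinks are skipped; the sticky bit is reported because, as on /tmp, it
    stops other users deleting files there but not planting new ones."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name != TRASH_NAME:
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                hits.append((path, bool(mode & stat.S_ISVTX)))
    return hits

def restrict(path):
    """Drop group and other write bits from one folder; return the new permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return stat.S_IMODE(os.stat(path).st_mode)

def make_demo_tree():
    """Constructed sample: two home directories, one with a 0777 trash folder."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "alice", TRASH_NAME)
    ok = os.path.join(root, "bob", TRASH_NAME)
    os.makedirs(bad)
    os.makedirs(ok)
    os.chmod(bad, 0o777)
    os.chmod(ok, 0o755)
    return root, bad, ok

if __name__ == "__main__":
    root, _, _ = make_demo_tree()
    for path, sticky in find_world_writable_trash(root):
        print(path, "sticky" if sticky else "no sticky bit", "->", oct(restrict(path)))
```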
------------------------------
From: [EMAIL PROTECTED] (el bobo)
Subject: pop/smtp from a win95 workstation thru eth0
Date: Thu, 19 Aug 99 06:36:04 GMT
hi there folks.. having a bit of a struggle getting win95/etc workstations to be able
to access my ISP's POP/SMTP servers thru the network. Have Debian potato as server
with a 56k modem holding up the ISP connection. The workstations can happily browse
the web thru the network by using Squid proxy. But I want them to be able to do email
as well. Now I have a stock exim install/config going, which with a little fiddling
is allowing the workstations to send email via smtp (but I believe it's not actually
getting anywhere at the moment.. hmm..) but I haven't figured out what I require to
forward pop requests on to the ISP..
if this is the wrong newsgroup for this, apologies, and please point me in the
direction of the right one :)
Cheers
Matt
------------------------------
From: sensei <[EMAIL PROTECTED]>
Subject: Linux <-= ???? =-> Win98
Date: Wed, 18 Aug 1999 23:32:41 +1700
I have two machines, one linux, one win98.
They are connected via an ethernet cable and as far as I can
tell they are talking to each other on a hardware level.
I can ping each from the other no problem.
I have the linux machine connected to the internet, and I
would like to be able to access the internet from the win98
machine also.
When I try to access the linux box from Win98 Network
Neighborhood, it asks me for a password. I haven't got a
clue as to what I should do. All and any passwords that I
have used to configure both machines do not work.
How do I get them to talk to each other on a software level
that is meaningful?
Also,
In my DNS setup, do I need to put in some lines to identify
the win98 host through the linux host (using the 192.168.?.?
addressing scheme)?
Please help ...
Luke
------------------------------
From: "Ji-Haw, Foo" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.questions,comp.os.linux.setup,linux.dev.config,linux.dev.newbie
Subject: Compiling kernel
Date: Thu, 19 Aug 1999 09:10:49 +0200
I am using Mandrake 6 with KDE support. I have downloaded the 2.2.11 kernel,
and am trying to compile it. A RedHat book I bought suggested the command
line make dep; make Image; make zImage. When I was using Slackware, I always
used make dep; make clean; make zlilo. Which is the better way to compile my
2.2 kernel?
--
regards,
Foo Ji-Haw
Berkom
raum 6067
extension 3150
------------------------------
From: Stephan Houben <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.development.apps,comp.os.linux.development.system
Subject: Re: C++ templates: More than Turing Complete?
Date: 19 Aug 1999 09:28:09 +0200
[EMAIL PROTECTED] (Davin McCall) writes:
>
> Incidentally, if a C++ compiler couldn't compile the example given to
> demonstrate "why not all C++ programs can be compiled to finite
> assembly code" (although some that can't could be run as a script), it
> is a problem with the compiler design rather than any logical
> impossibility.
>
> eg
>
> ==== begin ====
>
> template <class T> void func(T x, int i)
> {
> if( i > 0 ) func(&x, i - 1);
> }
>
> int main()
> {
> int i;
> func(i, 10);
> }
>
> ===== end ====
>
> This ought to be compilable, as it is algorithmically identical to the
> following C program:
>
> void func2(void *x, int i)
> {
> if(i > 0) func2((void *)&x, i - 1);
> }
>
> void func1(int x, int i)
> {
> if( i > 0 ) func2((void *)&x, i - 1);
> }
>
> int main()
> {
> int i;
> func1(i, 10);
> }
>
> ==== end ====
>
>
> The key is that func2 handles all the cases where 'x' is a pointer
> sufficiently. As it never dereferences a pointer, an int * and an int
> ****** can be treated the same way.
What you have described is essentially a "homogeneous mapping" for
the template, i.e. all instances of the template are implemented
by the same code. C++ compilers generally implement templates in
a "heterogeneous" way (i.e. create new code for every instance of
the template). This is the cause of the well-known critique that
C++ templates create "code bloat".
Heterogeneous templates lead to a lot of other problems, too,
because they make separate compilation of templates difficult.
Depending on how the templates are used (i.e. which instances
are required), different code has to be generated. This problem
is solved in different ways in different C++ compilers, which means
that code for a C++ compiler that uses a "template repository"
to solve the problem might not work on a C++ compiler that
takes the naive view that every template should have a definition
in the current compilation unit.
So far for a "standard" language...
Although it is, I think, theoretically possible to implement a C++
compiler with homogeneous templates, the way templates are defined
in C++ makes this difficult. Personally, that's my main problem with
the C++ template mechanism.
Greetings,
Stephan
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************