Linux-Networking Digest #349, Volume #12 Tue, 24 Aug 99 19:13:53 EDT
Contents:
Re: 3com ISA cards and linux ("Kalkas")
Re: Firewall Rules
Re: How do you get Linux to recognize the Cisco 605??? (George Torralba)
Re: Crossover RJ45 ethernet cables - Re: Cable problem? (David C.)
Re: Help: telnet slow on dual homed host ("John Bokma")
ftping (alex)
Direct dial-up (Chad Wesley Armstrong)
Samba on a Laptop with dynamic ip
Re: PPP connection problem for non-root users (bill davidsen)
Re: networking thru a Sygate proxy/gateway server with a Linux box ("Lloyd Parsons")
Re: Is this possible? (bill davidsen)
Redhat 6.0 and NAT ("Smartpatrol")
HELP... I cannot get win98 to connect to the Linux Box (Kevin)
Re: Direct dial-up (winrip)
Re: What network identifier to use??? ("Robert_Glover")
Re: how do i connect 2 networks? ([EMAIL PROTECTED])
Re: Running DOS from Linux (Gustin Kiffney)
Re: help with slow ppp connection (Eric L. Schott)
Re: Firewall Rules
----------------------------------------------------------------------------
From: "Kalkas" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware,comp.os.linux.misc
Subject: Re: 3com ISA cards and linux
Date: Tue, 24 Aug 1999 23:20:12 +0200
Paul Sherwin <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sat, 21 Aug 1999 17:50:05 +0200, "Kalkas" <[EMAIL PROTECTED]>
> wrote:
>
> >
> >How shall I get those drivers? I have been at the 3com site, but they do not
> >mention Linux; I plan to phone them directly.
> >
> The 3C509 is one of the commonest ISA ethernet cards around. AFAIK,
> every Linux distribution includes support for this card, either
> compiled into a kernel or as a loadable module.
>
> However, you may need the DOS setup program if you don't have it
> already. I suggest you reconfigure the card, switching off PnP and
> setting IRQ and IO values manually. You get fewer problems that way.
> You can get the 3Com config program from the 3Com website.
>
> Best regards, Paul
Thanks for your help, Paul.
Sincerely yours,
Kalkas
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Firewall Rules
Date: Tue, 24 Aug 1999 21:38:50 GMT
Reply-To: [EMAIL PROTECTED]
On Tue, 24 Aug 1999 19:02:27 GMT, YouDontKnowWho wrote:
>Could someone please post a copy of a set of firewall rules that cover
>the basic services, without completely opening the wall?
Here is a pretty generic ruleset:
/sbin/ipchains -A input -i eth0 -j DENY
/sbin/ipchains -N internet
/sbin/ipchains -A internet -p tcp -i eth0 --destination-port \
ssh -j ACCEPT
/sbin/ipchains -A internet -p tcp -i eth0 --destination-port \
1024:5999 -j ACCEPT
/sbin/ipchains -A internet -p udp -i eth0 --destination-port \
1024:5999 -j ACCEPT
/sbin/ipchains -A internet -p tcp -i eth0 --destination-port \
6064:65535 -j ACCEPT
/sbin/ipchains -A internet -p udp -i eth0 --destination-port \
6064:65535 -j ACCEPT
/sbin/ipchains -A internet -p icmp -i eth0 -j ACCEPT
/sbin/ipchains -A internet -i eth0 -j DENY -l
/sbin/ipchains -A input -j internet
/sbin/ipchains -D input 1
This is only filtering on inbound packets thru eth0. I think it's pretty
readable. First shut all inbound packets out, then create a new filter that
allows only ssh specifically. Then allow higher ports (above 1024, so your
returning connections are allowed in), taking into account what services are
running on those higher ports (I've excluded X11 ports in the above example).
Accept icmp, deny anything not specified logging the denies.
The last two statements apply the new filter to inbound rules and then retract
the global deny I put on to begin with.
This should get you started without leaving you wide open. You can then add
or retract based on your particular site needs.
R. Marc
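To see exactly what the ruleset above admits, here is an added example (not part of the digest or R. Marc's post) that replays the rules through a small model of ipchains semantics: first match wins, a user chain that ends without a match returns to the caller, and a built-in chain falls back to its policy. The `SERVICES` table standing in for /etc/services is an assumption so the block runs offline; the ruleset text is copied verbatim from the post.

```python
import shlex

SERVICES = {"ssh": 22}  # stand-in for /etc/services so this runs offline (assumption)

# R. Marc's ruleset from the digest, reproduced verbatim as the sample input.
RULESET = r"""/sbin/ipchains -A input -i eth0 -j DENY
/sbin/ipchains -N internet
/sbin/ipchains -A internet -p tcp -i eth0 --destination-port \
ssh -j ACCEPT
/sbin/ipchains -A internet -p tcp -i eth0 --destination-port \
1024:5999 -j ACCEPT
/sbin/ipchains -A internet -p udp -i eth0 --destination-port \
1024:5999 -j ACCEPT
/sbin/ipchains -A internet -p tcp -i eth0 --destination-port \
6064:65535 -j ACCEPT
/sbin/ipchains -A internet -p udp -i eth0 --destination-port \
6064:65535 -j ACCEPT
/sbin/ipchains -A internet -p icmp -i eth0 -j ACCEPT
/sbin/ipchains -A internet -i eth0 -j DENY -l
/sbin/ipchains -A input -j internet
/sbin/ipchains -D input 1"""


class IPChains:
    """First matching rule wins; a user chain that ends without a match
    returns to its caller; a built-in chain with no match uses its policy."""

    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}
        self.policy = {"input": "ACCEPT", "forward": "ACCEPT", "output": "ACCEPT"}
        self.logged = []  # packets that hit a rule carrying -l

    def run(self, script):
        # Join backslash-continued lines, then feed each command to _command.
        for line in script.replace("\\\n", " ").splitlines():
            if line.strip():
                self._command(shlex.split(line)[1:])  # drop the /sbin/ipchains word

    def _command(self, argv):
        op, chain, rest = argv[0], argv[1], argv[2:]
        if op == "-N":
            self.chains[chain] = []
        elif op == "-D":
            del self.chains[chain][int(rest[0]) - 1]  # rule numbers are 1-based
        elif op == "-A":
            self.chains[chain].append(self._parse_rule(rest))
        else:
            raise ValueError("unsupported ipchains option " + op)

    @staticmethod
    def _parse_rule(args):
        rule, it = {"log": False}, iter(args)
        for a in it:
            if a == "-l":
                rule["log"] = True
            elif a == "--destination-port":  # a service name or lo:hi
                lo, _, hi = next(it).partition(":")
                lo = int(SERVICES.get(lo, lo))
                rule["dport"] = (lo, int(hi) if hi else lo)
            else:  # -p proto, -i iface, -j target
                rule[a] = next(it)
        return rule

    @staticmethod
    def _matches(rule, pkt):
        lo, hi = rule.get("dport", (0, 65535))
        return (rule.get("-p", pkt["proto"]) == pkt["proto"]
                and rule.get("-i", pkt["iface"]) == pkt["iface"]
                and lo <= pkt.get("dport", 0) <= hi)

    def verdict(self, chain, pkt, builtin=True):
        for rule in self.chains[chain]:
            if not self._matches(rule, pkt):
                continue
            if rule["log"]:
                self.logged.append(pkt)
            if rule["-j"] not in self.chains:
                return rule["-j"]
            target = self.verdict(rule["-j"], pkt, builtin=False)  # jump to user chain
            if target is not None:  # None means the user chain fell through
                return target
        return self.policy[chain] if builtin else None
```

Running the model shows the point both sides of the later thread make: ssh is let in and X11 (6000-6063) is blocked, but any tcp or udp service listening on 1024-5999 or above 6063 on eth0 is reachable from outside, and traffic on other interfaces is untouched because only the default policy applies there.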
------------------------------
From: [EMAIL PROTECTED] (George Torralba)
Subject: Re: How do you get Linux to recognize the Cisco 605???
Date: Tue, 24 Aug 1999 20:18:59 GMT
I think you're SOL. I hear there's no driver for the 605 in Linux.
George
On Mon, 23 Aug 1999 23:56:42 -0500, "User" <[EMAIL PROTECTED]> wrote:
>Hello,
>
>I am a newbie to Linux. I was running win98, but decided to switch over to
>Linux. I have a USWest DSL connection using a cisco 605. I was wondering
>if anybody in this newsgroup knows how to setup up the cisco 605 in Linux.
>I have no clue on what to do in Linux. Any help would be greatly
>appreciated. I am running Mandrake Linux 6.0...........I think it's also
>called Venus, or something like that.
>
>Thanks,
>
>Nong Khai
>[EMAIL PROTECTED]
>
------------------------------
From: [EMAIL PROTECTED] (David C.)
Subject: Re: Crossover RJ45 ethernet cables - Re: Cable problem?
Date: 24 Aug 1999 12:14:12 -0400
David Crooke <[EMAIL PROTECTED]> writes:
>
> It still doesn't excuse it - they could have used 1-2 and 8-7 as the
> two ethernet pairs, hence allowing flipover to make crossover cables
> with the flat or twisted-pair-ribbon type cable, leaving the centre
> two (or four) pins free for US-style RJ11 phone cabling.
BTW, ATM-over-Cat5 does just this - they use the two outer pairs.
> Hindsight is a powerful tool, and no doubt they had some other weird
> standard which they were trying to accommodate which now seems deeply
> irrelevant.
They're accommodating still-used EIA premises wiring standards. The
standards are T568A and T568B. Here's a slide I dug up on the web that
shows them: http://www.bicsi.org/techsem/sld008.htm
Since the graphic is small, here's what it describes:
T568A                   T568B
1 2 3 4 5 6 7 8         1 2 3 4 5 6 7 8
| | | | | | | |         | | | | | | | |
\ / | \ / | \ /         \ / | \ / | \ /
 |  |  |  |  |           |  |  |  |  |
 3  |  1  |  4           2  |  1  |  4
    \     /                 \     /
     \   /                   \   /
      \ /                     \ /
       |                       |
       2                       3

             T568A     T568B
Pins 1-2     pair 3    pair 2
Pins 3+6     pair 2    pair 3
Pins 4-5     pair 1    pair 1
Pins 7-8     pair 4    pair 4
Pair 1 (centered in both) is what's always used for voice. Ethernet
does not use this pair because you don't want to blow out equipment if
someone should accidentally patch an Ethernet port to a voice port. You
may not care, but manufacturers really don't like replacing blown parts,
and customers don't like being denied warranty service.
Note that pairs 2 and 3 are oppositely numbered in the two standards.
If you've got a T568A patch panel and you need to patch something over
to a T568B panel, you need a crossover cable that swaps pairs 2 and 3.
The decision to use 2 and 3 for Ethernet makes perfect sense in this
context, because you don't need to design new crossover cables. The
same cables you use for linking different-standard patch panels can be
used to link Ethernet cards and hubs.
In other words, using this standard means there are only two kinds of
cables - straight and crossover. Instead of three - straight,
crossover-for-Ethernet and crossover-for-panels. Being able to keep
only two kinds of patch-cords on hand instead of three is a big win for
any department that has to maintain the wiring. It's a similarly big
win for the cable manufacturers, who only need two versions of every
cable in their catalog instead of three.
Making it easy for individuals to build their own crossover cables was
probably never a concern. It is expected that you know what you're
doing if you're making your own cables. "Premises wiring for dummies"
just doesn't make sense.
-- David
------------------------------
From: "John Bokma" <[EMAIL PROTECTED]>
Crossposted-To:
comp.os.linux.help,comp.os.linux.network,linux.redhat.misc,comp.os.linux.admin
Subject: Re: Help: telnet slow on dual homed host
Date: Tue, 24 Aug 1999 19:12:41 +0200
[EMAIL PROTECTED] wrote in message
<[EMAIL PROTECTED]>...
>>
>> I have configured a Linux (RH 6.0) dual homed host. However
>> telnet to eth1 is deadly slow. It takes almost a few minutes
>> before I have a connection.
>>
>
>Sounds like the symptoms of a name resolution problem. Post your
>network specifics.
Hi,
We telnet using the IP number, so I don't think that name resolution has anything
to do with it... I am not on location but will try to obtain the files a.s.a.p.
Thanks,
John
------------------------------
From: alex <[EMAIL PROTECTED]>
Subject: ftping
Date: Tue, 24 Aug 1999 21:11:44 GMT
I have a Netfinity server running Red Hat 6. I did the server default
install, and it found my NIC and all is smooth, except for the video
card, but that's another story. Anyhow, I have another computer right
next to it and they're both connected to a hub; both show up on the hub's
lights, and I can ping back and forth (I gave the server an IP of
100.100.100.1, and the other computer 100.100.100.10), but I can't ftp or
telnet. Why not? I have a bunch of books but none of them seem to
address this.... This server will be at the local Jr. high in 2 weeks
web serving, and I need to have ftping up.
Any help will be greatly appreciated.
thanks
alex
------------------------------
From: Chad Wesley Armstrong <[EMAIL PROTECTED]>
Subject: Direct dial-up
Date: Tue, 24 Aug 1999 15:24:39 -0600
Is there a way to do a direct dial-up into a modem in Linux, similar to
Windows Hyperterminal or Mac's Communications (under Claris/Applework)?
Chad Armstrong
[EMAIL PROTECTED]
------------------------------
From: <[EMAIL PROTECTED]>
Subject: Samba on a Laptop with dynamic ip
Date: Tue, 24 Aug 1999 21:30:56 GMT
Hi,
Here is my setup:
Laptop computer with pcmcia ethernet card.
Samba 2.0.5
Caldera Open Linux 2.2
I obtain an ip address via dhcp for eth0 (which is my pcmcia ethernet
adapter).
The problem I have is when I do not specify an ip/mask in the "interfaces"
field, my computer does not appear in Network Neighborhood on WinNT or
Win95 machines. I run a Win95 in VMWare and it does appear in the Network
Neighborhood on other Windows machines.
If I put the IP address obtained by dhcp in the "interfaces" field in
"[global]" and restart samba, then it appears in Network Neighborhood.
How can I configure samba or my machine so I do not have to manually change
the ip/mask in "interfaces" with my dynamic ip?
Thanks in advance for the answer!
------------------------------
From: [EMAIL PROTECTED] (bill davidsen)
Subject: Re: PPP connection problem for non-root users
Date: 24 Aug 1999 21:46:22 GMT
In article <7pkpi5$im5$[EMAIL PROTECTED]>, bran <[EMAIL PROTECTED]> wrote:
| I done all the chmods as you suggested but there seems to be a problem in
| verifying the password.
| After a while this message is given :
| "Timeout expired while waiting for the PPP interface to comeup".
| What could be the problem as my connection setup is exactly the same as
| root's?
I will give you one thought on making ppp work as user... unless you
have a real need to allow only certain users to start ppp, don't bother.
Instead, start ppp, once, in demand mode, at boot time. It will not
dial, it will sit there. Then, when any process attempts to make a net
access, it will dial and provide service, then idle out.
In general, all the things which let normal users use ppp can raise
some security issues. If you just want the machine to call when someone
needs the line up, let the machine do it for you.
I've been running this way for several years, and have been having no
problems.
--
bill davidsen <[EMAIL PROTECTED]> CTO, TMR Associates, Inc
The Internet is not the fountain of youth, but some days it feels like
the fountain of immaturity.
------------------------------
From: "Lloyd Parsons" <[EMAIL PROTECTED]>
Subject: Re: networking thru a Sygate proxy/gateway server with a Linux box
Date: Tue, 24 Aug 1999 15:51:25 -0500
OK, I thought I did say how to use it.
1. Linux doesn't seem to like the DHCP server from Sygate,
so change the IP of your ethernet card to the address that
you want it to have.
2. edit resolv.conf for gateway and dns entries. See the
howto's for the specifics.
Then I reboot, because I can never remember just how to make
it see my changes after that, but a reboot does it every
time.
You don't have to change a thing in any app, just use them
as if they were the only thing looking for that web page,
ftp site or whatever. DO NOT set proxy in the web browser!
Lloyd
Ahhhh wrote in message ...
>ok, the NAT is right
>but where is the solution???
>or were you just responding to point out the service that Sygate is using?
>
>why do so many just point out that they have it working without the details
>of how?
>
>
>Lloyd Parsons wrote in message <7ps2jg$[EMAIL PROTECTED]>...
>>OK, first Sygate is a NAT, not a proxy server. So, you
>>cannot expect it to function in that mode. Secondly, my
>>luck with getting Linux to pickup the needed info from
>>Sygate's DHCP server has been flaky, at best.
>>
>>So, I used fixed addressing, manually massaging the files on
>>the linux box to see the gateway. Mine is working good
>>configured this way, regardless of which OS is on my client
>>side.
>>
>>Lloyd
>>
>>Ahhhh wrote in message
>><6oIv3.777$[EMAIL PROTECTED]>...
>>>using a w98 box with Sygate installed as a proxy/gateway server. I can use
>>>Sygate for windows boxes without installing a client, by using the dhcp
>>>server Sygate uses and setting apps to proxy use with the w98 box as the
>>>gateway.
>>>I should be able to set up the linux box to do the same, while i can setup
>>>accounts on the linux box to ftp into and all the other boxes can use the
>>>linux box, the linux box is the only one that can't seem to ping or
>>>traceroute any further than the ISP's primary DNS. I know the solution has
>>>to be simple but it's eluding me, (think I am too close to the problem to see
>>>the solution).
>>>any ideas or help would be appreciated
>>>--
>>>disclaimer:
>>> all the preceding information is for all purposes to be
>>> considered fictional, and not an admission of any kind!
>>>
>>
>
------------------------------
From: [EMAIL PROTECTED] (bill davidsen)
Subject: Re: Is this possible?
Date: 24 Aug 1999 22:02:00 GMT
In article <mqtv3.1089$[EMAIL PROTECTED]>,
tick <[EMAIL PROTECTED]> wrote:
| I've got dsl and one ip address with mydomain.com registered to it. Would
| it be possible to register a my2nddomain.com with the same ip address but
| then redirect it to an internal web server.
Anything is possible, but this is not going to be really easy, because
with the same IP address, the redirector will have to parse some HTML to
get the name from the URL.
Alternatively, you could just redirect all the http port traffic
internal, and get non-firewall stuff off the firewall. You must be
getting a bunch of hits to need to spread the load with such a thin pipe
out.
--
bill davidsen <[EMAIL PROTECTED]> CTO, TMR Associates, Inc
The Internet is not the fountain of youth, but some days it feels like
the fountain of immaturity.
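As an added illustration (not part of the digest or bill davidsen's reply), this is the dispatch step such a front end on the single public address needs: the requested site name is carried in the HTTP request itself (the Host header, or an absolute-form request target), so the front end can pick the internal server from it without touching the HTML. The domain-to-backend table and the internal addresses are constructed for the thread's scenario.

```python
import re

# Constructed mapping for the thread's scenario: two names, one public IP,
# each name sent to a different internal web server (addresses hypothetical).
BACKENDS = {
    "mydomain.com": ("192.168.1.10", 80),
    "my2nddomain.com": ("192.168.1.11", 80),
}
DEFAULT_SITE = "mydomain.com"  # served when an HTTP/1.0 client sends no Host

REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]$")


def parse_head(head):
    """Split a request head (bytes up to the blank line) into (target, headers).
    Header names are lower-cased; a repeated Host header is rejected rather than
    letting the first and last copy disagree about which site was meant."""
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, sep, value = line.partition(b":")
        name = name.strip().lower()
        if not sep or (name == b"host" and name in headers):
            raise ValueError("malformed or duplicate header")
        headers[name] = value.strip()
    return m.group(1), headers


def site_name(target, headers):
    """Which site the client asked for: an absolute-form target
    (GET http://host/path) wins, otherwise the Host header."""
    if target.lower().startswith(b"http://"):
        authority = target[7:].split(b"/", 1)[0]
    else:
        authority = headers.get(b"host")
    if authority is None:
        return DEFAULT_SITE
    # Case-insensitive, and drop an explicit :port suffix.
    return authority.decode("ascii", "replace").lower().rsplit(":", 1)[0]


def pick_backend(head):
    """(ip, port) of the internal server for this request, or None if the
    name is not one we serve (the caller should answer 404 or close)."""
    target, headers = parse_head(head)
    return BACKENDS.get(site_name(target, headers))
```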
------------------------------
From: "Smartpatrol" <[EMAIL PROTECTED]>
Subject: Redhat 6.0 and NAT
Date: Tue, 24 Aug 1999 11:34:21 -0600
Has anyone successfully configured Redhat 6.0 as a NAT server with two
network cards? I can't find any documentation on configuring the newer
Linux kernel to do this. When I ifup eth1 it says it is delaying
initialization. What am I missing? Or does anyone know where I can find
info on this topic for redhat 6.0?
Smartpatrol
------------------------------
From: [EMAIL PROTECTED] (Kevin)
Subject: HELP... I cannot get win98 to connect to the Linux Box
Date: Tue, 24 Aug 1999 21:55:09 GMT
What I am trying to do is have Win98 access the Internet through the Red
Hat 6 Linux box.
I cannot get win98 to connect to the Linux box (I can't ping the Linux Box)
and Linux connects to @home fine.
Sorry this is long but these are the only things I have changed ... I have
been working on this for a week and I am ready to give up.
Please help !!!!!
These are my settings.
When I run NETCONF:
Host name cr929929-a
===================Adapter 1==================
[ X ] Enabled
Config Mode- Manual
Primary Name +Domain-- MrBurns.poseidon.com
Alias -- MrBurns
IP Address -- 192.168.1.1
Netmask --255.255.255.0
Net Driver -- eth0
Kernel Module -- 3c905 ( this is a 3com Etherlink III ISA card )
===================Adapter 2==================
[ X ] Enabled
Config Mode- Manual
Primary Name +Domain-- cr929929-a.flfrd1.on.wave.home.com
Alias -- cr929929-a
IP Address -- 24.11233.245
Netmask -- 255.255.252.0
Net Driver -- eth1
Kernel Module -- tulip
( this is the card that came with @home it is a SMC PCI )
**************************************************************************
NAME SERVER SPECIFICATION
DNS Usage [ X ] DNS is Required for Normal Operation
Name server 1 -- 24.2.9.34
Name server 2 -- 24.2.9.35
Search Domain 1- cr929929-a.flfrd1.on.wave.home.com
Search Domain 2- poseidon.com
**************************************************************************
ROUTING AND GATEWAYS
Set Default -- Default Gateway -24.112.88.1
[ ] Enable Routing
Other Routes to networks -
Network --24.112.88.1
Netmask - 255.255.252.0 Gateway -- 24.112.88.1
CONFIGURE- The Routed Daemon
[ X ] Does not export any routes
**************************************************************************
HOST NAME SEARCH PATH
[ X ] Multiple Ip's for one Host
( 0 ) Hosts, DNS
**************************************************************************
MISC:
Information about other hosts
192.168.1.2 Homer (it's the name of the win98 box); I also tried
Homer.poseidon.com
192.168.1.1 MrBurns.poseidon.com (Linux Box )
24.112.33.245 cr929929-a.flfrd1.on.wave.home.com
127.0.0.1 Local Host
Information about other networks
IP Number --24.112.33.245
Name + Alias -- cr929929-a.flfrd1,on.wave.home.com
Alias cr929929-a
Comment - Wave Connection
**************************************************************************
**************************************************************************
In XWindows
NAMES BUTTON
Hostname -- cr929929-a
Domain -- flfrd1.on.wave.home.com
Search for hostnames In Additional Domains -- poseidon.com
Name Server : 24.2.9.34
              24.2.9.35
**************************************************************************
HOST BUTTON
IP              NAME                              NICKNAMES
127.0.0.1       Localhost                         localhost.localdomain
192.168.1.1     MrBurns.poseidon.com              MrBurns
24.112.33.245   cr929929-a.flfrd1.on.wave.com     cr929929-a
192.168.1.2     Homer.poseidon.com                Homer
**************************************************************************
INTERFACES BUTTON
Interface   IP            Proto   atboot   Status
LO          127.0.0.1     None    Yes      Active
eth0        192.168.1.1   None    Yes      Active
eth1        192.168.1.2   None    Yes      Active
**************************************************************************
Routing BUTTON
[ X ] Network Packet forwarding
Default Gateway -- 24.112.88.1
Default Gateway Device --eth1
Interface   Network Address   Netmask         Gateway
eth1        24.112.88.1       255.255.252.0   24.112.88.1
**************************************************************************
**************************************************************************
In WIN 98
set ip to 192.168.12
host --cr929929
Domain -- flfrd1.on.wave.home.com
DNS -- 24.2.9.34 & 24.2.9.35 ( @home DNS servers )
Edited the C:\win98\hosts
Added :
127.0.0.1 localhost
192.168.1.1 MrBurns.poseidon.com
24.112.33.245 cr929929-a.flfrd1.on.wave.home.com
**************************************************************************
**************************************************************************
AND THE LAST THING is In Linux I ran :
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.2/32 -j MASQ
Rebooted Both Machines
------------------------------
Date: Tue, 24 Aug 1999 15:57:11 -0400
From: winrip <[EMAIL PROTECTED]>
Subject: Re: Direct dial-up
Chad Wesley Armstrong wrote:
> Is there a way to do a direct dial-up into a modem in Linux, similar to
> Windows Hyperterminal or Mac's Communications (under Claris/Applework)?
>
> Chad Armstrong
> [EMAIL PROTECTED]
minicom is the program you want to run.
------------------------------
From: "Robert_Glover" <Please_reply_to@newsgroup>
Subject: Re: What network identifier to use???
Date: Tue, 24 Aug 1999 19:47:28 -0000
There are blocks of addresses reserved for private networks (RFC
1918).
Class A private networks
10.n.n.n
Class B private networks
172.16.n.n
through
172.31.n.n
Class C Private networks
192.168.n.n
You can use private network addresses any way you want (sort of). By
design, these addresses cannot travel across the internet -- that
keeps them "private". Any self-respecting internet router will refuse
to forward packets to/from these addresses. That means that you
should never see a private address in one of those ranges unless
perhaps your ISP uses one of them. In that case your mail server,
news server, etc. might be visible to you as a private address. If
your ISP uses a private address range, then avoid using that yourself.
You might ask: How do I get on the internet when I have a private
address? The answer is simple: it is the interface (network card,
modem PPP connection, etc.) that has an IP address, not the computer.
Computers can and do have more than one interface. So your computer
can simultaneously have a private address of 192.168.88.8 and a
public IP address of 204.205.206.207.
When you dial up you are temporarily assigned a globally valid IP
address for the duration of your session. It gets re-assigned to the
next caller when you hang up (or get hung up on).
Will Muldrew wrote in message <[EMAIL PROTECTED]>...
>I've just connected my two linux machines together, recompiled kernel
>many times to install hardware, and am now trying to get a tiny network
>going. I connect to the internet via a dial up using pppd. I can
>telnet between my two machines - but so far I've just used some
>arbitrary network identifier
>
>My question is, what network address should I use for my machines - the
>x.x.x.mymachine bit...? Does it matter if there's another network out
>there with the same address? I know you have to register domain names,
>but what about IP addresses?
>
>Forgive me if I'm being an idiot - I'm quite pleased I've got this far!!
>
>Will Muldrew
>
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: how do i connect 2 networks?
Date: Tue, 24 Aug 1999 17:57:55 GMT
See The Linux Network Administrator's Guide, Chapter 5, "Configuring
TCP/IP Network"
http://metalab.unc.edu/mdw/index.html#guide
Tiberio, David <[EMAIL PROTECTED]> wrote:
>I have 2 networks that I would like to connect together
>
>what is the proper way to do this? are there any faqs or
>instructions anywhere? I have not seen any that where
>helpful.
>
>
>1. what needs to be compiled in my kernel?
>2. what should my rc.inet1 look like (slackware)?
>3. do I need only one machine to connect the 2 networks?
>4. does every machine on each network need a second nic?
>5. does every machine need additional routing commands?
>6. do i need any special hardware like a switch, bridge,
>etc?
>
------------------------------
From: Gustin Kiffney <[EMAIL PROTECTED]>
Subject: Re: Running DOS from Linux
Date: Tue, 24 Aug 1999 21:55:26 GMT
[posted and mailed]
Yes, your dosemu can 'see' the netware servers - look
for 'ipxsupport' in /etc/dosemu.conf. If you want to do it from
the command line, do
dosemu -i "ipxsupport on"
and then from the dos window run 'netx' or 'vlm'
The only thing that doesn't work is packet burst support
but everything else should work.
In article <[EMAIL PROTECTED]>,
Luiz Guilherme B Damiano <[EMAIL PROTECTED]> wrote:
> I would like to run my old Clipper applications in a Linux based
> computer.
>
> My problem is that the Clipper executables are located in a Netware
> server in my local network. I can see the programs there but in Linux I
> could not run it. If I start the DOSEMU, I do not "see" the LAN.
>
> Is there any solution to this? Could I run a Netware client over the
> DOSEMU and then get access to the LAN?
>
> Any answer will be appreciated.
>
>
------------------------------
From: Eric L. Schott <[EMAIL PROTECTED]>
Subject: Re: help with slow ppp connection
Date: 24 Aug 1999 14:02:08 -0400
Samuel Davidoff <[EMAIL PROTECTED]> writes:
> And 1500 is the default setting of pppd so I don't think that's my
> problem. Thanks anyway though. Any other suggestions?
The TrinityOS project suggests setting the TCP window to 8192:
Both Slackware and Redhat, out of the box, do NOT optimize the TCP/IP
window size. This can make a BIG difference with performance. For more
information, check out [URLs in Section 5]:
RFC 1106 - High Latency WAN links - Section 4.1
RFC 793 - Transmission Control Protocol
Redhat5:
NOTE: For users that have NOT installed the initscripts-3.67-1.i386.rpm
patch RPM, the correct line numbers will be 119 and 134.
Personally, I recommend that you just install the RPM NOW!
Edit "/etc/sysconfig/network-scripts/ifup" and around
lines 134, 136, 141, 149, and 158, find the lines:
134: "route add -net ${NETWORK} netmask ${NETMASK} ${DEVICE}"
and
136: "route add -host ${IPADDR} ${DEVICE}"
and
141: "route add default gw ${GATEWAY} metric 1 ${DEVICE}"
and
149: "route add default gw ${GATEWAY} ${DEVICE}"
and
158: "route add default gw $gw ${DEVICE}"
and change them to:
134: "route add -net ${NETWORK} netmask ${NETMASK} window 8192 ${DEVICE}"
and
136: "route add -host ${IPADDR} window 8192 ${DEVICE}"
and
141: "route add default gw ${GATEWAY} window 8192 metric 1 ${DEVICE}"
and
149: "route add default gw ${GATEWAY} window 8192 ${DEVICE}"
and
158: "route add default gw $gw window 8192 ${DEVICE}"
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Firewall Rules
Date: Tue, 24 Aug 1999 22:51:15 GMT
Reply-To: [EMAIL PROTECTED]
On 24 Aug 1999 22:24:58 GMT, bill davidsen <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
> <[EMAIL PROTECTED]> wrote:
>| On Tue, 24 Aug 1999 19:02:27 GMT, YouDontKnowWho wrote:
>| >Could someone please post a copy of a set of firewall rules that cover
>| >the basic services, without completely opening the wall?
>
>This is about totally wide open to any kind of even moderate probe.
[snip]
>When it comes to firewalling I'm a devout fundamentalist paranoid, lay
>preacher of the sermon "cover your ass." I think the example is very
>clearly written, but way too permissive.
That's all well and good and I'm in total agreement, but the question
asked for an example of rules that cover *basic* services. That is what
was offered. If you'd like to add to it, I encourage you to offer your
own example elaborating on your particular paranoid views, which would no
doubt be very helpful to a lot of people, more so than a critique of
an example.
R. Marc
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************