Linux-Networking Digest #351, Volume #12 Tue, 24 Aug 99 22:13:48 EDT
Contents:
Re: Firewall Rules ("Jeff")
UDP for net games behind a firewall I have no control of. (Sean)
CAP_NET_RAW (Steven Berson)
ipfwadm message log question (Scott)
Re: how do i connect 2 networks? (Tiberio, David)
PPP+assyncronous mode+leased line (Domingos Saraiva de Oliveira)
shutdown and remote users ([EMAIL PROTECTED])
Re: Samba Peer to Peer?
SSL problems bigtime ... ("Dax")
Re: 2nd NIC Problem (M O'Neill)
Re: Linux Webserver Security
Re: How do you create a hard link? (Peter Moore)
Re: RH 6 network error (Chris Mahmood)
Re: ipfwadm message log question (Chris Mahmood)
Re: Using NS Communicator to read local mail. (Chris Mahmood)
Re: 3com ISA cards and linux ("Kalkas")
Re: Help.... Selectively disabling Masq (Bernd Eckenfels)
Re: ipchains -P forward DENY ? ([EMAIL PROTECTED])
Re: Linux Cookbook Project Officially begins! (Chris Mahmood)
Re: named configuration. (Chris Mahmood)
Re: how do i connect 2 networks? (Chris Mahmood)
Re: Help: telnet slow on dual homed host (Robert S)
Machine with ONLY web browser? (Greg Leblanc)
Re: How do you create a hard link? (Bob_Deep)
Re: Linux IP router (Nick Rout)
Getting Netware 4.x user passwords migrated to /etc/passwd file? (Tkrin)
----------------------------------------------------------------------------
Reply-To: "Jeff" <[EMAIL PROTECTED]>
From: "Jeff" <[EMAIL PROTECTED]>
Subject: Re: Firewall Rules
Date: Wed, 25 Aug 1999 00:19:38 GMT
While I have peeked at this group for the last couple of years (and so I
have known of BD's helpful contributions) I must agree that constructive,
rather than destructive, is of great importance to this discussion group.
Care to add your own example, minus a coupla' 'home grown' tactics...?
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On 24 Aug 1999 22:24:58 GMT, bill davidsen <[EMAIL PROTECTED]> wrote:
> >In article <[EMAIL PROTECTED]>,
> > <[EMAIL PROTECTED]> wrote:
> >| On Tue, 24 Aug 1999 19:02:27 GMT, YouDontKnowWho wrote:
> >| >Could someone please post a copy of a set of firewall rules that cover
> >| >the basic services, without completely opening the wall?
> >
> >This is about totally wide open to any kind of even moderate probe.
> [snip]
> >When it comes to firewalling I'm a devout fundamentalist paranoid, lay
> >preacher of the sermon "cover your ass." I think the example is very
> >clearly written, but way too permissive.
>
> That's all well and good and I'm in total agreement, but the question
> asked for an example of rules that cover *basic* services. That is what
> was offered. If you'd like to add to it, I encourage you to offer you
> own example elaborating on your particular paranoid views which would no
> doubt be very helpful to a lot of people, more so than a critique of
> an example.
>
> R. Marc
------------------------------
From: Sean <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc,comp.os.linux.setup
Subject: UDP for net games behind a firewall I have no control of.
Date: Tue, 24 Aug 1999 20:30:56 GMT
I want to be able to run net games which require UDP packets. I'm behind a
firewall that I have no control of. It blocks almost everything and I
can't even connect to IRC (I get disconnected every time I try to connect).
This also applies to Windows (obviously) and I'd like to be able to play
StarCraft on battle.net under either Windows or Wine (I don't really care).
I'm rather new to Linux and I like playing Quake and Q3Atest, preferably
over the net. By the way, is there a way to get Unreal working under Wine
(I have 990815)? I also tried it on 990731 and 990704 and I still couldn't
get it to work.
================== Posted via CNET Linux Help ==================
http://www.searchlinux.com
------------------------------
From: Steven Berson <[EMAIL PROTECTED]>
Subject: CAP_NET_RAW
Date: Tue, 24 Aug 1999 17:50:31 -0700
The man page for ip(4) and raw(4) says that either a process with
effective ID 0 or a process with CAP_NET_RAW set is allowed to
create a raw socket. Checking the kernel seemed to verify this.
However, I can't figure out how to set or change my capabilities. My
current capabilities from /proc/4770/status are as follows:
CapInh: 00000000fffffeff
CapPrm: 0000000000000000
CapEff: 0000000000000000
How do I change or add capabilities, particularly CAP_NET_RAW? Any
help would be appreciated.
This is on a 450 MHz P-III running Redhat 6.0.
Thanks,
Steve
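The three masks Steve posted are 64-bit hex bitmaps, one bit per capability, with bit numbers from <linux/capability.h>. Decoded, they say: the permitted and effective sets are empty (the process holds no capabilities at all, so under the rule Steve quotes from the man page it needs effective UID 0 to open a raw socket), and the inheritable set has every bit set except bit 8, CAP_SETPCAP. The following decoder is an added example for this digest, not code from the original post. The sample status text is constructed, reusing the three mask values from the post; the `Uid:` line, whose second field is the effective UID, is assumed to belong to an ordinary user 500. On the 2.2 kernel of Red Hat 6.0 there are no file capabilities, so a non-root process cannot acquire CAP_NET_RAW; on much later kernels `setcap cap_net_raw+ep /path/to/binary` does that.

```python
"""Decode the CapInh/CapPrm/CapEff masks from /proc/<pid>/status.

Added example for this digest, not code from the original post.  Bit
numbers are the ones from <linux/capability.h>; bits without a name in
the table are reported as CAP_<bit>.
"""
import os

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

# Constructed sample of /proc/<pid>/status: the three mask lines are the
# values from the post, the Uid line (effective UID is the second field)
# is an assumption for the example.
SAMPLE_STATUS = """\
Name:\tping
Pid:\t4770
Uid:\t500\t500\t500\t500
CapInh:\t00000000fffffeff
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
"""


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int} parsed from status text."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks


def effective_uid(status_text):
    """Second field of the Uid: line is the effective UID."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    raise ValueError("no Uid: line")


def decode_mask(mask):
    """Names of the capabilities set in a mask, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(BIT_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return names


def has_cap(mask, name):
    return bool(mask >> CAP_BITS[name] & 1)


def can_open_raw_socket(status_text):
    """The rule from raw(4)/ip(4): effective UID 0, or CAP_NET_RAW in the effective set."""
    masks = parse_cap_masks(status_text)
    return effective_uid(status_text) == 0 or has_cap(masks.get("CapEff", 0), "CAP_NET_RAW")


if __name__ == "__main__":
    masks = parse_cap_masks(SAMPLE_STATUS)
    for key in ("CapInh", "CapPrm", "CapEff"):
        print("%s %016x: %s" % (key, masks[key], ", ".join(decode_mask(masks[key])) or "(none)"))
    print("sample process can open a raw socket:", can_open_raw_socket(SAMPLE_STATUS))
    if os.path.exists("/proc/self/status"):   # only on Linux
        with open("/proc/self/status") as fh:
            own = fh.read()
        print("this process, CapEff:", decode_mask(parse_cap_masks(own).get("CapEff", 0)) or "(none)")
```

Run it as is to see the three posted masks decoded, then as root (or with the binary given CAP_NET_RAW on a kernel with file capabilities) to see CapEff change.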
------------------------------
From: [EMAIL PROTECTED] (Scott)
Subject: ipfwadm message log question
Date: Tue, 24 Aug 1999 19:28:39 GMT
Reply-To: [EMAIL PROTECTED]
what does this mean?
Aug 23 21:33:36 ns1 kernel: IP fw-in rej eth1 TCP xxx.xxx.xxx.xxx:110
255.255.255.255:1040 L=44 S=0x00 I=59711 F=0x0040 T=63
The IP address was outside of my network. I have quite a lot of these
connections from various source IPs. Is this a legitimate request?
There are no other users who should be attempting a POP connection to
my machine but me.
also, does anyone have a good link to help interpret connection types?
thanks!
------------------------------
From: Tiberio, David <[EMAIL PROTECTED]>
Subject: Re: how do i connect 2 networks?
Date: Tue, 24 Aug 1999 12:41:29 -0700
While the reference you directed me to seems like it has
a lot of information, I still do not understand what to
do.
I have 2 networks, via 2 different DSL providers. I want the
machines to communicate with each other without having to
go out on the Internet.
Should I be building a bridge? Or a router? Or a gateway?
Can I just put 2 NICs in each machine, one for each network?
Someone told me just to put one NIC in each machine and
link them to a switch, and put both lines into the switch,
but obviously that didn't work.
These questions are not answered clearly by that document.
So what do I have to build?
I think I have a gateway working but I can't seem to route
traffic through it.
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>
>
>See The Linux Network Administrator's Guide, Chapter 5,
"Configuring
>TCP/IP Network"
>
>http://metalab.unc.edu/mdw/index.html#guide
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: Domingos Saraiva de Oliveira <[EMAIL PROTECTED]>
Subject: PPP+assyncronous mode+leased line
Date: Tue, 24 Aug 1999 21:21:58 -0400
Hi.
I have configured:

ISP LAN 200.195.5.0: routers (to the Internet), WWW server, RAS server,
email server, and the proxy server (Linux). From the proxy server, PPP
over asynchronous modems on a 128 Kbit/s leased line to the Linux box at
the school, whose LAN is 192.168.0.0 (15 PCs).

                        ISP side (proxy server, Linux)   School side (Linux box)
eth0 address            200.195.5.9  (LAN 200.195.5.0)   192.168.0.2  (LAN 192.168.0.0)
PPP address             200.195.5.35                     192.168.0.1

/etc/ppp/options.ttyS1  ISP side                         School side
                        crtscts                          idem
                        mru 1500                         idem
                        mtu 1500                         idem
                        passive                          idem
                        200.195.5.35:192.168.0.1         192.168.0.1:200.195.5.35
                        -chap                            default route
                        modem                            idem
                        -pap                             idem
                        persist                          idem
                        proxyarp

I had to add a static route on the proxy server (rc.local):
route add -net 192.168.0.0 255.255.255.0 ppp0

Then this link works fine. But when there is no class in the school
(the link is idle and only the Linux box is connected), the route for
the LAN disappears.
What is wrong ?
[]s,
Thanks...
Domingos Saraiva de Oliveira
[EMAIL PROTECTED]
Ouro Preto - Minas Gerais - Brasil
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: shutdown and remote users
Date: Tue, 24 Aug 1999 20:11:37 GMT
Is there some mechanism in shutdown or ssh that prevents a shutdown
issued from a remote user from taking effect?
I get a login on a remote linux machine through ssh. I mistakenly
issued "shutdown -r now" and sure enough, the " going down for reboot"
message appeared on my monitor and my session went dead. I waited a
short while, then pinged the remote machine successfully.
"Wonderful. The machine has come back up," I thought as I logged back
in through ssh. But I noticed previous manual entries in the routing
table that should have been destroyed by the reboot were mysteriously
still there. And uptime showed 13 days. A quick look at the man pages for
shutdown, ssh, and sshd didn't explain, but...
Is there some mechanism in either shutdown or ssh that limits the
power to shut down to local users only?
------------------------------
From: <[EMAIL PROTECTED]>
Subject: Re: Samba Peer to Peer?
Date: Tue, 24 Aug 1999 21:54:43 +0100
I think your post may well have been misunderstood?
You just want your Linux box which is replacing your
Win98 box to show in Network Neighbourhood.
Easy - Samba allows you to export Linux filesystems
to Windows using the SMB protocol (File and Printer Sharing
Service under Win95). This is easy to install. See
http://www.samba.org
You want to be able to use shared resources on your win95
box. You need smbmount. It may now come as part of the
samba package. If not it should not be hard to find
on Sunsite etc. (ftp://metalab.unc.edu)
To use a share called 'work' on your win95 box called
'win95' you would then type 'smbmount //win95/work /mnt/mountpoint'
changing the mount point etc.
Depending on your Win95 proxy, it should be as easy as changing
preferences in Netscape or your Linux web browser to gain access.
Check your browser documentation.
Hope this helps
Alex H
[EMAIL PROTECTED]
Chris Testa <[EMAIL PROTECTED]> wrote:
: I've had a peer-to-peer network set up between a Windows 95 and 98 machine
: for about a year. The 95 is in a room with a phone line, so we have been
: using that one to connect to the Internet, and then letting the 98 access the
: Internet through the network. Recently (Sunday) I installed Red Hat 6.0 on
: the machine with 98. My question is how should I go about setting up a
: network between Linux and 95 (peer to peer style), and then even dial into
: the Internet with the 95 and access it with Linux on the other system (like
: I have been doing with Windows 98)? From what I understand Samba seems to
: be what I need, but I'm confused as to how everything should work. I have
: found info on setting up Linux as a server, but nothing on a peer-to-peer
: between the two O/Ss. Thanks to anyone who can help me...
: --
: - Chris
------------------------------
From: "Dax" <[EMAIL PROTECTED]>
Subject: SSL problems bigtime ...
Date: Tue, 24 Aug 1999 13:43:31 -0700
HELP!! Stressed and frustrated. I have a hundred VirtHosts running on
apache on 6.0 ... life is good. I installed RH secure server 2.0 and it
blew out my regular httpd server and I cannot get it functioning at all.
The idea was to run a secure and non-secure server on the same machine, as
it says is the default. While I was waiting for the certificate I would
simply run the non-secure server. Should be no problem ...
WRONG. Httpd is blown out it seems and httpds won't even start.
Help is appreciated.
------------------------------
From: M O'Neill <[EMAIL PROTECTED]>
Subject: Re: 2nd NIC Problem
Date: Tue, 24 Aug 1999 18:04:35 -0700
On Tue, 17 Aug 1999, Mark Jablonski wrote:
{snip}
> I then decided to just go and get a cheap NE2000 card, program the
> eprom to a base address of 220 and the IRQ at 11. I made damn sure
> nothing else was using those resources to avoid conflicts as well. I
> then updated my /etc/conf.module file as follows:
>
> # /etc/conf.modules
> alias eth0 smc-ultra
> alias eth1 eexpress
> options ne io=220 irq=11
>
Since you changed cards to NE2000, try...
alias eth1 ne
#options ne io=0x220
#options ne irq=11
Sometimes the cards don't like you telling them both the io and irq, so try
the different options above. If the module is not compiled into the
kernel then there is no point in telling lilo to look for eth1.
Check out http://cesdis1.gsfc.nasa.gov/linux/drivers/
------------------------------
From: <[EMAIL PROTECTED]>
Subject: Re: Linux Webserver Security
Date: Tue, 24 Aug 1999 21:41:46 +0100
I know I'll get flamed for this, but my suggestion for
a server that is quick and tighter than a gnat's butt
would be FreeBSD! Sorry.
If you must use RedHat, there is bound to be a security
faq on RedHat's site!
Hope this helps
Alex H
[EMAIL PROTECTED] (rm edy!)
[EMAIL PROTECTED] wrote:
: I am setting up a webserver for the first time.
: I have just installed Redhat Linux 6.0 onto a
: Dell Poweredge 1300 server and I need information
: on securing the server, anything from blocking
: unauthorized access to setting up SSL. I am
: using the most recent versions of Apache, Perl &
: MySQL. I would appreciate any information or
: point me in the right direction, as I want to
: make the security on this box tighter than a
: gnats butt.
: Thanks !
------------------------------
From: [EMAIL PROTECTED] (Peter Moore)
Crossposted-To: comp.os.linux.setup,linux.redhat.install
Subject: Re: How do you create a hard link?
Date: 24 Aug 1999 21:17:17 GMT
>Hard link will point to the original and will act as an original even when
>you delete hard link (when you delete it this will delete the original file
>as well!).
Not quite... The file contents are removed when the last hard link to them is
removed. I'm not sure what happens if the last hard link is removed and there
are still soft links... Check the man page for ln: man ln
------------------------------
From: Chris Mahmood <[EMAIL PROTECTED]>
Crossposted-To: redhat.networking.general
Subject: Re: RH 6 network error
Date: 24 Aug 1999 16:20:11 -0700
it could be lots of things. what's the output from 'route -n',
ifconfig? What does your /etc/hosts file look like?
-ckm
------------------------------
From: Chris Mahmood <[EMAIL PROTECTED]>
Subject: Re: ipfwadm message log question
Date: 24 Aug 1999 16:53:48 -0700
[EMAIL PROTECTED] (Scott) writes:
> what does this mean?
> Aug 23 21:33:36 ns1 kernel: IP fw-in rej eth1 TCP xxx.xxx.xxx.xxx:110
> 255.255.255.255:1040 L=44 S=0x00 I=59711 F=0x0040 T=63
>
> The IP address was outside of my network. I have quite a lot of these
> connections from various source IPs. Is this a legitimate request?
> There are no other users who should be attempting a POP connection to
> my machine but me.
If you don't know who they are then it's not legit. I'd be very
suspicious of anyone trying to connect to tcp/110--POP is a horrible
security hole. If you are using tcpwrappers you may want to try to
safe finger them to get a name.
-ckm
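For Scott's question and this reply: the first thing to pin down in an ipfwadm log line is which address is the source and which is the destination, because that decides whether the line is an inbound connection attempt to a local service or a stray reply that happened to arrive at the interface. The kernel logger writes the fields in a fixed order (chain, verdict, interface, protocol, source:port, destination:port, then L= total length, S= TOS, I= IP id, F= fragment word, T= TTL), so the line can be parsed mechanically and counted per source. The parser below is an added example for this digest, not code from either post. The log lines in it are constructed: the first two copy the shape and port numbers of the line Scott quoted with a documentation-range source address, the rest are invented to exercise the other labels, and the firewall's own eth1 address `LOCAL_HOST` is an assumption. The labels it assigns are triage hints, not verdicts.

```python
"""Parse ipfwadm kernel log lines and count them per source and label.

Added example for this digest, not code from either post.  Field order
follows the ipfwadm logger: chain, verdict, interface, protocol,
source:port, destination:port, L= length, S= TOS, I= IP id, F= fragment
word, T= TTL.  All log lines below are constructed.
"""
import re
from collections import Counter

LOCAL_HOST = "203.0.113.5"   # assumed: the firewall's own eth1 address

SAMPLE_LOG = """\
Aug 23 21:33:36 ns1 kernel: IP fw-in rej eth1 TCP 192.0.2.10:110 255.255.255.255:1040 L=44 S=0x00 I=59711 F=0x0040 T=63
Aug 23 21:33:40 ns1 kernel: IP fw-in rej eth1 TCP 192.0.2.10:110 255.255.255.255:1041 L=44 S=0x00 I=59720 F=0x0040 T=63
Aug 23 21:35:02 ns1 kernel: IP fw-in rej eth1 TCP 198.51.100.7:2301 203.0.113.5:110 L=60 S=0x00 I=4412 F=0x4000 T=51
Aug 23 21:35:03 ns1 kernel: IP fw-in rej eth1 TCP 198.51.100.7:2302 203.0.113.5:23 L=60 S=0x00 I=4413 F=0x4000 T=51
Aug 23 21:36:10 ns1 kernel: IP fw-in deny eth1 UDP 198.51.100.9:53 203.0.113.5:1025 L=80 S=0x00 I=9 F=0x0000 T=240
"""

LINE_RE = re.compile(
    r"IP fw-(?P<chain>in|out|fwd) (?P<verdict>acc|rej|deny) (?P<iface>\S+) "
    r"(?P<proto>\S+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)


def parse_line(line):
    """Return a dict of the logged fields, or None if the line is not an ipfwadm entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    return rec


def classify(rec, local_host):
    """Heuristic label for one logged packet (a triage hint, not proof of intent)."""
    if rec["dst"] == "255.255.255.255":
        return "to-broadcast"                      # not addressed to this host at all
    if rec["dst"] == local_host and rec["dport"] < 1024:
        return "to-local-service:%d" % rec["dport"]   # someone knocking on a service port here
    if rec["sport"] < 1024 and rec["dport"] >= 1024:
        return "reply-from-remote-service:%d" % rec["sport"]   # shaped like a reply, not a new connection
    return "other"


def triage(log_text, local_host):
    """Count packets per (source address, label); also count lines that did not parse."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[(rec["src"], classify(rec, local_host))] += 1
    return counts, unparsed


if __name__ == "__main__":
    counts, unparsed = triage(SAMPLE_LOG, LOCAL_HOST)
    for (src, label), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("%-16s %-32s %d" % (src, label, n))
    print("unparsed lines:", unparsed)
```

Feed it `grep 'IP fw-' /var/log/messages` with `LOCAL_HOST` set to the address of the logging interface; sources that keep showing up under `to-local-service:110` are the ones to look at, and that is also where `safe_finger` from tcp_wrappers, as the reply suggests, would be pointed.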
------------------------------
From: Chris Mahmood <[EMAIL PROTECTED]>
Subject: Re: Using NS Communicator to read local mail.
Date: 24 Aug 1999 16:48:33 -0700
Walter Francis <[EMAIL PROTECTED]> writes:
> Reason? I am on a dialup line, controlled by diald. I can create a
> cronfile to see if I'm online, if so fire off fetchmail. Otherwise,
> don't.. So if I'm online I check mail every 10 minutes, if I'm offline
> it doesn't try to connect.
Blech! use your ip-up and ip-down scripts to start and stop the
fetchmail daemon and run sendmail in 'expensive' so the outgoing mail
gets queued.
-ckm
------------------------------
From: "Kalkas" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.hardware,comp.os.linux.misc
Subject: Re: 3com ISA cards and linux
Date: Tue, 24 Aug 1999 23:21:53 +0200
Stephen R. Savitzky <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Kalkas" <[EMAIL PROTECTED]> writes:
>
> > Stephen R. Savitzky <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > "Kalkas" <[EMAIL PROTECTED]> writes:
> > >
> > Thanks Steve!
> > That was good news indeed!
> >
> > I also assume now that Linux should support my monitor and my audio
> > card. My audio card is Creative Sound Blaster PCI 128, and my monitor is MAG
> > InnoVision DX15F. Am I correct in my assumption?
>
> I understand that the SB PCI128 is supported; I remember seeing
> something to that effect on one of the newsgroups recently. (I'm
> usually too lazy to get sound working, myself.)
>
> I have a MAG monitor of some sort, but in general there's no problem
> with monitors. One suggestion: track down your monitor's specifications
> before trying to configure X. You'll want to know the horizontal and
> vertical frequency limits so that X can set timings that don't fry the
> monitor (it's happened to me). If you don't have the information,
> specifying your monitor as a "generic multisync" usually works with
> anything that's not too old.
Steve,
Thanks for your answer!
Every help I get is valuable:)
Sincerely yours,
Kalkas
------------------------------
From: Bernd Eckenfels <[EMAIL PROTECTED]>
Subject: Re: Help.... Selectively disabling Masq
Date: 24 Aug 1999 21:27:57 GMT
Chris Anderson <[EMAIL PROTECTED]> wrote:
> target prot opt source destination ports
> MASQ all ------ 192.168.88.0/24 !192.168.88.0/24 n/a
Can you please send us all the chains?
Greetings
Bernd
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: ipchains -P forward DENY ?
Date: Wed, 25 Aug 1999 00:49:17 GMT
I got it! Thanks Bob.
------------------------------
From: Chris Mahmood <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.advocacy,comp.os.linux.help,comp.os.linux.setup
Subject: Re: Linux Cookbook Project Officially begins!
Date: 24 Aug 1999 16:45:26 -0700
[EMAIL PROTECTED] (Douglas Bollinger) writes:
> W.A. Scheer at [EMAIL PROTECTED] says...
>
> As a relative Linux newbie myself, I found it much easier to do
> things with the command line interface, especially when setting up
> things like IP Chains and such.
Bravo! I'm getting really tired of trying to answer questions like "I
tried to setup my PPP connection with kppp and it gave me an
error!"
The most useful Linux book I have is a Solaris Sys Admin book.
-ckm
------------------------------
From: Chris Mahmood <[EMAIL PROTECTED]>
Subject: Re: named configuration.
Date: 24 Aug 1999 16:34:07 -0700
Stephen Torri <[EMAIL PROTECTED]> writes:
> *** Can't find server name for address 127.0.0.1: No response from
> server
> *** Can't find server name for address 10.0.0.6: No response from server
> *** Default servers are not available
>
> I'm using bind for the DNS server. Where should the configuration files
> be? I have them presently in /var/log/named.
named isn't running (try 'ps aux | fgrep named'). You need to make
sure it starts at boot by adding symlinks to /etc/rc.d/rc[2,3].d (or
however your distro. does it) from /etc/rc.d/named.
Read the DNS howto, it's very well written.
-ckm
------------------------------
From: Chris Mahmood <[EMAIL PROTECTED]>
Subject: Re: how do i connect 2 networks?
Date: 24 Aug 1999 16:58:43 -0700
Tiberio, David <[EMAIL PROTECTED]> writes:
> should I be building a bridge? or a router? or a gateway?
those are pretty much synonymous.
> can I just put 2 nics in each machine, one for each network?
> someone told me just to put one nic in each machine and
> link them to a switch, and put both lines into the switch,
> but obviously that didn't work.
I'd recommend you pick up a good Unix (or Linux) networking book and
read the URL that dmorgan suggested.
-ckm
------------------------------
From: Robert S <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.help,comp.os.linux.network,linux.redhat.misc
Subject: Re: Help: telnet slow on dual homed host
Date: Mon, 23 Aug 1999 18:59:34 -0500
[EMAIL PROTECTED] wrote:
> >
> > I have configured a Linux (RH 6.0) dual homed host. However
> > telnet to eth1 is deadly slow. It takes almost a few minutes
> > before I have a connection.
> >
>
> Sounds like the symptoms of a name resolution problem. Post your
> network specifics.
>
> rick
I had a similar problem. When I added to my hosts file, the problem
disappeared. DNS should work too.
------------------------------
From: Greg Leblanc <[EMAIL PROTECTED]>
Crossposted-To: linux.redhat.install,linux.redhat.misc
Subject: Machine with ONLY web browser?
Date: Wed, 25 Aug 1999 01:02:19 GMT
I have a number of public computers which are connected to our
university network. I would like to make them into strictly email
machines, running Linux. The email access is through a web browser.
They should also have access to our Intranet page. What I would like to
do is have the machines boot into X (without logging in, if possible),
without a window manager running. I'm not sure I can do that, because
we are using web access to our Microsoft Exchange server, and it spawns
other windows. Even if a window manager is running, that doesn't change
much. If a user quits Netscape (or other browser if somebody recommends
something else), it should either reboot the machine, or re-spawn
Netscape. Anybody know how to do this? Thanks,
Greg
--
It's pronounced "sexy" not "scuzzy"!
------------------------------
From: Bob_Deep <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup,linux.redhat.install
Subject: Re: How do you create a hard link?
Date: Tue, 24 Aug 1999 22:36:47 +0000
Peter Moore wrote:
> I'm not sure what what happens if the last hard link is removed and there
> are still soft links...
The file gets deleted and the softlink remains... though it points to
nothing.
--
-= Bob =-
Hey.. This is my mail and I charge for SPAM I receive...
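The two replies above together state the rule: a hard link is just another name for the same inode, the data goes away only when the last name is unlinked, and a symlink is a separate file holding a path, so it stays behind dangling when its target's last hard link is removed. The script below demonstrates both cases in a temporary directory; it is an added example for this digest, not code from the posts. The file names and contents are made up. The point matters for security as well as housekeeping: deleting a file does not remove its contents while another hard link to it exists, which is why, on kernels without the later `fs.protected_hardlinks` sysctl, an unprivileged user could keep a copy of a world-readable file alive after the owner removed it.

```python
"""Hard link versus symbolic link deletion semantics.

Added example for this digest, not code from the posts.  Runs in a
temporary directory (hard links need link and target on one filesystem)
and removes everything it created.
"""
import os
import tempfile


def hard_link_survives_unlink(workdir):
    """Make a file, hard-link it, delete the original name: the data stays reachable."""
    original = os.path.join(workdir, "original.txt")
    link = os.path.join(workdir, "hard.txt")
    with open(original, "w") as fh:
        fh.write("payload\n")
    os.link(original, link)
    nlink_after_link = os.stat(original).st_nlink          # 2: two names, one inode
    same_inode = os.stat(original).st_ino == os.stat(link).st_ino
    os.unlink(original)                                      # drops one name only
    with open(link) as fh:
        data = fh.read()                                     # contents still there
    nlink_after_unlink = os.stat(link).st_nlink              # 1: last remaining name
    os.unlink(link)                                          # now the data is gone
    return nlink_after_link, same_inode, data, nlink_after_unlink


def symlink_dangles_when_target_gone(workdir):
    """A symlink outlives its target's last hard link but then resolves to nothing."""
    target = os.path.join(workdir, "target.txt")
    sym = os.path.join(workdir, "soft.txt")
    with open(target, "w") as fh:
        fh.write("payload\n")
    os.symlink(target, sym)
    os.unlink(target)                                        # last hard link removed
    still_a_link = os.path.islink(sym)                       # True: the link entry itself remains
    resolves = os.path.exists(sym)                           # False: exists() follows the link
    try:
        open(sym).close()
        opened = True
    except OSError:                                          # ENOENT: dangling
        opened = False
    os.unlink(sym)
    return still_a_link, resolves, opened


def demo():
    """Run both scenarios in a throwaway directory and return their observations."""
    with tempfile.TemporaryDirectory() as workdir:
        return hard_link_survives_unlink(workdir), symlink_dangles_when_target_gone(workdir)


if __name__ == "__main__":
    hard, soft = demo()
    print("hard link: nlink after link=%d, same inode=%s, data after unlink=%r, nlink left=%d" % hard)
    print("symlink:   islink=%s, exists=%s, open succeeded=%s" % soft)
```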
------------------------------
From: [EMAIL PROTECTED] (Nick Rout)
Subject: Re: Linux IP router
Date: Wed, 25 Aug 1999 13:09:37 +1200
The Linux Router Project (www.linuxrouter.org) It is a single floppy
based router system with all sorts of uses. There is a chart on the home
page showing typical configs :)
In article
<[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> "Ying Q. Li" wrote:
> >
> > Hello, all, I would like to configure a Linux IP router to connect two
> > subnets. Does anyone have detailed instructions on how to do that, or any useful
> > links? There is no specific router-related HOWTO available. Thanks in
> > advance.
> > Li
>
> I can't agree. There is a mini HowTo named IP-Subnetworking.
>
> CU Thomas
>
------------------------------
From: Tkrin <[EMAIL PROTECTED]>
Subject: Getting Netware 4.x user passwords migrated to /etc/passwd file?
Date: Wed, 25 Aug 1999 01:55:01 +0000
Reply-To: [EMAIL PROTECTED]
Is it possible to extract users and passwords from a Netware 4.x server
to create a passwd file? I do not care if I can see the passwords, I
just want to convert them. I am installing a samba server, and want to
setup users in the easiest manner available.
--
===============================
Dan Hill
Manager of Information Services
Metaullics Systems Co. LP
31935 Aurora Road
Solon, OH 44139
440-349-8800
[EMAIL PROTECTED]
===============================
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************