RE: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
I have used openwrt, but not a recent version of it. I have been using Ubiquiti EdgeRouters running the stock EdgeOS. Very solid routers. I even have one sitting up in a tree in a Tupperware container in the snowy mountains! I recently discovered that EdgeOS is based on Debian and you can install Debian packages on them.

Michael Grant
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
On Mon, 8 Feb 2021 16:42:40 -0500 Dan Ritter wrote:

> Celejar wrote:
>
> > > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> >
> > My understanding - please correct me if I'm wrong - is that with those types of cards, the ports are distinct and aren't actually switched in hardware, so switching occurs at the OS / kernel level. I don't know how much of a load this puts on the system in practice, but my understanding is that it's certainly not an ideal way to design a switch.
>
> Modern processors -- even the ones 5 years old -- are really fast.
>
> Linux bridging (switching) is very efficient.

Fair enough.

> Is it "ideal"? No. But given that you want one device which acts as a WAP, router, firewall and switch, it should perform quite well. If you hate the idea of doing that, though, an 8-port gigabit switch is about the same price as a used 4-port gigabit NIC. Not as flexible, though.
>
> > > desktop sitting around with 2GB or more RAM and 3 available PCIe slots, you can use it as a WAP and have nine switched/routed gigabit ports, counting one on the motherboard. If you only need 5 ports, you only need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> >
> > My understanding, although I could not find solid documentation of this, is that consumer wireless chipsets designed for client use don't make particularly performant APs. They'll work, but purpose built APs will perform much better, especially with their AP optimized antennas. I don't really know if this is true, though, and to what extent it's an issue, if it really is one.
>
> Oh, no, this is a myth. The $20-150 consumer wifi routers use the same wifi interface chips as good PCIe cards, for the most part. OpenWRT is actually a great source of information on these.
>
> Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3 antenna MIMO on a consumer router, you should get equivalent range and performance.

Thanks. I'd love to see actual tests comparing performance of wireless APs (consumer, enterprise, and DIY ones like we're discussing), but they seem very hard to come by.

> > And the power usage on a five year old desktop (which I don't actually have) will be much higher than a purpose-built AIO AP / switch / router.
>
> That can be true. But then, the desktop can also be your server for a bunch of other things that, perhaps, you were going to run.

Fair enough. I'm currently using an old R210 ii as my server, so I'm not one to talk ;) I suppose it might be fun to see if I can fit a modern AX200 based PCIe (perhaps a low profile one) into it and see how it performs as an AP / router ...

> > But again, I don't really disagree. If I had the hardware lying around, and I determined that the power consumption wasn't a factor, it would certainly be tempting to consider this route.
>
> Everything is a tradeoff.

Yes.

Celejar
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
Celejar wrote:

> > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
>
> My understanding - please correct me if I'm wrong - is that with those types of cards, the ports are distinct and aren't actually switched in hardware, so switching occurs at the OS / kernel level. I don't know how much of a load this puts on the system in practice, but my understanding is that it's certainly not an ideal way to design a switch.

Modern processors -- even the ones 5 years old -- are really fast.

Linux bridging (switching) is very efficient.

Is it "ideal"? No. But given that you want one device which acts as a WAP, router, firewall and switch, it should perform quite well. If you hate the idea of doing that, though, an 8-port gigabit switch is about the same price as a used 4-port gigabit NIC. Not as flexible, though.

> > desktop sitting around with 2GB or more RAM and 3 available PCIe slots, you can use it as a WAP and have nine switched/routed gigabit ports, counting one on the motherboard. If you only need 5 ports, you only need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
>
> My understanding, although I could not find solid documentation of this, is that consumer wireless chipsets designed for client use don't make particularly performant APs. They'll work, but purpose built APs will perform much better, especially with their AP optimized antennas. I don't really know if this is true, though, and to what extent it's an issue, if it really is one.

Oh, no, this is a myth. The $20-150 consumer wifi routers use the same wifi interface chips as good PCIe cards, for the most part. OpenWRT is actually a great source of information on these.

Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3 antenna MIMO on a consumer router, you should get equivalent range and performance.

> And the power usage on a five year old desktop (which I don't actually have) will be much higher than a purpose-built AIO AP / switch / router.

That can be true. But then, the desktop can also be your server for a bunch of other things that, perhaps, you were going to run.

> But again, I don't really disagree. If I had the hardware lying around, and I determined that the power consumption wasn't a factor, it would certainly be tempting to consider this route.

Everything is a tradeoff.

-dsr-
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
On Mon, 8 Feb 2021 11:03:35 -0500 Dan Ritter wrote:

> Celejar wrote:
>
> > > I can be glad that OpenWRT has improved their security practices and simultaneously not be interested in using it.
> >
> > I think we are really in basic agreement. The reason I use OpenWRT is that I use a residential all-in-one WAP / switch / router, which Debian is unsuitable for. If I ever go the separate WAP / switch / router route, I'll probably use Debian on the router for the reasons you give: good support, a system I'm familiar with, etc.
>
> Debian works well in this situation. You just need to arrange for enough NIC ports to meet your needs.
>
> If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old

My understanding - please correct me if I'm wrong - is that with those types of cards, the ports are distinct and aren't actually switched in hardware, so switching occurs at the OS / kernel level. I don't know how much of a load this puts on the system in practice, but my understanding is that it's certainly not an ideal way to design a switch.

> desktop sitting around with 2GB or more RAM and 3 available PCIe slots, you can use it as a WAP and have nine switched/routed gigabit ports, counting one on the motherboard. If you only need 5 ports, you only need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

My understanding, although I could not find solid documentation of this, is that consumer wireless chipsets designed for client use don't make particularly performant APs. They'll work, but purpose built APs will perform much better, especially with their AP optimized antennas. I don't really know if this is true, though, and to what extent it's an issue, if it really is one.

And the power usage on a five year old desktop (which I don't actually have) will be much higher than a purpose-built AIO AP / switch / router.

> Debian has hostapd and dnsmasq packages.

But again, I don't really disagree. If I had the hardware lying around, and I determined that the power consumption wasn't a factor, it would certainly be tempting to consider this route.

Celejar
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
> I think we are really in basic agreement. The reason I use OpenWRT is that I use a residential all-in-one WAP / switch / router, which Debian is unsuitable for. If I ever go the separate WAP / switch / router route, I'll probably use Debian on the router for the reasons you give: good support, a system I'm familiar with, etc.

Here's a related datapoint:

For a couple years, I have used a Pi box as router+WAP, running Debian (after having used "home routers" running OpenWRT for many years before that). I was quite happy with it software side (a bit less convenient to configure than OpenWRT for the WAP part, but largely makes up for it for the ease with which I could add auxiliary services and the convenience of using the same OS as I use on all my other machines), but I was unable to make it provide a good enough wireless signal to cover my apartment.

So I switched to a box dedicated to WAP+router (BT HomeHub, in my case https://openwrt.org/toh/bt/homehub_v5a), whose hardware is too limited to run Debian.

IOW the problem for me was to find hardware which is low-power enough to have it "always on" yet whose wifi interface is good enough to cover my apartment: these thingies seem to be much more often able to run OpenWRT than to run Debian :-(

W.r.t security, an important advantage of Debian is that upgrades are much easier and smoother (so much so that they can be fully automatic) than in OpenWRT. But I'm a very happy user of OpenWRT (and have been for many many years).

Stefan

PS: Another reason I went with the BT HomeHub is that it includes the modem (and that this modem is supported by OpenWRT, tho with a proprietary firmware), so it saves me having to have yet another box in that corner (I still have the Pi there since the HomeHub is not well suited to provide some of those services, which require a largish storage which I'd rather not connect via USB).
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
Celejar wrote:

> > I can be glad that OpenWRT has improved their security practices and simultaneously not be interested in using it.
>
> I think we are really in basic agreement. The reason I use OpenWRT is that I use a residential all-in-one WAP / switch / router, which Debian is unsuitable for. If I ever go the separate WAP / switch / router route, I'll probably use Debian on the router for the reasons you give: good support, a system I'm familiar with, etc.

Debian works well in this situation. You just need to arrange for enough NIC ports to meet your needs.

If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old desktop sitting around with 2GB or more RAM and 3 available PCIe slots, you can use it as a WAP and have nine switched/routed gigabit ports, counting one on the motherboard. If you only need 5 ports, you only need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

Debian has hostapd and dnsmasq packages.

-dsr-
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
On Mon, 8 Feb 2021 09:57:13 -0500 Dan Ritter wrote:

> Celejar wrote:
>
> > On Mon, 8 Feb 2021 08:36:34 -0500 Dan Ritter wrote:
> >
> > > OpenWRT's security process doesn't look as terrible as it used to be, but it doesn't really look good right now, just trying to be better.
> >
> > Again, let's look at specific examples of vulnerabilities present in both OpenWRT and Debian, and compare the projects' responses. I gave you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities was issued about two weeks before Debian's.
> >
> > You feel that OpenWRT's security process "doesn't look good." Based on what? Can you provide a vulnerability that affects their software that they dropped the ball on?
>
> No, thanks. I don't need to poke at OpenWRT any further.
>
> I already have a Debian firewall that has had good security support from Debian since 2014; I see no reason not to continue using it until the hardware fails. At that point, I will buy another relatively small fully supported Debian box, and carry on. Among other benefits, it means that all the machines at home have the same procedures and can be used as testbeds for each other. E.g. the music-playing machine in the living room is now testing out Bullseye.
>
> I can be glad that OpenWRT has improved their security practices and simultaneously not be interested in using it.

I think we are really in basic agreement. The reason I use OpenWRT is that I use a residential all-in-one WAP / switch / router, which Debian is unsuitable for. If I ever go the separate WAP / switch / router route, I'll probably use Debian on the router for the reasons you give: good support, a system I'm familiar with, etc.

Celejar
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
Celejar wrote:

> On Mon, 8 Feb 2021 08:36:34 -0500 Dan Ritter wrote:
>
> > OpenWRT's security process doesn't look as terrible as it used to be, but it doesn't really look good right now, just trying to be better.
>
> Again, let's look at specific examples of vulnerabilities present in both OpenWRT and Debian, and compare the projects' responses. I gave you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities was issued about two weeks before Debian's.
>
> You feel that OpenWRT's security process "doesn't look good." Based on what? Can you provide a vulnerability that affects their software that they dropped the ball on?

No, thanks. I don't need to poke at OpenWRT any further.

I already have a Debian firewall that has had good security support from Debian since 2014; I see no reason not to continue using it until the hardware fails. At that point, I will buy another relatively small fully supported Debian box, and carry on. Among other benefits, it means that all the machines at home have the same procedures and can be used as testbeds for each other. E.g. the music-playing machine in the living room is now testing out Bullseye.

I can be glad that OpenWRT has improved their security practices and simultaneously not be interested in using it.

-dsr-
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
On Mon, 8 Feb 2021 08:36:34 -0500 Dan Ritter wrote:

> Celejar wrote:
>
> > On Mon, 8 Feb 2021 06:41:23 -0500 Dan Ritter wrote:
> >
> > > Gregory Seidman wrote:
> > > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> > > > ...
> > >
> > > Debian gets security updates in a timely manner (for stable).
> > >
> > > How's OpenWRT's security team?
> >
> > I'm not sure if this is a genuine question or a rhetorical one (sorry - tone doesn't always come across well in email), but OpenWRT does have a security process, with advisories, bug fixes, etc.:
>
> Semi-rhetorical: my experience with OpenWRT and ddWRT is that once a device is installed, it never gets an upgrade. I'd be happy to learn otherwise.

Rejoice, then! If you choose never to upgrade, that's your choice, but the project releases point releases every couple of months or so, and new major versions every year or two:

https://downloads.openwrt.org/releases/

> > https://openwrt.org/docs/guide-developer/security
> >
> > I suspect the process may not be as good as Debian's, but they do fix at least some serious bugs fairly quickly. E.g., if I'm reading the following pages correctly, the Debian DSAs for the recent serious set of dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its Security Advisory on Jan. 19:
>
> That page lists 15 advisories over the last 3 years -- let's say 2 years, since this year is just beginning. Four of those advisories are for OpenWRT-only problems.
>
> In the 2 months of 2021, so far, Debian's security team has issued 28 notices. Let's discount the desktop software -- that's 8 of them, by my count -- because nobody runs desktop software on a router.

I think this is a misleading comparison. It's not just a question of desktop software - Debian includes vastly more software in general, for which the security team is responsible, than OpenWRT does.

Debian proudly announces that it comes with "more than 59000 packages":

https://www.debian.org/intro/about

OpenWRT includes merely "several thousand packages" (I can't find an exact number):

https://openwrt.org/packages/start

So of course Debian is going to have more SAs.

> OpenWRT's security process doesn't look as terrible as it used to be, but it doesn't really look good right now, just trying to be better.

Again, let's look at specific examples of vulnerabilities present in both OpenWRT and Debian, and compare the projects' responses. I gave you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities was issued about two weeks before Debian's.

You feel that OpenWRT's security process "doesn't look good." Based on what? Can you provide a vulnerability that affects their software that they dropped the ball on?

> This probably doesn't matter much if you just want a WAP inside your house, but I feel confirmed that Debian is still a much better choice for an Internet-facing router/firewall.

Celejar
Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
Celejar wrote:

> On Mon, 8 Feb 2021 06:41:23 -0500 Dan Ritter wrote:
>
> > Gregory Seidman wrote:
> > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> > > ...
> >
> > Debian gets security updates in a timely manner (for stable).
> >
> > How's OpenWRT's security team?
>
> I'm not sure if this is a genuine question or a rhetorical one (sorry - tone doesn't always come across well in email), but OpenWRT does have a security process, with advisories, bug fixes, etc.:

Semi-rhetorical: my experience with OpenWRT and ddWRT is that once a device is installed, it never gets an upgrade. I'd be happy to learn otherwise.

> https://openwrt.org/docs/guide-developer/security
>
> I suspect the process may not be as good as Debian's, but they do fix at least some serious bugs fairly quickly. E.g., if I'm reading the following pages correctly, the Debian DSAs for the recent serious set of dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its Security Advisory on Jan. 19:

That page lists 15 advisories over the last 3 years -- let's say 2 years, since this year is just beginning. Four of those advisories are for OpenWRT-only problems.

In the 2 months of 2021, so far, Debian's security team has issued 28 notices. Let's discount the desktop software -- that's 8 of them, by my count -- because nobody runs desktop software on a router.

OpenWRT's security process doesn't look as terrible as it used to be, but it doesn't really look good right now, just trying to be better.

This probably doesn't matter much if you just want a WAP inside your house, but I feel confirmed that Debian is still a much better choice for an Internet-facing router/firewall.

-dsr-
Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?
On Mon, 8 Feb 2021 06:41:23 -0500 Dan Ritter wrote:

> Gregory Seidman wrote:
> > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> > ...
>
> Debian gets security updates in a timely manner (for stable).
>
> How's OpenWRT's security team?

I'm not sure if this is a genuine question or a rhetorical one (sorry - tone doesn't always come across well in email), but OpenWRT does have a security process, with advisories, bug fixes, etc.:

https://openwrt.org/docs/guide-developer/security

I suspect the process may not be as good as Debian's, but they do fix at least some serious bugs fairly quickly. E.g., if I'm reading the following pages correctly, the Debian DSAs for the recent serious set of dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its Security Advisory on Jan. 19:

https://www.debian.org/security/2021/dsa-4844
https://lists.debian.org/debian-security-announce/2021/msg00026.html
https://openwrt.org/advisory/2021-01-19-1

Celejar
Re: Linux router AP with reserved IPs on wlan0?
Gregory Seidman wrote:

> If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on a variety of router hardware, but also PCs:
> https://openwrt.org/docs/guide-user/installation/openwrt_x86
>
> Importantly, it uses UCI <https://openwrt.org/docs/guide-user/base-system/uci> for configuration of switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which substantially simplifies handling the issues you are encountering. Its web interface (luci) works directly with the UCI config files, so it's easy to switch between editing a file and working in the web UI.

Debian gets security updates in a timely manner (for stable).

How's OpenWRT's security team?

-dsr-
Re: Linux router AP with reserved IPs on wlan0?
If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on a variety of router hardware, but also PCs:
https://openwrt.org/docs/guide-user/installation/openwrt_x86

Importantly, it uses UCI <https://openwrt.org/docs/guide-user/base-system/uci> for configuration of switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which substantially simplifies handling the issues you are encountering. Its web interface (luci) works directly with the UCI config files, so it's easy to switch between editing a file and working in the web UI.

--Gregory

On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
>
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.
>
> Am I correct in my assumption?
>
> Thanks,
>
> John
>
> --
>
> John Conover, cono...@rahul.net, http://www.johncon.com/
Re: Linux router AP with reserved IPs on wlan0?
Tixy writes:

> On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> > Stefan Monnier writes:
> > > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
> > > >
> > > > After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.
> > >
> > > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been perfectly sufficient so far and it lets you specify fixed IPs based on MACs by simply putting those in the `/etc/ethers` file.
> >
> > Thank you, Stefan.
> >
> > Works like a charm. The syntax of /etc/ethers is ':' delimited MAC address, followed by a space delimiter, followed by the IPv4 IP address, per IP reservation. That IP address must also be in /etc/hosts.
>
> I didn't know about /etc/ethers, on my system I allocate fixed IP addresses and hostnames by adding lines to dnsmasq.conf like
>
> dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time
>
> I guess there's more than one way to skin this cat.

Hi Tixy.

For the archives, the documentation to configuration of dnsmasq(1) is in /etc/dnsmasq.conf, the dnsmasq configuration file. It is verbose, and there are many options. Read thoroughly.

It is a very impressive accomplishment, and works well, and is fairly easy to get working, (once familiar with the configuration file.)

As a closing note, the DHCP/DNS services, (for wlan0,) are configured in the /etc/dnsmasq.conf file, *_NOT_* /etc/dhcpcd.conf, which is the usual alternative. (This is where I went astray - I mean the name is dnsmasq, probably meaning it is something to do with dns, duh.)

Thanks to all,

John

--

John Conover, cono...@rahul.net, http://www.johncon.com/
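The thread above settles on two equivalent ways to pin a MAC address to an IP under dnsmasq: an `/etc/ethers` line (with the IP also named in `/etc/hosts`, as John notes) or a `dhcp-host=MAC,IP,Hostname,Lease` line in `dnsmasq.conf` (Tixy's form). The checker below is an added example written for this page, not code from any poster; it parses both forms, flags the mistakes that quietly break reservations (a malformed MAC, an ethers IP with no `/etc/hosts` name, one MAC reserved to two IPs across the two files, one IP handed to two MACs), and renders ethers entries as the equivalent `dhcp-host=` lines. It assumes the four-field order Tixy gave for `dhcp-host=`, and the sample files at the bottom are constructed, not anyone's real network.

```python
"""Cross-check static DHCP reservations for a dnsmasq-based Linux AP.

Hypothetical checker for the /etc/ethers and dhcp-host= forms discussed
in the thread above. Sample inputs are constructed for the example.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _lines(text):
    """Yield (lineno, content) with '#' comments and blank lines removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def parse_ethers(text):
    """Parse /etc/ethers ('MAC IP' per line). Returns (entries, problems)."""
    entries, problems = [], []
    for lineno, line in _lines(text):
        parts = line.split()
        if len(parts) != 2:
            problems.append(f"ethers:{lineno}: expected 'MAC IP', got {line!r}")
            continue
        mac, ip = parts
        if not MAC_RE.match(mac):
            problems.append(f"ethers:{lineno}: bad MAC {mac!r}")
            continue
        try:
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            problems.append(f"ethers:{lineno}: bad IPv4 address {ip!r}")
            continue
        entries.append((mac.lower(), ip))
    return entries, problems


def parse_hosts(text):
    """Parse /etc/hosts into {ip: [names]}."""
    hosts = {}
    for _, line in _lines(text):
        ip, *names = line.split()
        hosts.setdefault(ip, []).extend(names)
    return hosts


def parse_dhcp_hosts(conf):
    """Parse 'dhcp-host=MAC,IP,Hostname,Lease' lines (field order assumed)."""
    entries = []
    for _, line in _lines(conf):
        if not line.startswith("dhcp-host="):
            continue
        fields = line[len("dhcp-host="):].split(",")
        fields += [None] * (4 - len(fields))
        mac, ip, name, lease = fields[:4]
        entries.append({"mac": mac.lower(), "ip": ip, "name": name, "lease": lease})
    return entries


def check_reservations(ethers_text, hosts_text, dnsmasq_conf):
    """Return human-readable findings; an empty list means the files agree."""
    ethers, findings = parse_ethers(ethers_text)
    hosts = parse_hosts(hosts_text)
    dhcp_hosts = parse_dhcp_hosts(dnsmasq_conf)
    # 1. every /etc/ethers IP should carry a name in /etc/hosts (John's note)
    for mac, ip in ethers:
        if ip not in hosts:
            findings.append(f"{ip} (for {mac}) has no /etc/hosts entry")
    # 2. one MAC must not be reserved to two different IPs across both files
    by_mac, by_ip = {}, {}
    for mac, ip in ethers + [(h["mac"], h["ip"]) for h in dhcp_hosts]:
        by_mac.setdefault(mac, set()).add(ip)
        by_ip.setdefault(ip, set()).add(mac)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} reserved to several IPs: {sorted(ips)}")
    # 3. one IP must not be promised to two different MACs
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            findings.append(f"{ip} reserved to several MACs: {sorted(macs)}")
    return findings


def ethers_to_dhcp_host(ethers_text, hosts_text, lease="infinite"):
    """Render valid /etc/ethers entries as equivalent dnsmasq dhcp-host= lines."""
    ethers, _ = parse_ethers(ethers_text)
    hosts = parse_hosts(hosts_text)
    out = []
    for mac, ip in ethers:
        name = hosts.get(ip, [None])[0]
        fields = [mac, ip] + ([name] if name else []) + [lease]
        out.append("dhcp-host=" + ",".join(fields))
    return out


# Constructed sample files (not a real network); line 3 of ethers is deliberately broken
SAMPLE_ETHERS = "aa:bb:cc:dd:ee:01 192.168.10.20\naa:bb:cc:dd:ee:02 192.168.10.21\nnot-a-mac 192.168.10.22\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.10.20 laptop laptop.lan\n"
SAMPLE_DNSMASQ = (
    "dhcp-range=192.168.10.100,192.168.10.200,12h\n"
    "dhcp-host=aa:bb:cc:dd:ee:03,192.168.10.30,printer,infinite\n"
    "dhcp-host=AA:BB:CC:DD:EE:01,192.168.10.99,laptop2,24h\n"  # conflicts with ethers
)

if __name__ == "__main__":
    for finding in check_reservations(SAMPLE_ETHERS, SAMPLE_HOSTS, SAMPLE_DNSMASQ):
        print("FINDING:", finding)
    print("\n".join(ethers_to_dhcp_host(SAMPLE_ETHERS, SAMPLE_HOSTS)))
```

Run it against the real files by passing `open("/etc/ethers").read()` and friends to `check_reservations`; the conflict check matters because dnsmasq reads both sources, so a stale ethers line and a newer `dhcp-host=` line for the same MAC leave the client with whichever the daemon prefers rather than the one you meant.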
Re: Linux router AP with reserved IPs on wlan0?
On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> Stefan Monnier writes:
> > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
> > >
> > > After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.
> >
> > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been perfectly sufficient so far and it lets you specify fixed IPs based on MACs by simply putting those in the `/etc/ethers` file.
>
> Thank you, Stefan.
>
> Works like a charm. The syntax of /etc/ethers is ':' delimited MAC address, followed by a space delimiter, followed by the IPv4 IP address, per IP reservation. That IP address must also be in /etc/hosts.

I didn't know about /etc/ethers, on my system I allocate fixed IP addresses and hostnames by adding lines to dnsmasq.conf like

dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time

I guess there's more than one way to skin this cat.

--
Tixy
Re: Linux router AP with reserved IPs on wlan0?
Stefan Monnier writes:
> > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
> >
> > After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.
>
> I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been perfectly sufficient so far and it lets you specify fixed IPs based on MACs by simply putting those in the `/etc/ethers` file.

Thank you, Stefan.

Works like a charm. The syntax of /etc/ethers is ':' delimited MAC address, followed by a space delimiter, followed by the IPv4 IP address, per IP reservation. That IP address must also be in /etc/hosts.

John

--

John Conover, cono...@rahul.net, http://www.johncon.com/
Re: Linux router AP with reserved IPs on wlan0?
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.

I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been perfectly sufficient so far and it lets you specify fixed IPs based on MACs by simply putting those in the `/etc/ethers` file.

Stefan
Re: Linux router AP with reserved IPs on wlan0?
John Conover wrote:
>
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.

host conoverlaptop {
  hardware ethernet 00:14:d3:11:22:32;
  fixed-address 192.168.0.20;
}
Re: Linux router AP with reserved IPs on wlan0?
On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
>
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.
>
> Am I correct in my assumption?

I think the jargon is "DHCP reservation" or thereabouts. Do these ([1], [2]) fit your quest?

And oh, BTW. Don't antagonize Google. They don't love you (besides, they don't make for good neighbours, but I digress). My search provider just gave me those results in exchange for a moderate amount of effort (~15 min).

Cheers :)

[1] https://servercomputing.blogspot.com/2012/02/reserve-ip-address-in-dhcp-server-linux.html
[2] https://askubuntu.com/questions/392599/how-to-reserve-ip-address-in-dhcp-server

- t
Linux router AP with reserved IPs on wlan0?
A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and works well with iptables, with one shortcoming.

After antagonizing the Google for hours, I can not find any way to add reserved IPs based on the MAC address of devices connected on wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight for a wireless AP.

Am I correct in my assumption?

Thanks,

John

--

John Conover, cono...@rahul.net, http://www.johncon.com/
Re: Linux router for an ISP with possible problems
On Fri, 09 Aug 2013 15:28:00 -0300, Mauro Antivero wrote:

> On 09/08/13 10:32, Camaleón wrote:
>
> (...)
>
> > Here is a very complete configuration for a Debian machine acting as a high-performance router (for an ISP):
> >
> > http://itservice-bg.net/?p=1122
>
> Sorry, the link doesn't work for me. Could it be wrong, or is it just a coincidence?

It loads fine for me. Try reaching the site from another connection (e.g., a UMTS modem) or through a proxy:

http://www.hidemyass.com/

If you still have problems, let me know and I'll send you the contents of the web page by private message.

Regards,

--
Camaleón

--
To UNSUBSCRIBE, email to debian-user-spanish-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/pan.2013.08.10.09.21...@gmail.com
Re: Linux router para ISP con posibles problemas
On 09/08/13 04:36, Mauro Antivero wrote:

> Dear all:
>
> At my workplace we have a Linux router (Debian Squeeze running on a Dell PowerEdge R210-II) through which all the traffic of the ISP's user network passes. The problem we are having is that, apparently, when the total traffic crossing the server reaches 550 Mbps it stalls, that is, it usually does not grow much beyond that value. This seems strange to us because, by our estimate, the traffic should be reaching about 650 Mbps.
>
> At the time we changed the value of:
>
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>
> because when the traffic reached about 200 Mbps it started to fall instead of rising, and with dmesg we got the following message:
>
> nf_conntrack: table full, dropping packet

Yes, there may be some other value at the /proc level that could be looked at, although off the top of my head I couldn't tell you which, but the ip_conntrack one was the one I also looked at back in the day.

> After that, on a much less powerful server than the current one, we had to play with the parameters of the network card (Intel Gigabit, I don't remember the exact model now) so that it could handle the interrupts, and we also had to set up bonding between two of those cards so it could handle all the traffic. On the server I am asking you about now it was not necessary to do bonding, but it was necessary to change the value of ip_conntrack_max.

Well, obviously you have to look at what traffic is being generated and how much the network card can take; in any case, with a machine acting as a corporate router, if you have an additional card I would set up bonding NO MATTER WHAT, not only for load balancing but also for high availability.

> The thing is that now, as I said, at first glance we are not having any of these problems, but we have the feeling that something is going on.
>
> So I wanted to ask you which parameters I should be looking at and monitoring to see whether we really have a problem on the server or not. One detail I think is very important is that sometimes, for no apparent reason, the network interface drops packets. But, as I said, although this shouldn't happen, it happens rarely.
>
> Here is the data for the interface through which the traffic comes in:
>
> ifconfig eth0
> eth0      Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
>           inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
>           TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
>           Interrupt:16 Memory:c000-c0012800
>
> I would greatly appreciate your comments and help in determining whether the problem is on the server or not. I hope I haven't left out any useful data; if anything is missing, let me know.

The ifconfig output doesn't show anything out of the ordinary; yes, there are dropped packets, but we don't even know the speed, whether it is at full duplex, TSO... anyway. The full output of ethtool, for example; there are many values that could have an influence. Look at what I pulled from mine...

/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout 600
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent2 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv 60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 432000
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait 60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait 120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close 10
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans 300
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose 1
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal 0
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans 3
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream 180
/proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout 30
/proc/sys/net/ipv4/netfilter/ip_conntrack_max 65536
/proc/sys/net/ipv4/netfilter/ip_conntrack_count 269
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets 16384
/proc/sys/net/ipv4/netfilter/ip_conntrack_checksum 1
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid 0

As you can see there are many variables, and of course I don't advise you to touch anything without knowing exactly what. A simple test you can
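The question Mauro asks, which parameters to watch, and the "table full, dropping packet" failure he already hit both come down to a few of the sysctls Alberto listed. The following is an added example, not code from anyone in this thread: it reads ip_conntrack_count, ip_conntrack_max and ip_conntrack_buckets (live from /proc, or from an offline snapshot built from Alberto's numbers) and reports how much headroom the table has, how long the hash chains get when it fills, and how many "table full" events a dmesg excerpt contains. The 80% warning ratio, the chain-length threshold of 8 and the dmesg timestamps are assumptions chosen for the example.

```python
"""Added example: monitor the netfilter conntrack table against the
'nf_conntrack: table full, dropping packet' condition from the thread."""
import re
from pathlib import Path

NF_BASE = "/proc/sys/net/ipv4/netfilter/"

# Offline snapshot constructed from the values Alberto posted (same paths).
SAMPLE_SYSCTLS = {
    NF_BASE + "ip_conntrack_max": 65536,
    NF_BASE + "ip_conntrack_count": 269,
    NF_BASE + "ip_conntrack_buckets": 16384,
    NF_BASE + "ip_conntrack_tcp_timeout_established": 432000,
}

# Constructed dmesg excerpt; the conntrack message text is the one Mauro quoted.
SAMPLE_DMESG = """\
[12345.678901] nf_conntrack: table full, dropping packet
[12345.679002] nf_conntrack: table full, dropping packet
[12346.000000] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
"""

TABLE_FULL_RE = re.compile(r"nf_conntrack: table full, dropping packet")


def read_sysctls(paths, snapshot=None):
    """Read integer sysctl values from /proc, or from a dict snapshot so the
    example runs offline (the snapshot path is an assumption of this example)."""
    if snapshot is not None:
        return {p: int(snapshot[p]) for p in paths}
    return {p: int(Path(p).read_text().strip()) for p in paths}


def conntrack_status(values, warn_ratio=0.8, max_chain=8):
    """Summarise table utilisation and return a verdict string."""
    maximum = values[NF_BASE + "ip_conntrack_max"]
    count = values[NF_BASE + "ip_conntrack_count"]
    buckets = values[NF_BASE + "ip_conntrack_buckets"]
    established = values[NF_BASE + "ip_conntrack_tcp_timeout_established"]
    utilisation = count / maximum
    # Average entries per hash bucket once the table is full: raising only
    # ip_conntrack_max (as Mauro did) lengthens these chains and slows lookups.
    chain_length = maximum / buckets
    verdict = "ok"
    if utilisation >= warn_ratio:
        verdict = "near full: raise ip_conntrack_max and/or shorten timeouts"
    elif chain_length > max_chain:
        verdict = "hash table small for ip_conntrack_max: raise the bucket count"
    return {
        "count": count,
        "max": maximum,
        "utilisation": utilisation,
        "chain_length": chain_length,
        # 432000 s is five days: idle flows stay in the table that long.
        "established_timeout_days": established / 86400,
        "verdict": verdict,
    }


def count_table_full(dmesg_text):
    """Count 'table full' drop events in a dmesg excerpt."""
    return sum(1 for line in dmesg_text.splitlines() if TABLE_FULL_RE.search(line))


if __name__ == "__main__":
    vals = read_sysctls(SAMPLE_SYSCTLS.keys(), snapshot=SAMPLE_SYSCTLS)
    print(conntrack_status(vals))
    print("table-full events in dmesg:", count_table_full(SAMPLE_DMESG))
```

Run without the snapshot argument on the router itself and the same function reads the live /proc files; on a newer kernel the paths live under /proc/sys/net/netfilter/nf_conntrack_* instead, so adjust NF_BASE accordingly.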
Re: Linux router for an ISP with possible problems
On 2013-08-09 09:34, Alberto wrote:

> On 09/08/13 04:36, Mauro Antivero wrote:
>
> (...)
>
>> After that, on a much less powerful server than the current one, we had to play with the parameters of the network card (Intel Gigabit, I don't remember the exact model now) so that it could handle the interrupts, and we also had to set up bonding between two of those cards so it could handle all the traffic. On the server I am asking you about now it was not necessary to do bonding, but it was necessary to change the value of ip_conntrack_max.
>
> Well, obviously you have to look at what traffic is being generated and how much the network card can take; in any case, with a machine acting as a corporate router, if you have an additional card I would set up bonding NO MATTER WHAT, not only for load balancing but also for high availability.

+1 on checking the throughput the network card delivers. You can use iperf for that, but of course, to get reliable values it should be done outside production.

>> The thing is that now, as I said, at first glance we are not having any of these problems, but we have the feeling that something is going on.
>>
>> So I wanted to ask you which parameters I should be looking at and monitoring to see whether we really have a problem on the server or not. One detail I think is very important is that sometimes, for no apparent reason, the network interface drops packets. But, as I said, although this shouldn't happen, it happens rarely.
>>
>> Here is the data for the interface through which the traffic comes in:
>>
>> ifconfig eth0
>> eth0      Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
>>           inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
>>           inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
>>           TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
>>           Interrupt:16 Memory:c000-c0012800
>>
>> I would greatly appreciate your comments and help in determining whether the problem is on the server or not. I hope I haven't left out any useful data; if anything is missing, let me know.
>
> The ifconfig output doesn't show anything out of the ordinary; yes, there are dropped packets, but we don't even know the speed, whether it is at full duplex, TSO... anyway.

In addition to what Alberto says, dropped packets can indicate saturation of the network interface [1]. So, if all the network interface settings are correct (ethtool, proc...), it is worth running load tests to rule that out as the cause.

[1] http://stackoverflow.com/questions/8987926/how-to-find-which-packets-got-dropped

Salut,
jors
Re: Linux router for an ISP with possible problems
On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:

> At my workplace we have a Linux router (Debian Squeeze running on a Dell PowerEdge R210-II) through which all the traffic of the ISP's user network passes. The problem we are having is that, apparently, when the total traffic crossing the server reaches 550 Mbps it stalls, that is, it usually does not grow much beyond that value. This seems strange to us because, by our estimate, the traffic should be reaching about 650 Mbps.

(...)

Here you have a very complete configuration for a Debian machine acting as a high-performance router (for an ISP):

http://itservice-bg.net/?p=1122

The interesting part, I think, comes at the end, where it says:

NOTE: settings in /proc/sys/net are essential to enable the Linux kernel to pass big traffic.

Take a look at the parameters it tunes to see if any of them might be useful in your case.

Regards,

--
Camaleón
Re: Linux router for an ISP with possible problems
On 09/08/13 10:32, Camaleón wrote:

> On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:
>
>> At my workplace we have a Linux router (Debian Squeeze running on a Dell PowerEdge R210-II) through which all the traffic of the ISP's user network passes. The problem we are having is that, apparently, when the total traffic crossing the server reaches 550 Mbps it stalls, that is, it usually does not grow much beyond that value. This seems strange to us because, by our estimate, the traffic should be reaching about 650 Mbps.
>
> (...)
>
> Here you have a very complete configuration for a Debian machine acting as a high-performance router (for an ISP):
>
> http://itservice-bg.net/?p=1122
>
> The interesting part, I think, comes at the end, where it says:
>
> NOTE: settings in /proc/sys/net are essential to enable the Linux kernel to pass big traffic.
>
> Take a look at the parameters it tunes to see if any of them might be useful in your case.
>
> Regards,

Many thanks to everyone for your replies. I'm going to read a bit and check the server's configuration more carefully. When I have something more concrete I'll report back on how it went.

Regards,
Mauro.
Re: Linux router for an ISP with possible problems
On 09/08/13 10:32, Camaleón wrote:

> On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:
>
>> At my workplace we have a Linux router (Debian Squeeze running on a Dell PowerEdge R210-II) through which all the traffic of the ISP's user network passes. The problem we are having is that, apparently, when the total traffic crossing the server reaches 550 Mbps it stalls, that is, it usually does not grow much beyond that value. This seems strange to us because, by our estimate, the traffic should be reaching about 650 Mbps.
>
> (...)
>
> Here you have a very complete configuration for a Debian machine acting as a high-performance router (for an ISP):
>
> http://itservice-bg.net/?p=1122

Sorry, the link doesn't work for me. Could it be wrong, or is it just a coincidence?

Regards and thanks,
Mauro.

> The interesting part, I think, comes at the end, where it says:
>
> NOTE: settings in /proc/sys/net are essential to enable the Linux kernel to pass big traffic.
>
> Take a look at the parameters it tunes to see if any of them might be useful in your case.
>
> Regards,
Linux router for an ISP with possible problems
Dear all:

At my workplace we have a Linux router (Debian Squeeze running on a Dell PowerEdge R210-II) through which all the traffic of the ISP's user network passes. The problem we are having is that, apparently, when the total traffic crossing the server reaches 550 Mbps it stalls, that is, it usually does not grow much beyond that value. This seems strange to us because, by our estimate, the traffic should be reaching about 650 Mbps.

At the time we changed the value of:

/proc/sys/net/ipv4/netfilter/ip_conntrack_max

because when the traffic reached about 200 Mbps it started to fall instead of rising, and with dmesg we got the following message:

nf_conntrack: table full, dropping packet

After that, on a much less powerful server than the current one, we had to play with the parameters of the network card (Intel Gigabit, I don't remember the exact model now) so that it could handle the interrupts, and we also had to set up bonding between two of those cards so it could handle all the traffic. On the server I am asking you about now it was not necessary to do bonding, but it was necessary to change the value of ip_conntrack_max.

The thing is that now, as I said, at first glance we are not having any of these problems, but we have the feeling that something is going on.

So I wanted to ask you which parameters I should be looking at and monitoring to see whether we really have a problem on the server or not. One detail I think is very important is that sometimes, for no apparent reason, the network interface drops packets. But, as I said, although this shouldn't happen, it happens rarely.

Here is the data for the interface through which the traffic comes in:

ifconfig eth0
eth0      Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
          inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
          inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
          TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
          Interrupt:16 Memory:c000-c0012800

I would greatly appreciate your comments and help in determining whether the problem is on the server or not. I hope I haven't left out any useful data; if anything is missing, let me know.

Regards and many thanks.
Mauro.
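Raw counters like "dropped:1606" mean little without the packet volume they were counted over, which is what makes the jors/Alberto discussion above hard to settle by eye. The block below is an added example, not code from anyone in this thread: it parses the exact ifconfig output Mauro posted (embedded verbatim) and turns the RX error and drop counters into per-million rates and an average packet size. The "one drop per million" threshold used for the verdict is an assumption of the example, not a figure from the thread.

```python
"""Added example: turn ifconfig RX/TX counters into rates so a small
absolute drop count can be judged against the traffic it was measured over."""
import re

# Verbatim ifconfig output from Mauro's message, restored to its own lines.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
          inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
          inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
          TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
          Interrupt:16 Memory:c000-c0012800
"""

COUNTER_RE = re.compile(r"\b(\w+):(\d+)\b")        # name:value pairs
BYTES_RE = re.compile(r"(RX|TX) bytes:(\d+)")      # the combined bytes line


def parse_ifconfig(text):
    """Return {'RX': {...}, 'TX': {...}} with integer counters per direction."""
    stats = {"RX": {}, "TX": {}}
    for raw in text.splitlines():
        line = raw.strip()
        for direction in ("RX", "TX"):
            if line.startswith(direction + " packets:"):
                stats[direction].update(
                    {k: int(v) for k, v in COUNTER_RE.findall(line)})
        for direction, nbytes in BYTES_RE.findall(line):
            stats[direction]["bytes"] = int(nbytes)
    return stats


def rx_health(stats, per=1_000_000, drop_threshold=1.0):
    """Express RX errors and drops relative to packets received.

    'dropped' on RX is the kernel discarding frames it could not buffer,
    which is why the thread links it to NIC/CPU saturation; the threshold
    below is an assumption for this example, not a kernel or thread value."""
    rx = stats["RX"]
    pkts = rx["packets"]
    drops = rx["dropped"] * per / pkts
    errors = rx["errors"] * per / pkts
    verdict = "negligible" if drops < drop_threshold else "investigate ring/IRQ load"
    return {
        "drops_per_million": drops,
        "errors_per_million": errors,
        "avg_packet_bytes": rx["bytes"] / pkts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    s = parse_ifconfig(SAMPLE_IFCONFIG)
    print(s)
    print(rx_health(s))
```

For Mauro's counters this works out to well under one dropped frame per million received, with an average packet around 289 bytes, which is why the replies push towards ethtool settings and a load test rather than the drop counter itself.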
Re (5): Configuration for a Linux router with a client having a public address
* From: Bob Proulx b...@proulx.com
* Date: Fri, 3 Sep 2010 23:45:50 -0600

> Since those are old diagrams they don't show where carnot fits into things.

* From: Jesús M. Navarro jesus.nava...@undominio.net
* Date: Sun, 5 Sep 2010 23:47:48 +0200

> There's neither carnot nor Allied Telesis 3612TR in your provided diagram

Open http://142.103.107.138/NetworksPage.html and you will see links Extant Network and Proposed Network.

I tried the Proposed Network with a bridge as you explained. Connectivity for Dalton and Carnot was as intended. Oddly, Cantor remained connected to the LAN but lost connectivity to the Internet; as if masquerading had failed. Further ideas and suggestions are welcome. Also the Shorewall list might help.

I'll guess that routing can achieve a result similar to bridging in this case. Bridging is more efficient?

Some of the details in the configurations listings are probably outdated. I'll review and update as time is available.

Regards, ... Peter E.

--
Telephone 1 360 450 2132. 7785886232 is gone.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive; installation of NetBSD on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .
Re (4): Configuration for a Linux router with a client having a public address
* From: Bob Proulx b...@proulx.com
* Date: Fri, 3 Sep 2010 23:45:50 -0600

> Since those are old diagrams they don't show where carnot fits into things.

* From: Jesús M. Navarro jesus.nava...@undominio.net
* Date: Sun, 5 Sep 2010 23:47:48 +0200

> There's neither carnot nor Allied Telesis 3612TR in your provided diagram

The original diagram turned up late Friday. I'll update and add the hypothetical configuration, scan and post on the server as soon as possible.

Thanks for the help, Peter E.

--
Telephone 1 360 450 2132. 7785886232 is gone.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive; installation of NetBSD on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .
Re (3): Configuration for a Linux router with a client having a public address
From: Bob Proulx b...@proulx.com
Date: Fri, 03 Sep 2010 23:45:50 -0600

> ... carnot is already on the public internet with 142.103.107.138?

OK, we've discussed two distinct configurations and that wasn't clear. Friday I reinstated the old configuration and checked just now that carnot is still running. Click here == http://142.103.107.138/ . If you don't get the home page, the most likely explanation is disk drive failure.

> I thought that you had it on a private network and were trying to tunnel it onto the public internet.

That was the recent investigative configuration. In the old configuration, http://142.103.107.138/ connected through the AT 3612TR was accessible to the public from 2002 until a few months ago. I shut it down a few months back because the disk drives were failing. Powered it up again Friday, but a drive might fail any time.

For years I've had a private network with Dalton routing connectivity to Cantor. My objective in the past week was to consider whether the AT 3612TR can be eliminated with routing through Dalton. The private subnet to Carnot is incidental to my study of how the objective might be reached.

> And of course carnot isn't on the diagram so I feel I am just missing the mark here.

Carnot and the AT 3612TR being absent from the diagram is a bad deficiency. I'll add them on Tuesday or Wednesday when back at work. The AT 3612TR is between dalton and the Internet. Carnot is connected to the AT 3612TR beside Dalton.

> What is carnot's first card's address and which wire is it hooked to?

It has only one interface. In the old configuration the address is 142.103.107.138 and it is connected to the AT 3612TR.

> If carnot is already on 142.103.107.138 then why does it need a private address ...

The primary objective is find whether the AT 3612TR can be eliminated by routing through dalton. The private subnet to Carnot was part of my study of whether and how this objective might be reached. Typically, a Linux router has private subnets.

> ... and what looks like an openvpn point to point link between it [carnot] and dalton?

As you said a little earlier, carnot is not on the diagram. The tunnel is between dalton and joule and has no relevance to my present objective. The scanned image from a penciled sketch isn't good but zooming bigger will help. In iceweasel left click.

> No wire? Then why have it [second Ethernet adapter]?

In the previous message I asked whether and how carnot could have two addresses. A second interface seems an obvious possibility.

> Simply add the other address. ...
> up ip addr add 192.168.1.100/24 brd 192.168.1.255 dev eth0 label eth0:0
> ...

That's easy but not obvious; thanks! I'd guess it's documented or described somewhere but not in interfaces.man.

> ... It enables two different subnets to co-exist on the same wire. ...

That idea helps. I thought of another question, probably more directly relevant to my objective. Will post it with subject Linux hub.

Thanks, ... Peter E.

--
VoIP 7785886232 is gone. Please use 13604502132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive; installation of netbsd on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .
Re (2): Configuration for a Linux router with a client having a public address
From: Bob Proulx b...@proulx.com
Date: Thu, 02 Sep 2010 20:55:04 -0600

> Excellent diagram! Thank you very much for sharing it.

Welcome. Until I have a definite plan, the old configuration with carnot on the AT 3612TR is restored. All of these should work as long as the old disk drives hold up.

http://142.103.107.138/
http://carnot.yi.org/
http://carnot.pathology.ubc.ca/

My network is documented in http://carnot.yi.org/NetworksPage.html with a link under Miscellaneous Links in the home page.

> The .137 is in the diagram as attached to dalton. I know you said that was an old diagram. But is that perhaps reversed with .138?

The configuration in the diagram is current.

dalton = 142.103.107.137
carnot = 142.103.107.138

> There are two main directions that I would suggest, and one of those main directions has two sub-directions. One way is to have dalton configured for *both* addresses ... Another way would be to use the Linux netfilter interface to port forward the desired ports.

If carnot had extra space on a bus, I'd think of adding a second Ethernet card with address 142.103.107.138. The existing Ethernet on carnot would be 172.24.2.2 connected to dalton's 172.24.2.1. The second Ethernet on carnot would have no cable attached of course. Assuming dalton receives 142.103.107.138 packets, as well as its own, it would simply route the 142.103.107.138 packets out through 172.24.2.1. No translation of address or port would be required. In this respect dalton would work as the AT hub does.

There is no simple means of adding a second Ethernet adapter to carnot. Can two addresses be assigned to one interface? Is there anything which might be called a phantom interface? Similar to localhost. If such a thing exists it should serve for 142.103.107.138.

Thanks,... Peter E.

--
VoIP 7785886232 is gone. Please use 13604502132.
Shop pages http://carnot.yi.org/ accessible as long as the old drives work; installation of netbsd on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .
Re: Re (2): Configuration for a Linux router with a client having a public address
peasth...@shaw.ca wrote:

> http://142.103.107.138/

So now I am really confused. carnot is already on the public internet with 142.103.107.138? I thought that you had it on a private network and were trying to tunnel it onto the public internet. I am really confused now. Sorry.

> My network is documented in http://carnot.yi.org/NetworksPage.html with a link under Miscellaneous Links in the home page.

Since those are old diagrams they don't show where carnot fits into things. On which wire will carnot be placed? That part I am not clear about. Thanks.

> The configuration in the diagram is current.
>
> dalton = 142.103.107.137
> carnot = 142.103.107.138

And of course carnot isn't on the diagram so I feel I am just missing the mark here.

> If carnot had extra space on a bus, I'd think of adding a second Ethernet card with address 142.103.107.138.

What is carnot's first card's address and which wire is it hooked to?

> The existing Ethernet on carnot would be 172.24.2.2 connected to dalton's 172.24.2.1.

If carnot is already on 142.103.107.138 then why does it need a private address and what looks like an openvpn point to point link between it and dalton?

> The second Ethernet on carnot would have no cable attached of course.

No wire? Then why have it? I am much confused!

> Can two addresses be assigned to one interface?

Yes. Easily. Simply add the other address. I prefer to use the 'ip' tool for these kinds of things. Make sure you have the 'iproute' package installed. Then you can say

# ip addr add 192.168.1.100/24 brd 192.168.1.255 dev eth0 label eth0:0
# ip addr del 192.168.1.100/24 dev eth0 label eth0:0

and you can put those in up and down directives in your /etc/network/interfaces file.

allow-hotplug eth0
iface eth0 inet static
    address 172.16.1.200
    netmask 255.255.255.0
    network 172.16.1.0
    broadcast 172.16.1.255
    gateway 172.16.1.1
    up ip addr add 192.168.1.100/24 brd 192.168.1.255 dev eth0 label eth0:0
    down ip addr del 192.168.1.100/24 dev eth0 label eth0:0

That adds an address with a label when the interface comes up and removes it when the interface is brought down. It enables two different subnets to co-exist on the same wire. This machine knows about both subnets and can talk to either. A machine with an IP on only one of those subnets would only know about that one and not the other. It isn't a security arrangement since if an interface were in promiscuous mode it would observe all packets on both networks. It is useful in some situations such as IP renaming transitions and other cases.

Bob
Configuration for a Linux router with a client having a public address
Given linux router dalton, eth 3, connected to a local machine carnot, eth0, with a cross-over cable, I need some help to set the configurations properly.

#dalton:/etc/network/interfaces
...
iface eth3 inet static
    address 172.24.2.1
    up route add -host 142.103.107.138
    down route del -host 142.103.107.138

#carnot:/etc/network/interfaces
...
iface eth0 inet static
    address 142.103.107.138
    gateway 172.24.2.1

Obviously these specifications are deficient; but there is no point in fretting details until I understand the concepts. The link must be in a network. How can 172.24.2.1 and 142.103.107.138 be in one network? Does carnot need a local address along with its public address?

Incidental points. http://www.linuxrouter.org/ appears to be defunct although many links to it exist. At least one in tldp.org.

r...@dalton:~# /etc/init.d/networking restart
Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces ... (warning).

So networking restart deprecated. What is the new way?

Thanks, ... Peter E.

--
VoIP 7785886232 is gone. Please use 13604502132.
Sparcstation 2 netboots netbsd; installation pending.
Personal site works; http://members.shaw.ca/peasthope/ .
Re: Configuration for a Linux router with a client having a public address
peasth...@shaw.ca wrote:

> Given linux router dalton, eth 3, connected to a local machine carnot, eth0, with a cross-over cable, I need some help to set the configurations properly.
>
> #dalton:/etc/network/interfaces
> ...
> iface eth3 inet static
>     address 172.24.2.1
>     up route add -host 142.103.107.138
>     down route del -host 142.103.107.138

So dalton has address 172.24.2.1 in the RFC1918 private address space. And additionally you are adding a host route to ip address 142.103.107.138 which will be locally connected. This seems like trouble since you do not have a local address on that network.

> #carnot:/etc/network/interfaces
> ...
> iface eth0 inet static
>     address 142.103.107.138
>     gateway 172.24.2.1

So carnot has address 142.103.107.138, missing a netmask and network configuration, but has a gateway that is not on the local subnet? That is trouble. Strictly speaking it would need a gateway to reach the defined gateway. That isn't good.

> Obviously these specifications are deficient; but there is no point in fretting details until I understand the concepts.

If you want a point to point network between two machines on a crossover cable then both hosts should be on the same subnet.

> The link must be in a network. How can 172.24.2.1 and 142.103.107.138 be in one network?

You have asked the question but it is your configuration! Why did you configure it that way if you already realize that it won't work? Practically they can't. Hypothetically you could join them together but you don't really want to do that. Instead define a subnet for both hosts and put each host on that subnet.

> Does carnot need a local address along with its public address?

You have given carnot the 142.103.107.138 address. That is in the public address space. But it looks like it is on a private network behind another router. Are you trying to put a host up on the public Internet and trying to place it behind a firewall/router? Is dalton a router on the public Internet? (It would help to know if it is a WRT54G type of router or if it is a full functionality Debian host.) Is carnot a machine on your private network that you want to actually host the public Internet service (HTTP, SMTP, SSH)? Are you trying to port forward public Internet services through dalton to carnot? I am guessing it is something like that.

In that case it is your public Internet router dalton that should get the public IP address. (Or at least an arp proxy, but I think that is more complicated.) Then have it port forward to carnot for the services that you want to host on carnot. At least this is one way to do it. There are several different ways. And each of them have subtle things that if not configured correctly will cause things not to work as desired.

> r...@dalton:~# /etc/init.d/networking restart
> Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces ... (warning).
>
> So networking restart deprecated. What is the new way?

The new way is with ifup and ifdown.

sudo ifdown eth0
sudo ifup eth0

In the old days interfaces were quite static on systems. But with the coming of removable and hotplug devices such as PCMCIA or USB network interface cards there was a need to move to a more dynamic system. Before networking needed to come online at boot time and go offline at shutdown time. But that isn't sufficient now. Now devices come online when they are plugged in and go offline when they are disconnected. Everything has been rewritten to be event driven. For those of us who were used to the old static boot time system it is a little bit of a change in mind set but a worthwhile one because of the new capabilities that it provides.

Basically this means that you rarely if ever should have the need to run /etc/init.d/networking stop but would bring an individual interface offline with ifdown eth0 instead.

Bob
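Bob's two objections to the carnot stanza, no netmask and a gateway that is not on the interface's own subnet, are mechanical enough to check before an ifup ever runs. The block below is an added example, not code from anyone in this thread and not ifupdown's own parser: it reads the handful of keywords used in Peter's stanzas (iface, address, netmask, gateway) and applies the two checks with the standard ipaddress module, plus the "both ends of a cable on one subnet" rule as a function of its own. The sample stanzas are constructed from the addresses in the thread; treating a stanza with no netmask as a single-host /32 for the gateway check is this example's own choice, not ifupdown's documented default.

```python
"""Added example: sanity-check static /etc/network/interfaces stanzas
for the two mistakes discussed in the thread."""
import ipaddress

# Constructed from Peter's first attempt: public address, no netmask,
# gateway on a different network.
BROKEN_CARNOT = """\
iface eth0 inet static
    address 142.103.107.138
    gateway 172.24.2.1
"""

# Constructed from the plan agreed later in the thread: carnot 172.24.2.2
# on the same /24 as dalton's 172.24.2.1.
FIXED_CARNOT = """\
iface eth0 inet static
    address 172.24.2.2
    netmask 255.255.255.0
    gateway 172.24.2.1
"""


def parse_stanza(text):
    """Pull iface/address/netmask/gateway out of one static stanza.
    Only these keywords are understood (an assumption of this example)."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface" and len(parts) >= 2:
            conf["iface"] = parts[1]
        elif parts[0] in ("address", "netmask", "gateway") and len(parts) >= 2:
            conf[parts[0]] = parts[1]
    return conf


def check_stanza(conf):
    """Return a list of problems; an empty list means the stanza passes."""
    problems = []
    addr = conf.get("address")
    if addr is None:
        return ["no address configured"]
    if "/" in addr:                       # 'address 172.24.2.2/24' form
        iface = ipaddress.ip_interface(addr)
    elif "netmask" in conf:
        iface = ipaddress.ip_interface(f"{addr}/{conf['netmask']}")
    else:
        problems.append("netmask missing")
        iface = ipaddress.ip_interface(f"{addr}/32")   # strict fallback (assumption)
    gw = conf.get("gateway")
    if gw is not None and ipaddress.ip_address(gw) not in iface.network:
        problems.append(f"gateway {gw} is not on local subnet {iface.network}")
    return problems


def same_link(addr_a, addr_b):
    """True when two 'address/prefix' strings share one subnet: the rule
    Bob states for both ends of a crossover cable."""
    return (ipaddress.ip_interface(addr_a).network
            == ipaddress.ip_interface(addr_b).network)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CARNOT), ("fixed", FIXED_CARNOT)):
        print(name, check_stanza(parse_stanza(text)) or "ok")
    print(same_link("172.24.2.1/24", "172.24.2.2/24"))
```

The checker deliberately reports the gateway problem even when the netmask is missing, since that is exactly the combination Peter posted; on the corrected stanza both checks pass and the two crossover-cable ends resolve to the same 172.24.2.0/24 network.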
Re: Configuration for a Linux router with a client having a public address
From: Bob Proulx b...@proulx.com
Date: Thu, 02 Sep 2010 14:00:20 -0600

> So dalton has address 172.24.2.1 in the RFC1918 private address space.

Dalton has external address 142.103.107.137 and several internal addresses including 172.24.2.1. Here is an old sketch. Dalton is on the left. We're not concerned with Joule.

http://members.shaw.ca:80/peasthope/Network.jpg

Until my current tinkering, Carnot and Dalton were both connected to the network through an old Allied Telesis CentreCOM 3612TR not in the sketch. The current objective is to eliminate the 3612TR and route to Carnot through Dalton. Two benefits: less machinery running; faster communication to Dalton. The 3612TR is 10BASE-T.

> If you want a point to point network between two machines on a crossover cable then both hosts should be on the same subnet.

Both ends of a cable must be on one subnet. is an axiom of networking? That's crucial.

> Instead define a subnet for both hosts and put each host on that subnet.

For example, Carnot gets address 172.24.2.2 connecting to Dalton at 172.24.2.1. Still, the outside world expects to find Carnot at 142.103.107.138. Continued below.

> Is dalton a router on the public Internet? (It would help to know if it is a WRT54G type of router or if it is a full functionality Debian host.)

Dalton is a Linux router running Debian Squeeze with public address 142.103.107.137. The firewall will prevent a response by ping. ssh 142.103.107.137 should indicate it exists.

> Is carnot a machine on your private network that you want to actually host the public Internet service (HTTP, SMTP, SSH)?

Correct. HTTP SSH are sufficient.

> ... dalton that should get the public IP address. ... have it port forward to carnot for the services that you want to host on carnot.

Dalton gets 142.103.107.138 while carnot has only a local address; neither machine uses 142.103.107.137.

> There are several different ways. And each of them have subtle things that if not configured correctly will cause things not to work as desired.

OK. It's a learning exercise for now.

> The new way is with ifup and ifdown.
>
> sudo ifdown eth0
> sudo ifup eth0
>
> ... bring an individual interface offline with ifdown eth0 instead.

Right oh. Will try these ideas tomorrow morning or next week.

Thanks,... Peter E.

--
VoIP 7785886232 is gone. Please use 13604502132.
Sparcstation 2 netboots netbsd; installation pending.
Personal site works; http://members.shaw.ca/peasthope/ .
Re: Configuration for a Linux router with a client having a public address
peasth...@shaw.ca wrote:
> Bob Proulx wrote:
> > So dalton has address 172.24.2.1 in the RFC1918 private address space.
>
> Dalton has external address 142.103.107.137 and several internal addresses including 172.24.2.1. Here is an old sketch. Dalton is on the left. We're not concerned with Joule. http://members.shaw.ca:80/peasthope/Network.jpg

Excellent diagram! Thank you very much for sharing it.

> Until my current tinkering, Carnot and Dalton were both connected to the network through an old Allied Telesis CentreCOM 3612TR not in the sketch. The current objective is to eliminate the 3612TR and route to Carnot through Dalton. Two benefits: less machinery running; faster communication to Dalton. The 3612TR is 10BASE-T.

And it is a hub instead of a switch too. Good box in its day though.

> > If you want a point to point network between two machines on a crossover cable then both hosts should be on the same subnet.
>
> "Both ends of a cable must be on one subnet." is an axiom of networking? That's crucial.

Yes. Keep both ends of the cable on the same subnet.

> > Instead define a subnet for both hosts and put each host on that subnet.
>
> For example, Carnot gets address 172.24.2.2 connecting to Dalton at 172.24.2.1.

Yes. Exactly.

> Still, the outside world expects to find Carnot at 142.103.107.138. Continued below.

I see and note that that address is one over from dalton's public IP address.

> > Is dalton a router on the public Internet? (It would help to know if it is a WRT54G type of router or if it is a full functionality Debian host.)
>
> Dalton is a Linux router running Debian Squeeze with public address 142.103.107.137.

Good to know. It opens up additional possibilities.

> The firewall will prevent a response by ping. ssh 142.103.107.137 should indicate it exists.

Yes. Note that you can get one level lower and connect to the ssh port 22 directly. I like to use 'connect' but others will use 'nc' or 'socat' or other favorite tools. But everyone has telnet.

  $ telnet example.com 22
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.1p1 Debian-5

However to exit telnet you have to be able to read the message "Escape character is '^]'." and then type that in and then q or quit to get out. You would be surprised at how many times I have had people have trouble there. So I like 'connect' which is 8-bit clean and can be interrupted.

  apt-get install connect-proxy

  $ connect example.com 22
  SSH-2.0-OpenSSH_5.1p1 Debian-5

> > Is carnot a machine on your private network that you want to actually host the public Internet service (HTTP, SMTP, SSH)?
>
> Correct. HTTP & SSH are sufficient.

Oh good.

> > ... dalton that should get the public IP address. ... have it port forward to carnot for the services that you want to host on carnot.
>
> Dalton gets 142.103.107.138 while carnot has only a local address; neither machine uses 142.103.107.137.

The .137 is in the diagram as attached to dalton. I know you said that was an old diagram. But is that perhaps reversed with .138? It doesn't really matter since you know which is which but just trying to keep up here. I will make the assumption for now and move on.

> > There are several different ways. And each of them has subtle things that if not configured correctly will cause things not to work as desired.
>
> OK. It's a learning exercise for now.

There are two main directions that I would suggest, and one of those main directions has two sub-directions. (grin)

One way is to have dalton configured for *both* addresses and then tunnel the ports over to carnot through ssh. That has the advantage of being simple and easy to put together in parts. But the use of ssh isn't the most efficient and some people find ssh confusing.

Another way would be to use the Linux netfilter interface to port forward the desired ports. My favorite netfilter tool is Shorewall. Using the Linux netfilter with Shorewall seems the most attractive. But it can be the most confusing to debug and get working correctly so isn't the easiest either.

But I think you probably want a Proxy ARP configuration. Look at this documentation for one way of how to set this up.

  http://www.shorewall.net/shorewall_setup_guide.htm
  http://www.shorewall.net/ProxyARP.htm

Good luck! I would be interested to know how this turns out.

Bob
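The banner grab Bob does with telnet and connect, as an added example (not his code): a Python function that opens the TCP connection, reads the server's identification line and splits it into the RFC 4253 fields. The parse step is what makes the banner useful: the software field ('OpenSSH_5.1p1' with comment 'Debian-5' in Bob's transcript) names the package and distribution patch level that anyone probing the host will look up, which is both why such a check belongs in an inventory script and why it is worth knowing what your own banner discloses. The host name 'example.com' is a placeholder, as it is in Bob's post.

```python
"""Connect to a TCP port, read the server's identification string and
parse it. RFC 4253 section 4.2 defines the line as
    SSH-protoversion-softwareversion SP comments CR LF
and limits it to 255 characters. Added example, not from the thread; the
host name used at the bottom is a placeholder."""
import socket


def parse_ssh_banner(line):
    """Return (protoversion, softwareversion, comments), or None if the
    line is not an SSH identification string (an SMTP 220 greeting, say)."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    ident, _, comments = line.partition(" ")
    parts = ident.split("-", 2)           # 'SSH', protoversion, softwareversion
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2], comments


def grab_banner(host, port=22, timeout=5.0, limit=255):
    """Open the connection and return the first line the server sends.
    There is no escape-character dance as with telnet: the socket is
    simply closed when the function returns."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while not data.endswith(b"\n") and len(data) < limit:
            chunk = sock.recv(limit - len(data))
            if not chunk:                 # server closed without a banner
                break
            data += chunk
    return data.decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    print(parse_ssh_banner(grab_banner(target)))
```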
Re: ideas for Linux router?
On Fri, May 15, 2009 at 12:16:15PM +, Ólafur Jens Sigurðsson wrote:
> On Fri, May 08, 2009 at 02:18:24PM +0800, Bob wrote:
> > Alex Samad wrote:
> > > On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
> > > > Hello, I got an awesome deal today on a Linksys wired Etherfast Cable/DSL router and 4 port switch - $5 USD at our local Goodwill Computer Store. They get donations and then sell them (they are a non-profit corp. that helps the disabled). The model number is: BEFSR41 version 3.
> > >
> > > have a look at openwrt.org
>
> In the latest issue of linuxformat there is mention of a worm called psybOt that affects openwrt and routers based on mipsel (a debian derived distribution), so keep your eyes open.

yes it targets linux boxes that have weak root passwords. openwrt by default doesn't allow password ssh only certificate - there is more about this on the openwrt.org web page

alex

> Oli
>
> -- I thought YOU silenced the guard!
Re: ideas for Linux router?
On Fri, May 08, 2009 at 02:18:24PM +0800, Bob wrote:
> Alex Samad wrote:
> > On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
> > > Hello, I got an awesome deal today on a Linksys wired Etherfast Cable/DSL router and 4 port switch - $5 USD at our local Goodwill Computer Store. They get donations and then sell them (they are a non-profit corp. that helps the disabled). The model number is: BEFSR41 version 3.
> >
> > have a look at openwrt.org

In the latest issue of linuxformat there is mention of a worm called psybOt that affects openwrt and routers based on mipsel (a debian derived distribution), so keep your eyes open.

Oli
Re: ideas for Linux router?
Alex Samad wrote:
> On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
> > Hello, I got an awesome deal today on a Linksys wired Etherfast Cable/DSL router and 4 port switch - $5 USD at our local Goodwill Computer Store. They get donations and then sell them (they are a non-profit corp. that helps the disabled). The model number is: BEFSR41 version 3.
>
> have a look at openwrt.org

No point, the BEFSR41 does not run Linux and there is no 3rd party firmware for it. I have one and no longer use it as my firewall / router as there is no way of assigning static IP addresses on its internal DHCP server.

If you wish to use it as a router and need static IPs you can either assign them manually or turn off the DHCP server and use another one.

Or turn off the DHCP server and use it as a 4 port switch.

Or what I do with mine is I've changed its IP to 192.168.1.2 and the DHCP range starts at 192.168.1.10; then when I wish to reset / reflash / tinker with my Openwrt box I can put it into Failsafe mode, which sets its IP address to 192.168.1.1 but disables the DHCP server, turn on my BEFSR41, renew my IP and telnet into my openwrt box. This saves mucking about with static IPs (which I can't seem to get working) and makes the whole thing easier.

The BEFSR41 is pretty old now, doesn't have great throughput (12Mb/s??) and is lacking in quite a few features; one thing going for it is it has a really good h.323 helper if you use that VOIP protocol.

> > What exactly can I do with this in Linux? I have 2 computers and would like to network them using this. It came with a 6 foot ethernet cable and a 12V power adapter. Any ideas and/or pointers on what to do to set this up in Linux would be great.
> >
> > Right now I have raw ethernet frames being sent to my laptop which is using static IP so I have nothing in the way:
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 66.93.172.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 0.0.0.0         66.93.172.1     0.0.0.0         UG    0      0        0 eth0
> >
> > My eventual goal is to setup a DMZ network and route my public network traffic behind that but for the present I just want to get my 2 computers sharing the DSL line using this router I got. Here is my planned DMZ setup: http://www.hyperyoda.org/my-DMZ-network-diagram.png
> >
> > PS: The Goodwill store has a 20 port Agilent switch (still wrapped in plastic in the box) for $20. Is that also a good deal?
> >
> > Zach
ideas for Linux router?
Hello,

I got an awesome deal today on a Linksys wired Etherfast Cable/DSL router and 4 port switch - $5 USD at our local Goodwill Computer Store. They get donations and then sell them (they are a non-profit corp. that helps the disabled). The model number is: BEFSR41 version 3.

What exactly can I do with this in Linux? I have 2 computers and would like to network them using this. It came with a 6 foot ethernet cable and a 12V power adapter. Any ideas and/or pointers on what to do to set this up in Linux would be great.

Right now I have raw ethernet frames being sent to my laptop which is using static IP so I have nothing in the way:

  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  66.93.172.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
  0.0.0.0         66.93.172.1     0.0.0.0         UG    0      0        0 eth0

My eventual goal is to setup a DMZ network and route my public network traffic behind that but for the present I just want to get my 2 computers sharing the DSL line using this router I got. Here is my planned DMZ setup: http://www.hyperyoda.org/my-DMZ-network-diagram.png

PS: The Goodwill store has a 20 port Agilent switch (still wrapped in plastic in the box) for $20. Is that also a good deal?

Zach
Re: ideas for Linux router?
On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
> Hello,
>
> I got an awesome deal today on a Linksys wired Etherfast Cable/DSL router and 4 port switch - $5 USD at our local Goodwill Computer Store. They get donations and then sell them (they are a non-profit corp. that helps the disabled). The model number is: BEFSR41 version 3.

have a look at openwrt.org

> What exactly can I do with this in Linux? I have 2 computers and would like to network them using this. It came with a 6 foot ethernet cable and a 12V power adapter. Any ideas and/or pointers on what to do to set this up in Linux would be great.
>
> Right now I have raw ethernet frames being sent to my laptop which is using static IP so I have nothing in the way:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 66.93.172.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         66.93.172.1     0.0.0.0         UG    0      0        0 eth0
>
> My eventual goal is to setup a DMZ network and route my public network traffic behind that but for the present I just want to get my 2 computers sharing the DSL line using this router I got. Here is my planned DMZ setup: http://www.hyperyoda.org/my-DMZ-network-diagram.png
>
> PS: The Goodwill store has a 20 port Agilent switch (still wrapped in plastic in the box) for $20. Is that also a good deal?
>
> Zach

-- My pan plays down an unprecedented amount of our national debt. - George W. Bush 02/27/2001 in his budget address to Congress
Re: configuration of a linux router
Andrew & others,

At Date: Mon, 16 Jun 2008 16:42:41 -0700 A.S-W. wrote,
> that does not mean that a rule for POP3 is not needed. I don't remember if shorewall is case sensitive, but I bet it is in the context of defining a rule. maybe post the actual config line that produces the error?

My /etc/shorewall/rules, with the offending rules for POP3 commented out, is now visible. http://carnot.pathology.ubc.ca/rules

The report from shorewall. http://carnot.pathology.ubc.ca/ShorewallReport

Equally peculiar: while the rule for SMTP is commented out, a message can be sent from loc _via_ SMTP.

Thanks for any help, ... Peter E.

-- http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/ Desktops.OpenDoc http://members.shaw.ca/peasthope/
Re: configuration of a linux router
Folk,

At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
> ... if you want to really understand it use shorewall after reading shorewall-doc.

ipmasq works but I want to use shorewall. I wonder why rules are needed for FTP but not for POP3. In fact, a rule for POP3 produces a complaint about ... unknown protocol 'pop3'

Any ideas?

Thanks, ... Peter E.

-- http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/ Desktops.OpenDoc http://members.shaw.ca/peasthope/
Re: configuration of a linux router
On Mon, 2008-06-16 at 16:01 -0700, [EMAIL PROTECTED] wrote:
> Folk,
>
> At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
> > ... if you want to really understand it use shorewall after reading shorewall-doc.
>
> ipmasq works but I want to use shorewall. I wonder why rules are needed for FTP but not for POP3. In fact, a rule for POP3 produces a complaint about ... unknown protocol 'pop3'

In an unusual move, the FTP server connects to the client: Two connections are maintained instead of just one. You can force FTP to just use the client to server connection by using passive mode, but given that doing so makes some operations problematic, it's kind of a last-resort mode.

-- Paul Johnson [EMAIL PROTECTED]
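What Paul describes, as an added example (not from the thread): the PORT command the client sends over the control channel, the address and port the server will dial back to, and a tiny model of what the netfilter FTP conntrack helper does with it. The helper registers an expectation so the server's connection is classified RELATED and passes a normal ESTABLISHED,RELATED rule, and it refuses (unless the module's loose parameter is set) a PORT that names a host other than the control connection's client, which is the FTP bounce case. The session lines are constructed and 203.0.113.5 is a documentation address. Behind ipmasq there is a second twist that this model leaves out: curie's PORT would carry its private address, and the nf_nat_ftp module has to rewrite it to the router's public address before the server can reach it at all.

```python
"""Why active-mode FTP needs firewall help.

The client sends, inside the control connection, a PORT (or EPRT) command
naming an address and port; the server then opens a *second* TCP
connection back to that endpoint. A rule set that only allows
client->server traffic cannot recognise that inbound connection. The
netfilter helper (nf_conntrack_ftp) reads the control channel and
registers an expectation, so the data connection is classified RELATED.

Added example, not from the thread; the control-channel lines below are
constructed and this helper is a simplified model of the kernel's."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|$")


def parse_port_command(line):
    """Return (ip, port) announced by a PORT/EPRT line, or None for other commands."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.group(1).split(","))
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"octet out of range in {line!r}")
        ip = ipaddress.IPv4Address((h1 << 24) | (h2 << 16) | (h3 << 8) | h4)
        return str(ip), p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        return str(ipaddress.ip_address(m.group(1))), int(m.group(2))
    return None


class FtpHelper:
    """Watches the control channel and records the data connection the
    server is expected to open, the way the conntrack helper does."""

    def __init__(self, loose=False):
        # loose mirrors the kernel module parameter: when False the
        # announced address must equal the control connection's client,
        # which blocks the classic FTP bounce trick.
        self.loose = loose
        self.expectations = set()

    def observe(self, client_ip, server_ip, line):
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        ip, port = parsed
        if not self.loose and ip != client_ip:
            raise ValueError(f"PORT names {ip} but the control connection is from {client_ip}")
        # the server -> client data connection, from whatever source port
        self.expectations.add((server_ip, ip, port))
        return ip, port

    def allow_inbound(self, src_ip, dst_ip, dst_port):
        """Would a server->client SYN to this endpoint be accepted as RELATED?"""
        return (src_ip, dst_ip, dst_port) in self.expectations


# constructed session: curie (172.23.4.2) talking to an FTP server
CONTROL_CHANNEL = [
    "USER anonymous",
    "PASS guest@",
    "PORT 172,23,4,2,4,1",   # 172.23.4.2, port 4*256+1 = 1025
    "LIST",
]


def simulate(lines=CONTROL_CHANNEL, client_ip="172.23.4.2", server_ip="203.0.113.5"):
    """Feed the control channel through the helper; return (announced endpoints, helper)."""
    helper = FtpHelper()
    announced = [helper.observe(client_ip, server_ip, line) for line in lines]
    return [a for a in announced if a], helper
```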
Re: configuration of a linux router
Folk,

At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
> ... if you want to really understand it use shorewall after reading shorewall-doc.

ipmasq works but I want to use shorewall. I wonder why rules are needed for FTP but a rule for POP3 produces a complaint about ... unknown protocol 'pop3'

I need POP3 and SMTP to move mail. Any ideas?

Thanks, ... Peter E.

-- http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/ Desktops.OpenDoc http://members.shaw.ca/peasthope/
Re: configuration of a linux router
On Mon, Jun 16, 2008 at 04:01:39PM -0700, [EMAIL PROTECTED] wrote:
> Folk,
>
> At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
> > ... if you want to really understand it use shorewall after reading shorewall-doc.
>
> ipmasq works but I want to use shorewall. I wonder why rules are needed for FTP but not for POP3. In fact, a rule for POP3 produces a complaint about ... unknown protocol 'pop3'

that does not mean that a rule for POP3 is not needed. I don't remember if shorewall is case sensitive, but I bet it is in the context of defining a rule. maybe post the actual config line that produces the error?

A
Re: configuration of a linux router
Paul & others,

At Mon, 16 Jun 2008 16:33:50 -0700 Paul Johnson wrote,
> ... the FTP server connects to the client: Two connections are maintained ...

As I am aware, ssh uses only one connection but it also gets ACCEPT rules. So I still don't understand why some protocols, dns, ftp and ssh, need rules in /etc/shorewall/rules while other protocols, pop, smtp and http, do not. Does shorewall accept the latter protocols by default? Seems contrary to reason.

Thanks, ... Peter E.

-- http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/ Desktops.OpenDoc http://members.shaw.ca/peasthope/
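An added example for Peter's question (not from the thread and not Shorewall code) that checks the column layout of a rules file. In Shorewall's rules file the fourth column, PROTO, takes a protocol name or number; service names like pop3 are looked up in /etc/services and belong in the fifth column, DEST PORT(S). A line `ACCEPT net $FW pop3` therefore draws an "unknown protocol" complaint, while `ACCEPT net $FW tcp pop3` is fine. The sample rules file is constructed (the real one is not on the page), and the protocol and service tables are a small embedded subset so the script runs offline. As to why outbound pop, smtp and http work with no rule at all: with the Shorewall two-interface sample policy loc to net is ACCEPT, so a client on the LAN fetching mail never consults the rules file; rules are needed for traffic the policy does not already allow, typically connections from net into the firewall or into loc, and active FTP needs the conntrack helper on top of that.

```python
"""Lint /etc/shorewall/rules lines for the "unknown protocol" mistake.

Shorewall's rules file is column based:
    ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  ...
PROTO takes a protocol name or number (tcp, udp, icmp, ...). Service
names such as pop3 or ftp are resolved through /etc/services and belong
in DEST PORT(S), not in PROTO.

Added example, not from the thread or Shorewall. The protocol and service
tables are a constructed subset so the script runs offline; on a real host
read /etc/protocols and /etc/services (or use socket.getservbyname)."""

PROTOCOLS = {"tcp", "udp", "icmp", "all", "-"}
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80, "pop3": 110}


def _is_port_spec(token):
    """123, a range such as 1024:65535, or a known service name."""
    return all(part.isdigit() for part in token.split(":")) or token.lower() in SERVICES


def lint_rule(line):
    """Return the problems found in one rules line (empty list = OK)."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return []
    fields = body.split()
    if len(fields) < 3:
        return [f"too few columns in {body!r}"]
    if "/" in fields[0]:
        return []            # macro form such as SSH/ACCEPT supplies PROTO and port itself
    problems = []
    proto = fields[3].lower() if len(fields) > 3 else "all"
    if proto not in PROTOCOLS and not proto.isdigit():
        msg = f"unknown protocol {proto!r} in PROTO column"
        if proto in SERVICES:
            msg += f" (a service name: use PROTO=tcp DEST PORT={proto} instead)"
        problems.append(msg)
    if len(fields) > 4 and fields[4] != "-":
        for token in fields[4].split(","):
            if not _is_port_spec(token):
                problems.append(f"unknown service {token!r} in DEST PORT column")
    return problems


def lint_rules(text):
    """Map line number -> problems, for every line that has any."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        problems = lint_rule(line)
        if problems:
            report[number] = problems
    return report


# constructed sample, shaped like the thread's file (the real one is not on the page)
SAMPLE_RULES = """\
# ACTION    SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT      net     $FW     tcp     ssh
ACCEPT      loc     $FW     tcp     ftp
ACCEPT      loc     $FW     udp     domain
ACCEPT      net     $FW     pop3                # service name where a protocol belongs
ACCEPT      net     $FW     tcp     pop3        # corrected
ACCEPT      net     $FW     tcp     1024:65535
SSH/ACCEPT  net     $FW
"""
```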
Re: configuration of a linux router
Douglas,

dt Now you're using shaw.ca for your home domain. Do you own that? Would you like to e.g. relay mail for all of shaw.ca?

Not really. OK, I've invented the domain name petershouse; the current hosts file follows. Please let me know of any remaining errors.

Isn't there a place to specify the domain, analogous to /etc/hostname? Unfortunate that these matters aren't mentioned in the hosts man page. Also, I wonder that /etc/hostname, /etc/hosts, /etc/network/interfaces and perhaps a few other files haven't been amalgamated into one. Excessive fragmentation increases the likelihood of confusion and error.

Thanks, ... Peter E.

  # /etc/hosts file
  127.0.0.1   localhost.localdomain localhost

  # Private LANs at home
  172.23.4.1  joule.petershouse      joule
  172.23.4.2  curie.petershouse      curie
  172.23.5.1  joule.petershouse      joule
  172.23.5.2  heaviside.petershouse  heaviside

  # The following lines are desirable for IPv6 capable hosts
  ::1      ip6-localhost ip6-loopback
  fe00::0  ip6-localnet
  ff00::0  ip6-mcastprefix
  ff02::1  ip6-allnodes
  ff02::2  ip6-allrouters
  ff02::3  ip6-allhosts

Desktops.OpenDoc http://carnot.yi.org/
Re: configuration of a linux router
On Sun, Mar 23, 2008 at 09:07:32AM -0700, [EMAIL PROTECTED] wrote:
> Douglas,
>
> dt Now you're using shaw.ca for your home domain. Do you own that? Would you like to e.g. relay mail for all of shaw.ca?
>
> Not really. OK, I've invented the domain name petershouse; the current hosts file follows. Please let me know of any remaining errors.
>
> Isn't there a place to specify the domain, analogous to /etc/hostname? Unfortunate that these matters aren't mentioned in the hosts man page. Also, I wonder that /etc/hostname, /etc/hosts, /etc/network/interfaces and perhaps a few other files haven't been amalgamated into one. Excessive fragmentation increases the likelihood of confusion and error.

Hhmm, not really. /etc/network/interfaces is for configuring your *interfaces* and is Debian specific. /etc/hostname and /etc/hosts are traditional *nix and serve a different purpose (yes I know they are all related to the network, but still ...).

Regards, Andrei

-- If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Re: configuration of a linux router
On Sun, Mar 23, 2008 at 09:07:32AM -0700, [EMAIL PROTECTED] wrote:
> dt Now you're using shaw.ca for your home domain. Do you own that? Would you like to e.g. relay mail for all of shaw.ca?
>
> Not really.

Didn't think so :)

> OK, I've invented the domain name petershouse; the current hosts file follows. Please let me know of any remaining errors.

It looks fine. Does it work?

Do you have any firewall doing network address translation? If you want fire-and-forget just use ipmasq, if you want to really understand it use shorewall after reading shorewall-doc.

What about supplying DNS services to your network? The easiest is to install dnsmasq.

> Isn't there a place to specify the domain, analogous to /etc/hostname? Unfortunate that these matters aren't mentioned in the hosts man page. Also, I wonder that /etc/hostname, /etc/hosts, /etc/network/interfaces and perhaps a few other files haven't been amalgamated into one. Excessive fragmentation increases the likelihood of confusion and error.

No. Each *NIX has its own way, however /etc/hosts is standard. Unix networking was developed with BSD and was then imported by the other *nix in various ways. Then different *nix made automated scripts to do the networking setup and each puts its configs somewhere different. On debian, it's /etc/hostname and /etc/network/interfaces. It's all well documented and hasn't changed in a long time. Read the debian-reference.

> # /etc/hosts file
> 127.0.0.1   localhost.localdomain localhost
>
> # Private LANs at home
> 172.23.4.1  joule.petershouse      joule
> 172.23.4.2  curie.petershouse      curie
> 172.23.5.1  joule.petershouse      joule
> 172.23.5.2  heaviside.petershouse  heaviside
>
> # The following lines are desirable for IPv6 capable hosts
> ::1      ip6-localhost ip6-loopback
> fe00::0  ip6-localnet
> ff00::0  ip6-mcastprefix
> ff02::1  ip6-allnodes
> ff02::2  ip6-allrouters
> ff02::3  ip6-allhosts
>
> Desktops.OpenDoc http://carnot.yi.org/

I don't know what this line is for.

Doug.
Re: configuration of a linux router
On Mon, Mar 17, 2008 at 11:20:24AM -0700, [EMAIL PROTECTED] wrote:
> dt if you don't own peasthope.yi.org, then I wouldn't use it even locally.
>
> But I do own the machine and the name.

OK

I, personally, for the 127.0.0.1 would only use localhost and localhost.localdomain

> yi.org is a dynamic dns service. Not already being allocated is a precondition to assigning peasthope.yi.org to my computer.

If this means that there is some possibility at any given time that you will not own that domain, then I would not use it locally. I'd use something else entirely. I suppose there would be no problem with using 'peasthope' without the .yi.org as a local domain since without it, it will never be routable on the internet.

> dt It is a valid name.
>
> So ... I miss your drift here.

I've seen people use a made-up name on their local network then have trouble, if they don't get their DNS setup just right, with packets getting routed to the real example.com whatever. I thought that you had just made up the name. If you owned the name outright, then there would be no problem using it locally.

> dt e.g.
> dt 172.23.4.1 [thisbox].[yourlocaldomain] [thisbox]
>
> Is [yourlocaldomain] a domain name used only on my private LAN?

Yes. One that cannot be routed to the internet, unless you own the domain.

> I understand why computers have names. ftp curie is better than ftp 172.23.4.2. But what is the benefit of a domain name for my LAN?

Well, any time you need to lump your network together in, e.g. hosts.allow or in an MTA setup (e.g. hosts for which you will relay mail), it's a lot easier to say *.hooton than to individually list all the hosts. Especially if you later add a host, you don't have to go around adding its name everywhere. It also is fundamental if you use anything other than files for resolving.

> The revised /etc/hosts is appended. With any luck it is closer to what you suggested.
>
> ===
> .joule:~# cat /etc/hosts
> # /etc/hosts file
> 127.0.0.1   localhost.localdomain localhost
>
> # Private LANs at home
> 172.23.4.1  joule.shaw.ca      joule
> 172.23.4.2  curie.shaw.ca      curie
> 172.23.5.1  joule.shaw.ca      joule
> 172.23.5.2  heaviside.shaw.ca  heaviside

Now you're using shaw.ca for your home domain. Do you own that? Would you like to e.g. relay mail for all of shaw.ca?
Re: configuration of a linux router
On Sun, Mar 16, 2008 at 08:12:44PM -0400, Douglas A. Tutty wrote:
> On Sun, Mar 16, 2008 at 04:38:36PM -0700, [EMAIL PROTECTED] wrote:
> > # /etc/hosts file
> > 127.0.0.1   peasthope.yi.org joule localhost
>                 ^^
> this should be: localhost.localdomain localhost

the archive of the debian mailing lists contains a long discussion about localhost versus localhost.localdomain

From what I remember, the RFCs for the DNS say that localhost *is* a FQDN (the only one without a dot, to the best of my knowledge), and they do not speak about localhost.localdomain

So a line

  127.0.0.1 localhost

or

  127.0.0.1 localhost first-alias second-alias

should be correct.

-- Whoever uses non-free software poisons you too. Tell them to stop. Computing = arsenic: minimal doses in rare pathological cases, otherwise lethal. Computing = bomb: intelligent only for the fools who believe in it.
Re: configuration of a linux router
Douglas,

dt if you don't own peasthope.yi.org, then I wouldn't use it even locally.

But I do own the machine and the name. yi.org is a dynamic dns service. Not already being allocated is a precondition to assigning peasthope.yi.org to my computer.

dt It is a valid name.

So ... I miss your drift here.

dt e.g.
dt 172.23.4.1 [thisbox].[yourlocaldomain] [thisbox]

Is [yourlocaldomain] a domain name used only on my private LAN? I understand why computers have names. ftp curie is better than ftp 172.23.4.2. But what is the benefit of a domain name for my LAN?

The revised /etc/hosts is appended. With any luck it is closer to what you suggested.

Thanks, ... Peter E.

===
.joule:~# cat /etc/hosts
# /etc/hosts file
127.0.0.1   localhost.localdomain localhost

# Private LANs at home
172.23.4.1  joule.shaw.ca      joule
172.23.4.2  curie.shaw.ca      curie
172.23.5.1  joule.shaw.ca      joule
172.23.5.2  heaviside.shaw.ca  heaviside

# The following lines are desirable for IPv6 capable hosts
::1      ip6-localhost ip6-loopback
fe00::0  ip6-localnet
ff00::0  ip6-mcastprefix
ff02::1  ip6-allnodes
ff02::2  ip6-allrouters
ff02::3  ip6-allhosts
===

Desktops.OpenDoc http://carnot.yi.org/
configuration of a linux router
Douglas & others,

dt Now you will have three networks. ...
...
dt You shouldn't have to add routes like this ...

Right oh.

dt change this to 172.23.5.1, and change heaviside's to 172.23.5.2

The revised configuration follows. Everything appears OK now. There is no hub consuming power and two cables rather than three.

Thanks for the help, ... Peter E.

joule:~# cat /etc/hosts
# /etc/hosts file
127.0.0.1   peasthope.yi.org joule localhost

# Private LANs at home
172.23.4.2  curie
172.23.5.2  heaviside

# The following lines are desirable for IPv6 capable hosts
::1      ip6-localhost ip6-loopback
fe00::0  ip6-localnet
ff00::0  ip6-mcastprefix
ff02::1  ip6-allnodes
ff02::2  ip6-allrouters
ff02::3  ip6-allhosts

joule:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

auto lo eth0 eth1 eth2

# The loopback network interface
iface lo inet loopback

# The primary network interface
iface eth0 inet dhcp

# The interface to curie
iface eth1 inet static
    address 172.23.4.1
    netmask 255.255.255.0

# The interface to heaviside
iface eth2 inet static
    address 172.23.5.1
    netmask 255.255.255.0

joule:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.23.5.0      *               255.255.255.0   U         0 0          0 eth2
172.23.4.0      *               255.255.255.0   U         0 0          0 eth1
24.108.32.0     *               255.255.252.0   U         0 0          0 eth0
default         24.108.32.1     0.0.0.0         UG        0 0          0 eth0

Desktops.OpenDoc http://carnot.yi.org/
Re: configuration of a linux router
On Sun, Mar 16, 2008 at 04:38:36PM -0700, [EMAIL PROTECTED] wrote:
> Douglas & others,
>
> dt Now you will have three networks. ...
> ...
> dt You shouldn't have to add routes like this ...
>
> Right oh.
>
> dt change this to 172.23.5.1, and change heaviside's to 172.23.5.2
>
> The revised configuration follows. Everything appears OK now. There is no hub consuming power and two cables rather than three.
>
> Thanks for the help, ... Peter E.
>
> joule:~# cat /etc/hosts
> # /etc/hosts file
> 127.0.0.1   peasthope.yi.org joule localhost
                ^^
this should be: localhost.localdomain localhost

if you don't own peasthope.yi.org, then I wouldn't use it even locally. It is a valid name. Then you should have entries for this box on your local network domain e.g.

  172.23.4.1 [thisbox].[yourlocaldomain] [thisbox]
  172.23.5.1 ditto

Then ensure either that these entries are duplicated on curie and heaviside or run dnsmasq on this box.

> # Private LANs at home
> 172.23.4.2  curie

try

  172.23.4.2 curie.[yourlocaldomain] curie

> 172.23.5.2  heaviside

ditto

In short, it's always helpful to have a local domain name, especially for handling email. The rest looks fine, I'm glad it works.

Doug.

> # The following lines are desirable for IPv6 capable hosts
> ::1      ip6-localhost ip6-loopback
> fe00::0  ip6-localnet
> ff00::0  ip6-mcastprefix
> ff02::1  ip6-allnodes
> ff02::2  ip6-allrouters
> ff02::3  ip6-allhosts
>
> joule:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> auto lo eth0 eth1 eth2
>
> # The loopback network interface
> iface lo inet loopback
>
> # The primary network interface
> iface eth0 inet dhcp
>
> # The interface to curie
> iface eth1 inet static
>     address 172.23.4.1
>     netmask 255.255.255.0
>
> # The interface to heaviside
> iface eth2 inet static
>     address 172.23.5.1
>     netmask 255.255.255.0
>
> joule:~# netstat -r
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 172.23.5.0      *               255.255.255.0   U         0 0          0 eth2
> 172.23.4.0      *               255.255.255.0   U         0 0          0 eth1
> 24.108.32.0     *               255.255.252.0   U         0 0          0 eth0
> default         24.108.32.1     0.0.0.0         UG        0 0          0 eth0
>
> Desktops.OpenDoc http://carnot.yi.org/
Re: configuration of a linux router
On Sun, Mar 02, 2008 at 02:40:22PM -0700, [EMAIL PROTECTED] wrote:
> Folk,
>
> My LAN has a Debian router, joule, and two subordinate machines, curie and heaviside. The three connect to an old Linksys 10Base-T hub. joule connects to a cable modem through a second NIC and runs ipmasq. Currently I want to add a third NIC to joule, remove the hub and connect each of curie and heaviside to a NIC in joule using a crossover cable. All appears OK except that curie and heaviside fail to communicate with each other.

To my inexperienced ear it sounds like you want bridging. Shorewall should be able to do it.

Regards, Andrei

-- If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
configuration of a linux router
Folk,

My LAN has a Debian router, joule, and two subordinate machines, curie and heaviside. The three connect to an old Linksys 10Base-T hub. joule connects to a cable modem through a second NIC and runs ipmasq. Currently I want to add a third NIC to joule, remove the hub and connect each of curie and heaviside to a NIC in joule using a crossover cable. All appears OK except that curie and heaviside fail to communicate with each other.

The output of cat /etc/network/interfaces and netstat -r follow.

Thanks for any ideas, ... Peter E.

joule:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

auto lo eth0 eth1 eth2

# The loopback network interface
iface lo inet loopback

# The primary network interface
iface eth0 inet dhcp
#iface eth0 inet static
#    address 137.82.26.91
#    netmask 255.255.255.0
#    gateway 137.82.26.254

# The interface to curie
iface eth1 inet static
    address 172.23.4.1
    netmask 255.255.255.0
    up route add -host 172.23.4.4 dev $IFACE
    down route del -host 172.23.4.4 dev $IFACE

# The interface to heaviside
iface eth2 inet static
    address 172.23.4.1
    netmask 255.255.255.0
    up route add -host 172.23.4.3 dev $IFACE
    down route del -host 172.23.4.3 dev $IFACE

joule:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
heaviside       *               255.255.255.255 UH        0 0          0 eth2
curie           *               255.255.255.255 UH        0 0          0 eth1
172.23.4.0      *               255.255.255.0   U         0 0          0 eth1
172.23.4.0      *               255.255.255.0   U         0 0          0 eth2
24.108.32.0     *               255.255.252.0   U         0 0          0 eth0
default         24.108.32.1     0.0.0.0         UG        0 0          0 eth0

Desktops.OpenDoc http://carnot.yi.org/
Re: configuration of a linux router
On Sun, Mar 02, 2008 at 02:40:22PM -0700, [EMAIL PROTECTED] wrote:
> My LAN has a Debian router, joule, and two subordinate machines, curie and heaviside. The three connect to an old Linksys 10Base-T hub. joule connects to a cable modem through a second NIC and runs ipmasq. Currently I want to add a third NIC to joule, remove the hub and connect each of curie and heaviside to a NIC in joule using a crossover cable. All appears OK except that curie and heaviside fail to communicate with each other.

Now you will have three networks. The first, from joule to the cable modem, a second from joule to curie, and a third from joule to heaviside.

> The output of cat /etc/network/interfaces and netstat -r follow. Thanks for any ideas, ... Peter E.
>
> joule:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> auto lo eth0 eth1 eth2
>
> # The loopback network interface
> iface lo inet loopback
>
> # The primary network interface
> iface eth0 inet dhcp
> #iface eth0 inet static
>
> # The interface to curie
> iface eth1 inet static
>     address 172.23.4.1

Is curie 172.23.4.2?

>     netmask 255.255.255.0
>     up route add -host 172.23.4.4 dev $IFACE
>     down route del -host 172.23.4.4 dev $IFACE

You shouldn't have to add routes like this.

> # The interface to heaviside
> iface eth2 inet static
>     address 172.23.4.1

Change this to 172.23.5.1, and change heaviside's to 172.23.5.2.

>     netmask 255.255.255.0
>     up route add -host 172.23.4.3 dev $IFACE
>     down route del -host 172.23.4.3 dev $IFACE

You shouldn't have to add routes like this.

> joule:~# netstat -r
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> heaviside       *               255.255.255.255 UH        0 0          0 eth2
> curie           *               255.255.255.255 UH        0 0          0 eth1
> 172.23.4.0      *               255.255.255.0   U         0 0          0 eth1
> 172.23.4.0      *               255.255.255.0   U         0 0          0 eth2
> 24.108.32.0     *               255.255.252.0   U         0 0          0 eth0
> default         24.108.32.1     0.0.0.0         UG        0 0          0 eth0

The problem is that you have two separate network segments but haven't made that clear to the system. Joule is triple-homed and so needs three IPs. /etc/hosts will have to reflect this too, appropriately, on all three boxes.

Doug.
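Doug's diagnosis is that joule carries the same subnet (172.23.4.0/24) on both eth1 and eth2, so the kernel has two identical routes and cannot tell which link a given 172.23.4.x host sits behind. The script below is an added example, not code from the thread: it parses the iface/address/netmask stanzas of an /etc/network/interfaces file and reports every pair of interfaces whose subnets overlap. The embedded sample is the posted joule config (constructed from the post, trimmed to the static stanzas) plus the same file with Doug's 172.23.5.x fix applied; the parser only understands the subset of interfaces(5) syntax that config uses.

```python
"""Flag interfaces of one host whose IPv4 subnets overlap.

Added example, not code from the mailing-list thread. It understands only the
subset of interfaces(5) syntax the posted config uses: 'iface NAME inet static'
stanzas followed by indented 'address' and 'netmask' lines.
"""
import ipaddress
import re
import sys
from itertools import combinations

# Constructed sample: the static stanzas of the posted joule config.
POSTED_CONFIG = """\
auto lo eth0 eth1 eth2
iface lo inet loopback
iface eth0 inet dhcp
# The interface to curie
iface eth1 inet static
    address 172.23.4.1
    netmask 255.255.255.0
    up route add -host 172.23.4.4 dev $IFACE
    down route del -host 172.23.4.4 dev $IFACE
# The interface to heaviside
iface eth2 inet static
    address 172.23.4.1
    netmask 255.255.255.0
    up route add -host 172.23.4.3 dev $IFACE
    down route del -host 172.23.4.3 dev $IFACE
"""

# Constructed sample: the same config with Doug's suggested fix applied.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "iface eth2 inet static\n    address 172.23.4.1",
    "iface eth2 inet static\n    address 172.23.5.1",
)

IFACE_RE = re.compile(r"^iface\s+(\S+)\s+inet\s+(\S+)")


def parse_static_ifaces(text):
    """Return {ifname: IPv4Interface} for every 'inet static' stanza that
    carries an address (either CIDR form or address + netmask lines)."""
    result = {}
    name, fields = None, {}

    def flush():
        # Commit the stanza collected so far, if it was a static one.
        if name is None or "address" not in fields:
            return
        addr = fields["address"]
        if "/" not in addr:  # classic address + netmask form
            addr = f"{addr}/{fields.get('netmask', '255.255.255.255')}"
        result[name] = ipaddress.IPv4Interface(addr)

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            flush()
            name = m.group(1) if m.group(2) == "static" else None
            fields = {}
            continue
        key, _, value = line.partition(" ")
        if name is not None and key in ("address", "netmask"):
            fields[key] = value.strip()
    flush()
    return result


def overlapping_interfaces(text):
    """Pairs of distinct interfaces whose subnets overlap. For such a pair the
    kernel installs two equally specific connected routes and uses only one of
    them, so without per-host routes the hosts behind the other link are
    unreachable. Returned as (if_a, if_b, net_a, net_b), sorted by name."""
    ifaces = parse_static_ifaces(text)
    return [
        (a, b, str(ia.network), str(ib.network))
        for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2)
        if ia.network.overlaps(ib.network)
    ]


if __name__ == "__main__":
    # Pipe a real file in, or run without input to check the posted config.
    src = sys.stdin.read() if not sys.stdin.isatty() else POSTED_CONFIG
    hits = overlapping_interfaces(src)
    for a, b, na, nb in hits:
        print(f"{a} ({na}) overlaps {b} ({nb})")
    if not hits:
        print("no overlapping subnets")
```

On a live box the routing table rather than the config file is the source of truth, so compare the script's verdict with `ip route` (two connected routes for the same prefix on different devices is the same symptom Peter's netstat -r output shows).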
Re: forwarding _versus_ domain name service on a Linux router
On Sat, Dec 08, 2007 at 08:52:54PM -0800, PETER EASTHOPE wrote:
> Folk, A system, connected to the 'net by a telephone modem, is configured to be a router providing a network connection to one Windows system and also to be a workstation. Which is the lesser of evils: running a dns for one client or forwarding name requests over the slow connection?

Maybe dnsmasq is what you need.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
forwarding _versus_ domain name service on a Linux router
Folk,

A system, connected to the 'net by a telephone modem, is configured to be a router providing a network connection to one Windows system and also to be a workstation. Which is the lesser of evils: running a dns for one client or forwarding name requests over the slow connection?

Thanks,
... Peter E.
http://carnot.yi.org/
Re: Linux Router
Hello Mathias,

Mathias Kruemmel, 25.06.2006 (d.m.y):
> The router and the clients can ping their own IP. Apart from the fact that the one machine is supposed to work as a router, it must surely be possible for the machines (192.168.20.1 and 192.168.20.2) on the same network to ping each other. I have no firewall active. If I put in only 2 network cards instead of the current three, it works. Could it be that the cards in my router are clashing with each other?

But both the router and the clients have to know by which route, i.e. through which interface, they can reach the other IP subnets. IMO that is where you should start.

Regards,
Christian Schmidt
-- 
Whoever says A will also say "ouch". -- Zarko Petan
Linux Router
Hello folks,

I want to build a router that connects the networks 192.168.20.0, 192.168.21.0 and 192.168.22.0. To that end I have put three network cards into my Linux machine and filled in the interfaces in /etc/network/interfaces with IP addresses and all the other values. I gave the three cards the first IP of each network (i.e. 192.168.20.1, 21.1 and 22.1). Then I switched routing on with echo 1 > /proc/sys/net/ipv4/ip_forward. An ifconfig showed me all devices with the corresponding IP addresses.

The problem I now have is that the address 192.168.20.1 (router) cannot ping the client 192.168.20.2. When I tried the whole scenario with only 2 networks, i.e. 2 network cards, pinging and routing between those two networks (192.168.20.0 and 192.168.21.0) worked.

Is this scenario with three network cards, i.e. connecting the three different networks via the router, possible at all?

Thanks for your answers

-- 
Frequently asked questions and answers (FAQ): http://www.de.debian.org/debian-user-german-FAQ/
To UNSUBSCRIBE send a mail to [EMAIL PROTECTED] with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)
Re: Linux Router
Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006 23:35:17 +0200):
> Hello folks,

'evening

> I want to build a router that connects the networks 192.168.20.0, 192.168.21.0 and 192.168.22.0. To that end I have put three network cards into my Linux machine and filled in the interfaces in /etc/network/interfaces with IP addresses and all the other values. I gave the three cards the first IP of each network (i.e. 192.168.20.1, 21.1 and 22.1). Then I switched routing on with echo 1 > /proc/sys/net/ipv4/ip_forward.

cat /proc/sys/net/ipv4/ip_forward hopefully gives 1. :-)

What does

    # route -n

or

    # ip route show

say?

> An ifconfig showed me all devices with the corresponding IP addresses.

Ok. Any errors, collisions?

> The problem I now have is that the address 192.168.20.1

Firewall active? Can you ping your own interface?

> (router) cannot ping the client 192.168.20.2.

Has the client perhaps switched off ICMP ECHO reply? Who/what is the client? Capture the network traffic with tcpdump/(t)ethereal and see where the packets whizz off to...

> When I tried the whole scenario with only 2 networks, i.e. 2 network cards, pinging and routing between those two networks (192.168.20.0 and 192.168.21.0) worked.
>
> Is this scenario with three network cards, i.e. connecting the three different networks via the router, possible at all?

Of course.

sl ritch
Re: Linux Router
Moin,

* Mathias Kruemmel wrote (2006-06-24 23:35):
> I want to build a router that connects the networks 192.168.20.0, 192.168.21.0 and 192.168.22.0.

I'll assume /24.

> An ifconfig showed me all devices with the corresponding IP addresses.

What does the routing table look like?

> The problem I now have is that the address 192.168.20.1 (router) cannot ping the client 192.168.20.2.

Does a ping into the other networks work? Does a ping from another host in 192.168.20.0 work?

> Is this scenario with three network cards, i.e. connecting the three different networks via the router, possible at all?

Sure.

Thorsten
-- 
It is exactly because markets are amoral that we cannot leave the allocation of resources entirely to them. - George Soros
Re: Linux Router
Richard Mittendorfer wrote:
> Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006 23:35:17 +0200):
>> Hello folks,
>
> 'evening
>
>> I want to build a router that connects the networks 192.168.20.0, 192.168.21.0 and 192.168.22.0. To that end I have put three network cards into my Linux machine and filled in the interfaces in /etc/network/interfaces with IP addresses and all the other values. I gave the three cards the first IP of each network (i.e. 192.168.20.1, 21.1 and 22.1). Then I switched routing on with echo 1 > /proc/sys/net/ipv4/ip_forward.
>
> cat /proc/sys/net/ipv4/ip_forward hopefully gives 1. :-)
>
> What does
>
>     # route -n
>
> or
>
>     # ip route show
>
> say?
>
>> An ifconfig showed me all devices with the corresponding IP addresses.
>
> Ok. Any errors, collisions?
>
>> The problem I now have is that the address 192.168.20.1
>
> Firewall active? Can you ping your own interface?
>
>> (router) cannot ping the client 192.168.20.2.
>
> Has the client perhaps switched off ICMP ECHO reply? Who/what is the client? Capture the network traffic with tcpdump/(t)ethereal and see where the packets whizz off to...
>
>> When I tried the whole scenario with only 2 networks, i.e. 2 network cards, pinging and routing between those two networks (192.168.20.0 and 192.168.21.0) worked.
>>
>> Is this scenario with three network cards, i.e. connecting the three different networks via the router, possible at all?
>
> Of course.
>
> sl ritch

The router and the clients can ping their own IP. Apart from the fact that the one machine is supposed to work as a router, it must surely be possible for the machines (192.168.20.1 and 192.168.20.2) on the same network to ping each other. I have no firewall active. If I put in only 2 network cards instead of the current three, it works. Could it be that the cards in my router are clashing with each other?
Re: Linux Router
Moin,

* Mathias Kruemmel wrote (2006-06-25 00:04):
> The router and the clients can ping their own IP.

Ok. What about the other questions?

> Apart from the fact that the one machine is supposed to work as a router, it must surely be possible for the machines (192.168.20.1 and 192.168.20.2) on the same network to ping each other. I have no firewall active. If I put in only 2 network cards instead of the current three, it works.

We know that already.

> Could it be that the cards in my router are clashing with each other?

Yes.

Thorsten
-- 
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves. - William Pitt
Re: Linux Router
Mathias Kruemmel wrote:
> Richard Mittendorfer wrote:
>> Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006 23:35:17 +0200):
>>> Hello folks,
>>
>> 'evening
>>
>>> I want to build a router that connects the networks 192.168.20.0, 192.168.21.0 and 192.168.22.0. To that end I have put three network cards into my Linux machine and filled in the interfaces in /etc/network/interfaces with IP addresses and all the other values. I gave the three cards the first IP of each network (i.e. 192.168.20.1, 21.1 and 22.1). Then I switched routing on with echo 1 > /proc/sys/net/ipv4/ip_forward.
>>
>> cat /proc/sys/net/ipv4/ip_forward hopefully gives 1. :-)
>>
>> What does
>>
>>     # route -n
>>
>> or
>>
>>     # ip route show
>>
>> say?
>>
>>> An ifconfig showed me all devices with the corresponding IP addresses.
>>
>> Ok. Any errors, collisions?
>>
>>> The problem I now have is that the address 192.168.20.1
>>
>> Firewall active? Can you ping your own interface?
>>
>>> (router) cannot ping the client 192.168.20.2.
>>
>> Has the client perhaps switched off ICMP ECHO reply? Who/what is the client? Capture the network traffic with tcpdump/(t)ethereal and see where the packets whizz off to...
>>
>>> When I tried the whole scenario with only 2 networks, i.e. 2 network cards, pinging and routing between those two networks (192.168.20.0 and 192.168.21.0) worked.
>>>
>>> Is this scenario with three network cards, i.e. connecting the three different networks via the router, possible at all?
>>
>> Of course.
>>
>> sl ritch
>
> The router and the clients can ping their own IP. Apart from the fact that the one machine is supposed to work as a router, it must surely be possible for the machines (192.168.20.1 and 192.168.20.2) on the same network to ping each other. I have no firewall active. If I put in only 2 network cards instead of the current three, it works. Could it be that the cards in my router are clashing with each other?

All clear!

I tried the whole thing on a VMware platform and mixed up the devices in the settings there. Sorry, and thanks again for your efforts
Re: Elsterformular und Linux-Router
Hello Thomas Antepoth,

[...]
> In the current version Elster needs a direct connection to the Elster server, and therefore SQUID as a proxy does not work together with ELSTER.

Correct, I had the same problem at work.

[...]
>> Has anybody got something like this running?
>
> No. But you should make sure with a call to the Elster hotline[1]. 12 weeks is a long time and something may well have happened in the meantime.

Yes. Something has happened. As a previous poster already wrote, there is a piece of Java software that creates an HTTP tunnel, i.e. is used as a proxy. Details can be found on the homepage at elster.de.

Regards
Thomas
Re: Elsterformular und Linux-Router
Werner Opriel wrote:
> I am also trying to establish the Elster data transfer over a Linux router from an internal network. The LAN is separated from the Internet by a DMZ. The DMZ proxy is not involved here for the reasons described above, so the Elster servers are addressed directly.
>
> Note: since recently there is an HTTP tunnel (requires Java Web Start) at https://www.elster.de/elfo_tunnel.php?tunnelversion=1.0.0 with which Squid is supposedly also supposed to work.
>
> The following rules are meant to allow direct contact from a client in the internal network to one of the Elster servers:
>
> # Router LAN -- DMZ
> # ---
> ELSTER_PORT=8000
> ELSTER_SERV="62.157.211.58 62.157.211.59 62.157.211.60 \
>              193.109.238.26 193.109.238.27 213.182.157.66"
>
> # allow requests to the external Elster servers on the Elster port
> for EP in $ELSTER_SERV
> do
>     $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS -d $EP \
>         --dport $ELSTER_PORT -m state --state NEW,ESTABLISHED,RELATED \
>         -o $DMZ_IF -i $LAN_IF -j ACCEPT
> done
>
> # allow incoming packets from the Elster servers that belong to
> # existing connections (return path)
> for EP in $ELSTER_SERV
> do
>     $IPTABLES -A FORWARD -i $DMZ_IF -o $LAN_IF -s $EP \
>         -m state --state ESTABLISHED,RELATED -j ACCEPT
> done
>
> # Router DMZ -- Internet
> # ---
> # the Elsterformular upload servers and their port
> ELSTER_SERVER=(62.157.211.58 \
>                62.157.211.59 \
>                62.157.211.60 \
>                193.109.238.26 \
>                193.109.238.27 \
>                213.182.157.66)
> ELSTER_PORT=8000
>
> # Source NAT -- (SNAT/Masquerading)
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
>
> # Enable IP Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # allow requests (TCP) with destination port 8000
> # for access to the Elster servers
> for ES in ${ELSTER_SERVER[*]}
> do
>     $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS \
>         --dport $ELSTER_PORT -o $EXT_IF -i $DMZ_IF -d $ES \
>         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> done
>
> # explicitly allow replies (return path) from the Elster servers
> for ES in ${ELSTER_SERVER[*]}
> do
>     $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -s $ES \
>         -m state --state ESTABLISHED,RELATED -j ACCEPT
> done
> #-
>
> The connection does get established, but aborts after a short time with a timeout.. A tcpdump shows the following:
>
> ...
> 4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
> 4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.887251 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8573 Ack=2855 Win=7667 Len=596
> 4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.892614 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#2] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
> 4.952832 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#3] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
> 5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
>
> Any idea where it is pinching here?

Problem solved!

I had a path MTU discovery problem. The rules shown are OK as far as they go. As one can see, the connection is established and the first data packets are exchanged, but from a certain point on the connection breaks off. Here an overly strict ICMP rule (not shown) meant that the negotiation about packet size, i.e. fragmentation-needed, did not take place. :-( The consequence was a timeout on the client side.
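Werner's trace shows the textbook signature of a path-MTU black hole: the 610-byte segment is acknowledged, but the full-size 1460-byte segment at Seq=3875 is retransmitted with exponential backoff (5.7s, 7.5s, 11.1s, 18.4s, 32.8s) and never acknowledged, because the ICMP fragmentation-needed message a router on the path sent back was dropped by the firewall. The script below is an added example, not code from the thread: it parses the posted tethereal-style summary lines (embedded as sample data, exactly as posted) and applies that heuristic, flagging a suspected PMTU black hole when every segment that is retransmitted without ever being acknowledged is larger than the largest segment the peer did acknowledge. The client address 192.168.10.1 and the line format are the ones in the trace; the "healthy" variant with a final covering ACK is constructed here to show the negative case.

```python
"""Heuristic check for a path-MTU black hole in a TCP trace.

Added example, not code from the mailing-list thread. It parses tethereal-style
summary lines like the ones posted and reports when only full-size segments go
unacknowledged while smaller ones get through, the classic symptom of ICMP
fragmentation-needed (type 3, code 4) being filtered somewhere on the path.
"""
import re
from collections import Counter

# Sample data: the trace lines from the post (client 192.168.10.1, Elster
# upload server 193.109.238.27:8000), reproduced as posted.
POSTED_TRACE = """\
...
4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.887251 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8573 Ack=2855 Win=7667 Len=596
4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.892614 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#2] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
4.952832 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#3] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
"""

# Constructed sample: the same trace plus a final ACK that covers the
# 1460-byte segment, i.e. what a healthy path would have produced.
HEALTHY_TRACE = POSTED_TRACE + (
    "33.000000 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] "
    "Seq=2855 Ack=5335 Win=14790 Len=0\n"
)

LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?:\[(?P<note>[^\]]*)\]\s+)?"  # analysis note, e.g. [TCP Retransmission]
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)\s+Win=(?P<win>\d+)\s+Len=(?P<len>\d+)$"
)


def parse_trace(text):
    """Return one dict per parseable line; lines that do not match the
    summary format (such as the leading '...') are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("seq", "ack", "win", "len", "sport", "dport"):
            d[key] = int(d[key])
        d["time"] = float(d["time"])
        d["note"] = d["note"] or ""
        segs.append(d)
    return segs


def pmtu_blackhole_report(segs, client):
    """Compare what the peer acknowledged with what the client keeps
    retransmitting. Returns the evidence plus a verdict."""
    # Highest cumulative ACK the peer ever sent back to the client.
    highest_ack = max((s["ack"] for s in segs if s["dst"] == client), default=0)

    data = [s for s in segs if s["src"] == client and s["len"] > 0]
    acked_lens = [s["len"] for s in data if s["seq"] + s["len"] <= highest_ack]

    # Retransmitted segments that no ACK ever covered, counted per segment.
    retx = Counter(
        (s["seq"], s["len"]) for s in data
        if "Retransmission" in s["note"] and s["seq"] + s["len"] > highest_ack
    )
    blackholed = [
        {"seq": seq, "len": length, "retransmits": n}
        for (seq, length), n in sorted(retx.items())
    ]
    largest_acked = max(acked_lens, default=0)
    # Verdict: something is stuck, and everything stuck is bigger than
    # anything that got through.
    verdict = bool(blackholed) and all(b["len"] > largest_acked for b in blackholed)
    return {
        "highest_ack": highest_ack,
        "largest_acked_len": largest_acked,
        "blackholed": blackholed,
        "suspect_pmtu_blackhole": verdict,
    }


if __name__ == "__main__":
    for name, trace in (("posted", POSTED_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, pmtu_blackhole_report(parse_trace(trace), client="192.168.10.1"))
```

Note that the fragmentation-needed message is generated by whichever router on the path has the smaller MTU, not by the Elster server, so a return-path rule keyed on `-s $ES` will not pass it even though conntrack would classify it as RELATED. The usual fix is an explicit `-p icmp --icmp-type fragmentation-needed -m state --state RELATED -j ACCEPT` in the FORWARD chain (or, on a gateway that cannot rely on ICMP getting through, `-t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`), which is the loosening of the ICMP rule Werner describes.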
Re: Elsterformular und Linux-Router
I am also trying to establish the Elster data transfer over a Linux router from an internal network. The LAN is separated from the Internet by a DMZ. The DMZ proxy is not involved here for the reasons described above, so the Elster servers are addressed directly.

Note: since recently there is an HTTP tunnel (requires Java Web Start) at https://www.elster.de/elfo_tunnel.php?tunnelversion=1.0.0 with which Squid is supposedly also supposed to work.

The following rules are meant to allow direct contact from a client in the internal network to one of the Elster servers:

# Router LAN -- DMZ
# ---
ELSTER_PORT=8000
ELSTER_SERV="62.157.211.58 62.157.211.59 62.157.211.60 \
             193.109.238.26 193.109.238.27 213.182.157.66"

# allow requests to the external Elster servers on the Elster port
for EP in $ELSTER_SERV
do
    $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS -d $EP \
        --dport $ELSTER_PORT -m state --state NEW,ESTABLISHED,RELATED \
        -o $DMZ_IF -i $LAN_IF -j ACCEPT
done

# allow incoming packets from the Elster servers that belong to
# existing connections (return path)
for EP in $ELSTER_SERV
do
    $IPTABLES -A FORWARD -i $DMZ_IF -o $LAN_IF -s $EP \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Router DMZ -- Internet
# ---
# the Elsterformular upload servers and their port
ELSTER_SERVER=(62.157.211.58 \
               62.157.211.59 \
               62.157.211.60 \
               193.109.238.26 \
               193.109.238.27 \
               213.182.157.66)
ELSTER_PORT=8000

# Source NAT -- (SNAT/Masquerading)
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# allow requests (TCP) with destination port 8000
# for access to the Elster servers
for ES in ${ELSTER_SERVER[*]}
do
    $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS \
        --dport $ELSTER_PORT -o $EXT_IF -i $DMZ_IF -d $ES \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

# explicitly allow replies (return path) from the Elster servers
for ES in ${ELSTER_SERVER[*]}
do
    $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -s $ES \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#-

The connection does get established, but aborts after a short time with a timeout.. A tcpdump shows the following:

...
4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.887251 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8573 Ack=2855 Win=7667 Len=596
4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.892614 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#2] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
4.952832 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#3] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460

Any idea where it is pinching here?
Re: Elsterformular und Linux-Router
On Tuesday, 12 April 2005 09:14, Werner Opriel wrote:
> I am also trying to establish the Elster data transfer over a Linux router from an internal network. The LAN is separated from the Internet by a DMZ. The DMZ proxy is not involved here for the reasons described above, so the Elster servers are addressed directly.
>
> Note: since recently there is an HTTP tunnel (requires Java Web Start) at https://www.elster.de/elfo_tunnel.php?tunnelversion=1.0.0 with which Squid is supposedly also supposed to work.

If it is HTTP(S), then Squid works too. Which data are ultimately carried over the protocol no longer matters.

> The following rules are meant to allow direct contact from a client in the internal network to one of the Elster servers:
>
> # Router LAN -- DMZ
> # ---
> ELSTER_PORT=8000
> ELSTER_SERV="62.157.211.58 62.157.211.59 62.157.211.60 \
>              193.109.238.26 193.109.238.27 213.182.157.66"
>
> # allow requests to the external Elster servers on the Elster port
> for EP in $ELSTER_SERV
> do
>     $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS -d $EP \
>         --dport $ELSTER_PORT -m state --state NEW,ESTABLISHED,RELATED \
>         -o $DMZ_IF -i $LAN_IF -j ACCEPT
> done

With the note that the variables $UNPRIVPORTS, $DMZ_IF and $LAN_IF are set accordingly on your side.

> # allow incoming packets from the Elster servers that belong to
> # existing connections (return path)
> for EP in $ELSTER_SERV
> do
>     $IPTABLES -A FORWARD -i $DMZ_IF -o $LAN_IF -s $EP \
>         -m state --state ESTABLISHED,RELATED -j ACCEPT
> done

Why not both in one loop?

> # Router DMZ -- Internet
> # ---

OK, this should be the interesting part for the OP:

> # the Elsterformular upload servers and their port
> ELSTER_SERVER=(62.157.211.58 \
>                62.157.211.59 \
>                62.157.211.60 \
>                193.109.238.26 \
>                193.109.238.27 \
>                213.182.157.66)
> ELSTER_PORT=8000
>
> # Source NAT -- (SNAT/Masquerading)
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

With $EXT_IF = the Internet interface.

> # Enable IP Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # allow requests (TCP) with destination port 8000
> # for access to the Elster servers
> for ES in ${ELSTER_SERVER[*]}
> do
>     $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS \
>         --dport $ELSTER_PORT -o $EXT_IF -i $DMZ_IF -d $ES \
>         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> done
>
> # explicitly allow replies (return path) from the Elster servers
> for ES in ${ELSTER_SERVER[*]}
> do
>     $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -s $ES \
>         -m state --state ESTABLISHED,RELATED -j ACCEPT
> done
> #-

Remarks: see above.

> The connection does get established, but aborts after a short time with a timeout.. A tcpdump shows the following:
>
> ...
> 4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
> 4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.887251 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8573 Ack=2855 Win=7667 Len=596
> 4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.892614 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#2] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
> 4.952832 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#3] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
> 4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
> 5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
> 32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460

No TCP connection gets established in the first place. Sniff on both gateways to see what goes in and out where.

-- 
Regards MaxX
Please note: this mail address accepts list mails only. For PM please swap the recipient for the name in the sig.
Elsterformular und Linux-Router
hi,

I'm almost at my wits' end... I have a Win-ME client hanging off a Debian server (kernel 2.4). The network works, and I can get onto the Internet with it too. Now I want (have to) send my tax return from the Windows PC to the tax office. The help for the Elster program says I should set up a gateway that maps port 4000 to port 8000 at the IP 62.157.211.58 (and 5 more). I have squid running here, but cannot find where and how I have to configure that in squid.conf. I have already tried 1000 things, but nothing works. Google isn't very productive either. Has anybody got something like this running? Grateful for any hint.

Regards
Kersten Tams
Re: Elsterformular und Linux-Router
Kersten Tams [EMAIL PROTECTED] wrote:
> I have squid running here, but cannot find where and how I have to configure that in squid.conf. I have already tried 1000 things, but nothing works. Google isn't very productive either. Has anybody got something like this running?

Me, at work. With Squid this will be nothing IMHO, you need iptables to do IP masquerading. I hope that's enough for you. Otherwise ask again.

Andreas
-- 
This message was created with the kind support of a free-range penguin from species-appropriate free-range husbandry. It is guaranteed free of Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)
Re: Elsterformular und Linux-Router
On Mon, 11 Apr 2005, Kersten Tams wrote:
> I have a Win-ME client hanging off a Debian server (kernel 2.4). The network works, and I can get onto the Internet with it too. Now I want (have to) send my tax return from the Windows PC to the tax office. The help for the Elster program says I should set up a gateway that maps port 4000 to port 8000 at the IP 62.157.211.58 (and 5 more).

In the current version Elster needs a direct connection to the Elster server, and therefore SQUID as a proxy does not work together with ELSTER. That was the statement of the Elster hotline about 12 weeks ago. At the same time the helpdesk employee said that quite a lot of enquiries about proxy and Elster were coming in, and that therefore the chances were quite good that one of the coming versions would work with proxy support.

> Has anybody got something like this running?

No. But you should make sure with a call to the Elster hotline[1]. 12 weeks is a long time and something may well have happened in the meantime.

t++

[1] https://www.elster.de/hotline.php
Re: Elsterformular und Linux-Router
On Monday, 11 April 2005 17:47, Kersten Tams wrote:
> hi,
>
> I'm almost at my wits' end... I have a Win-ME client hanging off a Debian server (kernel 2.4). The network works, and I can get onto the Internet with it too. Now I want (have to) send my tax return from the Windows PC to the tax office. The help for the Elster program says I should set up a gateway that maps port 4000 to port 8000 at the IP 62.157.211.58 (and 5 more). I have squid running here, but cannot find where and how I have to configure that in squid.conf.

That won't work that way either. Squid is an HTTP and (to a limited extent) FTP proxy (= stand-in). Simplified, that means it stands in for the requesting client towards the requested HTTP server, and so gets the pages sent to it, and on the other side it impersonates the requested HTTP server towards the requesting client. But the Elster program obviously does not run over HTTP. So Squid cannot do anything here. You therefore need either an HTTP tunnel through Squid (on your side you could surely install something suitable, but you will lack the other tunnel end on the Internet), or you have to switch on IP forwarding and masquerading on the Linux box. Then, of course, appropriate firewall rules that only open the relevant ports for the IP addresses in question are sensible -- iptables.

-- 
Regards MaxX
Please note: this mail address accepts list mails only. For PM please swap the recipient for the name in the sig.
Re: Elsterformular und Linux-Router
Andreas Kretschmer wrote:
[...]
>> Has anybody got something like this running?
>
> Me, at work. With Squid this will be nothing IMHO, you need iptables to do IP masquerading. I hope that's enough for you. Otherwise ask again.

hi,

I hereby do ;-) I just tried to set something up with webmin. Honestly, I didn't quite understand it. What are prerouting and postrouting, and where do I now have to enter the ports and IPs? I do have a vague idea, but I also don't want to wreck anything completely. Can you give me a few tips on what I have to set where? There are so many additional parameters that I can't see through it at all any more. Normally I would work through it in peace and keep trying until it runs (that's how I have done it so far), but at the moment the tax office is waiting for my return and they are not squeamish with late fees, so I don't have time for this hard way. I hope for a little understanding if I ask for a small example :-)

Regards
Kersten
Re: Elsterformular and Linux router
Kersten Tams [EMAIL PROTECTED] wrote:
> Andreas Kretschmer wrote:
> > [...]
> > > Has anyone ever got something like this working?
> > Me, at work. With Squid this won't work IMHO; you need iptables to do IP_Masquerade. I hope that's enough for you. Otherwise ask again.
>
> hi,
> I hereby do ;-) I just tried to set something up with webmin. Honestly, I didn't quite understand it.

http://netfilter.org

> What are prerouting and postrouting, and where do I have to set the ports and IPs now? I have a vague idea, but I also don't want to break things completely.

    iptables -t nat -A POSTROUTING -s client -j MASQUERADE

With this your gateway does IP masquerading for the client. For that, however, the Linux kernel also has to work as a router:

    echo 1 > /proc/sys/net/ipv4/ip_forward

If you have _no_ further iptables rules, that is already enough. Bear in mind, though, that this gives the client full access to the Internet - which as an admin you normally don't want. That can be restricted:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p TCP -s client --dport 8000 -j ACCEPT
    iptables -A FORWARD -p TCP -s client -j REJECT --reject-with tcp-reset
    iptables -A FORWARD -p TCP -s client -j REJECT --reject-with icmp-port-unreachable

In the 2nd rule you could additionally specify the permitted IP addresses of the 6 servers. On the client you still have to set a default route (or host routes to the 6 servers).

> Can you give me a few tips on what I have to set where? There are so

Read the iptables documentation. If self-promotion is allowed: http://www.linuxinfotag.de/7/detail/7

> many additional parameters that I can't see through it any more.

It looks worse at first glance than at the second ;-)

-- 
This message was created with the kind support of a free-range penguin from species-appropriate outdoor husbandry. It is guaranteed free of Micro$oft viruses.
(#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)
Re: Linux Router
Captain's Log, stardate Tue, 14 Dec 2004 12:23:08 -0600, from the fingers of Michael Madden came the words:
> > The main point is that there are so many things to do in Linux in order to configure it for masquerading (recompiling the kernel etc.). There are also so many different commands that do exactly the same thing but in different ways. If a person is starting off in firewalling it's not good to overwhelm them with information. With OpenBSD, you simply edit stuff that's already there, for example. These are the steps I would take to set up a gateway on a brand newly set up OpenBSD machine:
> >
> > Uncomment the following in /etc/sysctl.conf
> >     net.inet.ip.forwarding=1
> >     net.inet6.ip6.forwarding=1 (if using IPv6)
> >
> > Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, stuff in [] is optional)
> >     nat [pass] on interface [af] from src_addr [port src_port] to dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]
> >
> > You may then reboot the machine or just issue the following two commands:
> >     # sysctl net.inet.ip.forwarding=1
> > Or
> >     # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
> > Then
> >     # pfctl -f /etc/pf.conf
> >
> > You now have a fully working NAT box. To perform IP forwarding uncomment the port redirect line in pf.conf and modify it to your taste, then issue:
> >     # pfctl -f /etc/pf.conf
> >
> > The default configuration for the machine has zero known security holes. (Have a look at www.openbsd.org for security info.)
> >
> > Regards,
> > Ken
>
> Forgive me if I'm new to the OpenBSD approach, but I've installed OpenBSD 3.6 on a laptop with 2 PCMCIA cards, and I cannot get any of my clients behind the firewall to see beyond the firewall.
>
> My two network cards are set up as:
>
>     bsdrouter# ifconfig ep1
>     ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             address: 00:60:97:87:8b:4d
>             media: Ethernet 10baseT
>             inet 172.16.1.100 netmask 0x broadcast 172.16.255.255
>             inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
>     bsdrouter# ifconfig ep2
>     ep2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             address: 00:10:4b:ec:64:80
>             media: Ethernet 10baseT
>             inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255
>             inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6
>
> I've got IP forwarding enabled:
>
>     bsdrouter# cat /etc/sysctl.conf
>     net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
>
> Finally I've set up pf.conf:
>
>     bsdrouter# cat /etc/pf.conf
>     f=ep1
>     int_if=ep2
>     nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> I rebooted the machine after the above network setup, and while I'm on the router I can see the 192.168.3.x network, the 172.16.x.x network, and the internet. But my Windows machines behind the firewall cannot reach beyond the firewall even though the OpenBSD router is set as the default gateway. On machines on the 172.16.x.x network, I can reach the router at 172.16.1.100 and the machines behind the router (if I add a route to the 172.16.x.x machines).
>
> Has anyone experienced this before?
>
> Thanks,
> Mike

Hi Mike

Have you set a rule to allow the NAT to pass through the box? Simply adding "pass" to your above command should do that for you:

    nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

Also, the macro for your external interface: I assume it's not set to "f=ep1". Was that just a couple of missed characters while copying and pasting? (It should read ext_if=ep1, not f=ep1.)

Here is my pf.conf from one of my firewalls if it's any help to you. You might want to comment out the block stuff and change the IP addresses for redirection etc.

    # macros
    int_if = fxp0
    ext_if = rl0
    tcp_services = { 22, 80, }
    icmp_types = echoreq
    priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

    # options
    set block-policy return
    set loginterface $ext_if

    # scrub
    scrub in all

    # nat/rdr
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    #rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    #rdr pass on $ext_if proto tcp from any to $ext_if port smtp -> 10.2.0.15
    #rdr pass on $int_if proto tcp from any to $int_if port 350 -> 10.2.2.202

    # filter rules
    block all
    pass quick on lo0 all
    pass in on $ext_if inet proto tcp from any to 10.2.0.15 port smtp
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    #pass in on $ext_if inet proto tcp from any to ($ext_if) \
    #    port $tcp_services flags S/SA keep state
    #pass in inet proto icmp all icmp-type $icmp_types keep state
    pass in on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

Regards,
Ken
Re: Linux Router
Captain's Log, stardate Tue, 14 Dec 2004 14:22:48 -0600, from the fingers of Michael Madden came the words:
> I figured out what was wrong with my OpenBSD 3.6 setup. I needed to set pf=YES in /etc/rc.conf. I must have missed this when reading through the install documentation. Anyhow, these are the steps that worked for me:
>
> 1.) Install OpenBSD 3.6 according to the directions at: http://www.openbsd.org/faq/faq4.html
> 2.) Add the following line to /etc/sysctl.conf:
>         net.inet.ip.forwarding=1
> 3.) Add the following line to /etc/pf.conf:
>         nat on ep1 from ep2:network to any -> (ep1)
> 4.) Add the following to /etc/rc.conf:
>         pf=YES
>
> Thanks again for all the help.
>
> Thanks,
> Mike

Glad you got it going Mike! Sorry I didn't mention that last pf=YES comment... I was doing it from the top of my head. Good job figuring it out!

Thanks and Regards,
Ken Gilmour
BOFH Script Monkey
Irish Operations
Re: Linux Router
> The main point is that there are so many things to do in Linux in order to configure it for masquerading (recompiling the kernel etc.). There are also so many different commands that do exactly the same thing but in different ways. If a person is starting off in firewalling it's not good to overwhelm them with information. With OpenBSD, you simply edit stuff that's already there, for example. These are the steps I would take to set up a gateway on a brand newly set up OpenBSD machine:
>
> Uncomment the following in /etc/sysctl.conf
>     net.inet.ip.forwarding=1
>     net.inet6.ip6.forwarding=1 (if using IPv6)
>
> Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, stuff in [] is optional)
>     nat [pass] on interface [af] from src_addr [port src_port] to dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]
>
> You may then reboot the machine or just issue the following two commands:
>     # sysctl net.inet.ip.forwarding=1
> Or
>     # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
> Then
>     # pfctl -f /etc/pf.conf
>
> You now have a fully working NAT box. To perform IP forwarding uncomment the port redirect line in pf.conf and modify it to your taste, then issue:
>     # pfctl -f /etc/pf.conf
>
> The default configuration for the machine has zero known security holes. (Have a look at www.openbsd.org for security info.)
>
> Regards,
> Ken

Forgive me if I'm new to the OpenBSD approach, but I've installed OpenBSD 3.6 on a laptop with 2 PCMCIA cards, and I cannot get any of my clients behind the firewall to see beyond the firewall.

My two network cards are set up as:

    bsdrouter# ifconfig ep1
    ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:60:97:87:8b:4d
            media: Ethernet 10baseT
            inet 172.16.1.100 netmask 0x broadcast 172.16.255.255
            inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
    bsdrouter# ifconfig ep2
    ep2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:10:4b:ec:64:80
            media: Ethernet 10baseT
            inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255
            inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6

I've got IP forwarding enabled:

    bsdrouter# cat /etc/sysctl.conf
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

Finally I've set up pf.conf:

    bsdrouter# cat /etc/pf.conf
    f=ep1
    int_if=ep2
    nat on $ext_if from !($ext_if) -> ($ext_if:0)

I rebooted the machine after the above network setup, and while I'm on the router I can see the 192.168.3.x network, the 172.16.x.x network, and the internet. But my Windows machines behind the firewall cannot reach beyond the firewall even though the OpenBSD router is set as the default gateway. On machines on the 172.16.x.x network, I can reach the router at 172.16.1.100 and the machines behind the router (if I add a route to the 172.16.x.x machines).

Has anyone experienced this before?

Thanks,
Mike

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Linux Router
I figured out what was wrong with my OpenBSD 3.6 setup. I needed to set pf=YES in /etc/rc.conf. I must have missed this when reading through the install documentation. Anyhow, these are the steps that worked for me:

1.) Install OpenBSD 3.6 according to the directions at: http://www.openbsd.org/faq/faq4.html
2.) Add the following line to /etc/sysctl.conf:
        net.inet.ip.forwarding=1
3.) Add the following line to /etc/pf.conf:
        nat on ep1 from ep2:network to any -> (ep1)
4.) Add the following to /etc/rc.conf:
        pf=YES

Thanks again for all the help.

Thanks,
Mike
Re: Linux Router
Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of Michael Madden came the words:
> Does anyone know of a decent Linux based router project out there? In the past I've used LRP (http://www.linuxrouter.org), but it looks like the project isn't maintained anymore. My requirements are pretty simple. I want to route traffic from network A to network B and route traffic from network B to A. I don't need firewalling, but would like IP forwarding and NAT. Any recommendations?

Linux is capable of routing by default, almost. All you need are two interfaces and Linux. You can use iptables (or ipchains if you're using an old distro) to do this. Personally I prefer OpenBSD to do this because it's very compact etc., but I've also used Debian Woody to do the same task. The only problem I have with Linux's iptables as opposed to OpenBSD's PF is that iptables has an overwhelming amount of stuff it can do and you can easily break it. But it is, however, much more configurable. You can set them to just allow everything through and use NAT and IP forwarding in the process.

HTH

Regards,
Ken
RE: Linux Router
> From: Michael Madden [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 13, 2004 5:31 PM
>
> Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

(maybe this time I'll reply to the list ;-)

I've never used it, but CoyoteLinux [1] appears to be active. It even has a Windows based Wizard, if you are so inclined.

[1] http://www.coyotelinux.com/products.php?Product=coyote
Re: Linux Router
On Mon, 2004-12-13 at 17:31 -0600, Michael Madden wrote:
> Alex Barylo wrote:
> [snip]
> Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

floppyfw does the trick.

-- 
- Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

"The United States is not a nation to which peace is a necessity." Grover Cleveland
Re: Linux Router
Croy, Nathan wrote:
> > From: Michael Madden [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 13, 2004 5:31 PM
> >
> > Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?
>
> I've never used it, but CoyoteLinux [1] appears to be active. It even has a Windows based Wizard, if you are so inclined.
>
> [1] http://www.coyotelinux.com/products.php?Product=coyote

I've used Coyote for a long time. It was great. Easy to set up, and it has a 2.4 kernel (so you can use iptables if you need to manually tweak something), a wizard that works OK from Windows, and a shell menu-driven or web interface that allows you to set up most scenarios... anything more complicated than you find in the interface, you can go to the shell and set up yourself.

Using a floppy = read-only medium, easy system backup ;-), no noise, low heat... I was using it in a diskless/fanless P200 Classic with 16Mb RAM.
Re: Linux Router
Captain's Log, stardate Mon, 13 Dec 2004 17:31:18 -0600, from the fingers of Michael Madden came the words:
> Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

OpenBSD is what I would most recommend. It can be installed from two floppies and fully customised. (www.openbsd.org)

I _really_ love PF. Others may disagree. I've never had any problems with Linux firewalling / NATing / IP forwarding for as long as I can remember, but I prefer OpenBSD simply because it only installs exactly what you tell it to from the time you put the floppy in (which some other people would have a problem with) and it's very low maintenance. The only time I ever needed to shut down an OpenBSD machine is when I was moving office. So far I've never needed to upgrade any hardware (probably because it doesn't do much work anyway).

    # du -h pf.conf
    2.0K    pf.conf

There's a great man who once said "Donuts - is there anything they can't do?" (Homer Simpson). Maybe when PF can be used as a contraceptive we can say that too!
Re: Linux Router
Michael Madden wrote:
> Alex Barylo wrote:
> > I second that - I use my old AMD-K6 box with Sarge as a firewall. I use and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I picked it up from securityfocus.com top tools.
> > HTH,
> > Alex.
>
> Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

Freesco is a pretty decent floppy based router. freesco.org
Re: Linux Router
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:
> unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

No. Use an old laptop with a hard drive, and two PCMCIA net cards. Take one floppy. Put the OpenBSD install image on it. Install OpenBSD via FTP and configure pf. The package management system is similar to apt-get -- you can install an app and all dependencies with one command. It is absolutely breathtaking as a router. Utterly secure and never needs looking at.
Re: Linux Router
I second that - I use my old AMD-K6 box with Sarge as a firewall. I use and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I picked it up from securityfocus.com top tools.

HTH,
Alex.
Re: Linux Router
Ken Gilmour wrote:
> Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of Michael Madden came the words:
> > Does anyone know of a decent Linux based router project out there? In the past I've used LRP (http://www.linuxrouter.org), but it looks like the project isn't maintained anymore. My requirements are pretty simple. I want to route traffic from network A to network B and route traffic from network B to A. I don't need firewalling, but would like IP forwarding and NAT. Any recommendations?
>
> Linux is capable of routing by default, almost. All you need are two interfaces and Linux. You can use iptables (or ipchains if you're using an old distro) to do this. Personally I prefer OpenBSD to do this because it's very compact etc., but I've also used Debian Woody to do the same task. The only problem I have with Linux's iptables as opposed to OpenBSD's PF is that iptables has an overwhelming amount of stuff it can do and you can easily break it. But it is, however, much more configurable. You can set them to just allow everything through and use NAT and IP forwarding in the process.

Ken,

Can you explain this in further detail? I've used iptables on Woody for almost two years without any problems.

Thanks.
bp

> HTH
>
> Regards,
> Ken
Re: Linux Router
Alex Barylo wrote:
> I second that - I use my old AMD-K6 box with Sarge as a firewall. I use and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I picked it up from securityfocus.com top tools.
> HTH,
> Alex.

Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

Thanks,
Mike
Re: Linux Router
Captain's Log, stardate Mon, 13 Dec 2004 19:26:40 -0500, from the fingers of Bruce Park came the words:
> Ken Gilmour wrote:
> snip
> > The only problem I have with Linux's iptables as opposed to OpenBSD's PF is that iptables has an overwhelming amount of stuff it can do and you can easily break it. But it is, however, much more configurable. You can set them to just allow everything through and use NAT and IP forwarding in the process.
>
> Ken,
>
> Can you explain this in further detail? I've used iptables on Woody for almost two years without any problems.
>
> Thanks.

The main point is that there are so many things to do in Linux in order to configure it for masquerading (recompiling the kernel etc.). There are also so many different commands that do exactly the same thing but in different ways. If a person is starting off in firewalling it's not good to overwhelm them with information. With OpenBSD, you simply edit stuff that's already there, for example. These are the steps I would take to set up a gateway on a brand newly set up OpenBSD machine:

Uncomment the following in /etc/sysctl.conf
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1 (if using IPv6)

Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, stuff in [] is optional)
    nat [pass] on interface [af] from src_addr [port src_port] to dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]

You may then reboot the machine or just issue the following two commands:
    # sysctl net.inet.ip.forwarding=1
Or
    # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
Then
    # pfctl -f /etc/pf.conf

You now have a fully working NAT box. To perform IP forwarding uncomment the port redirect line in pf.conf and modify it to your taste, then issue:
    # pfctl -f /etc/pf.conf

The default configuration for the machine has zero known security holes. (Have a look at www.openbsd.org for security info.)

Regards,
Ken
Re: Linux Router
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:
> Thanks for all the advice. I guess something like LRP appealed to me more since it was floppy based and didn't require setting up a distro with many unneeded utilities. Does anyone know of an active floppy based firewall (Linux or *BSD)?

If you have a CD drive, why not try the Live CD Router? Just boot off the CD and it runs.

http://www.wifi.com.ar/english/cdrouter.html

HTH,

-- 
Sridhar M.A.
GPG KeyID : F6A35935
Fingerprint: D172 22C4 7CDC D9CD 62B5 55C1 2A69 D5D8 F6A3 5935

Plus ça change, plus c'est la même chose. [The more things change, the more they remain the same.] -- Alphonse Karr, Les Guêpes
Re: Linux Router
On Mon, 2004-12-13 at 15:46 -0800, Scarletdown wrote:
> Michael Madden wrote:
> > Alex Barylo wrote:
> > [snip]
>
> Freesco is a pretty decent floppy based router. freesco.org

Note, though, that it uses kernel 2.0.39.

-- 
- Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B
I prefer encrypted mail.

"Don't be so open minded that your brains fall out." s. keeling
Re: Linux router automatic redialling
Compared to the TLUG mailing list, this here is pretty pathetic. You torture Google, need an answer to the question about 24/7 DSL with a 100% reliable reconnect, and as an answer you get a debate about the morals and surfing habits of the plebs. Thanks a lot, you X-perts... that helped a great deal in solving my problem.
Re: Linux router automatic redialling
Hello Steffen,

* Steffen Ille wrote [18-03-03 23:07]:
> Compared to the TLUG mailing list, this here is pretty pathetic. You torture Google, need an answer to the question about 24/7 DSL with a 100% reliable reconnect, and as an answer you get a debate about the morals and surfing habits of the plebs. Thanks a lot, you X-perts... that helped a great deal in solving my problem.

And precisely from this answer the others can see why you didn't get a solution. If the TLUG is better, then go there. You complain that nobody helps you, but I personally haven't read your name very often here either... *shaking my head*

Pay us, or those who are supposed to help you, and then you can make remarks like that. Think about where you are here!

Regards
Udo

-- 
If I tie a RedHat CD around a pig's neck and kick it, one can say that KDE & Co. run fast even without RAM. -- Robin S. Socha in de.comp.os.unix.linux.newusers
Re: Linux router automatic redialling
--- Udo Mueller [EMAIL PROTECTED] wrote:
> * Steffen Ille wrote [18-03-03 23:07]:
> [crap]
> You complain that nobody helps you, but I personally haven't read your name very often here either...

I just searched the archive from February onwards (because I wanted to find the original posting) - without success.

Regards
Rüdiger
Linux router.
Hi,

I don't fully master iptables, and I tried the following to get MSN talking working on 192.168.1.2, knowing that the Linux router is 192.168.1.1:

    ###
    # MSN Talking for IP address 192.168.1.2:
    ###
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000 -j DNAT --to 192.168.1.2

    IPTABLES=/sbin/iptables
    OUT_DEV=ppp0
    IN_HOST=192.168.1.2
    TCP_PORT_RANGE=36988:45202
    UDP_PORT_RANGE=36988:45202
    TCP_LISTENING_PORT=36988

    $IPTABLES -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE
    $IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_PORT_RANGE -j DNAT --to-dest $IN_HOST
    $IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p udp --dport $UDP_PORT_RANGE -j DNAT --to-dest $IN_HOST
    $IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
    $IPTABLES -A FORWARD -p udp -i $OUT_DEV --dport $UDP_PORT_RANGE -d $IN_HOST -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_LISTENING_PORT -j DNAT --to-dest $IN_HOST
    $IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_LISTENING_PORT -d $IN_HOST -j ACCEPT

But it doesn't work :-( Is there a way to do this without getting into installing an H323 server? Is there an application to generate this kind of rule that works like a web server, webmin-style: http://www.webmin.com/

Thanks.
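The restricted masquerading from the Elsterformular thread above (one client, a fixed set of servers on one port, everything else rejected) and the inbound DNAT port forward in this post are built from the same few iptables primitives. As an added example that is not from any poster, here is a small POSIX shell script that generates both rule sets from parameters and, with DRY_RUN=1, prints the commands instead of applying them, so a ruleset can be reviewed before it touches a live firewall. The interface names, the client address 192.168.1.20 and the second server address 192.0.2.10 are constructed placeholders; 62.157.211.58 is the Elster server address quoted in the thread.

```shell
#!/bin/sh
# Added example: build the two iptables rule sets discussed on this page.
# DRY_RUN=1 prints each command instead of executing it (no root needed).
IPT="${IPTABLES:-iptables}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make the kernel route between interfaces (the "echo 1 >
# /proc/sys/net/ipv4/ip_forward" step from the thread, via sysctl).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Masquerade ONE client and let it open TCP connections only to the listed
# servers on one port; anything else it tries to forward is rejected.
# usage: restricted_masquerade CLIENT WAN_IF PORT SERVER...
restricted_masquerade() {
    client=$1; wan=$2; port=$3; shift 3
    # Source NAT for this client only, and only on the uplink interface.
    run "$IPT" -t nat -A POSTROUTING -s "$client" -o "$wan" -j MASQUERADE
    # Replies to connections the client opened are allowed back through.
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # One allow rule per permitted destination server (the "6 servers" case).
    for server in "$@"; do
        run "$IPT" -A FORWARD -p tcp -s "$client" -d "$server" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Default deny for the client: a clean reject rather than a silent drop,
    # so the client fails fast instead of waiting for a timeout.
    run "$IPT" -A FORWARD -p tcp -s "$client" -j REJECT --reject-with tcp-reset
    run "$IPT" -A FORWARD -s "$client" -j REJECT --reject-with icmp-port-unreachable
}

# Forward an inbound port (or range such as 36988:45202) from the uplink to
# an internal host. DNAT in PREROUTING rewrites the destination, so the
# FORWARD rule must match the rewritten address, hence "-d HOST".
# usage: dnat_forward WAN_IF PROTO PORT_OR_RANGE INNER_HOST
dnat_forward() {
    wan=$1; proto=$2; ports=$3; host=$4
    run "$IPT" -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$host"
    run "$IPT" -A FORWARD -i "$wan" -p "$proto" -d "$host" --dport "$ports" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Stand-alone use: "DRY_RUN=1 sh thisfile.sh" prints the complete rule set
# for both cases without touching the running firewall.
if [ -n "${DRY_RUN:-}" ]; then
    enable_forwarding
    restricted_masquerade 192.168.1.20 eth0 8000 62.157.211.58 192.0.2.10
    dnat_forward ppp0 tcp 36988:45202 192.168.1.2
fi
```

Without DRY_RUN the same functions execute the rules, so they should be run as root on a box whose FORWARD chain does not already contain an earlier catch-all that would shadow the per-server allows.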