RE: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-09 Thread Michael Grant
I have used openwrt, but not recent version of it.  I have been using Ubiquiti 
EdgeRouters running the stock EdgeOS.  Very solid routers.  I even have one 
sitting up in a tree in a Tupperware container in the snowy mountains!

I recently discovered that EdgeOS is based on Debian and you can install Debian 
packages on them.

Michael Grant






Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 16:42:40 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> > 
> > My understanding - please correct me if I'm wrong - is that with those
> > types of cards, the ports are distinct and aren't actually switched in
> > hardware, so switching occurs at the OS / kernel level. I don't know
> > how much of a load this puts on the system in practice, but my
> > understanding is that it's certainly not an ideal way to design a
> > switch.
> 
> Modern processors -- even the ones 5 years old -- are really
> fast.
> 
> Linux bridging (switching) is very efficient.

Fair enough.

> Is it "ideal"? No. But given that you want one device which acts
> as a WAP, router, firewall and switch, it should perform quite 
> well. If you hate the idea of doing that, though, an 8-port
> gigabit switch is about the same price as a used 4-port gigabit
> NIC. Not as flexible, though.
> 
> > > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > > you can use it as a WAP and have nine switched/routed gigabit ports,
> > > counting one on the motherboard.  If you only need 5 ports, you only
> > > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> > 
> > My understanding, although I could not find solid documentation of this,
> > is that consumer wireless chipsets designed for client use don't make
> > particularly performant APs. They'll work, but purpose built APs will
> > perform much better, especially with their AP optimized antennas. I
> > don't really know if this is true, though, and to what extent it's an
> > issue, if it really is one.
> 
> Oh, no, this is a myth. The $20-150 consumer wifi routers use
> the same wifi interface chips as good PCIe cards, for the most
> part. OpenWRT is actually a great source of information on
> these.
> 
> Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
> antenna MIMO on a consumer router, you should get equivalent
> range and performance.

Thanks. I'd love to see actual tests comparing performance of wireless
APs (consumer, enterprise, and DIY ones like we're discussing), but
they seem very hard to come by.

> > And the power usage on a five year old desktop (which I don't actually
> > have) will be much higher than a purpose-built AIO AP / switch / router.
> 
> That can be true. But then, the desktop can also be your server
> for a bunch of other things that, perhaps, you were going to
> run.

Fair enough. I'm currently using an old R210 ii as my server, so I'm
not one to talk ;) I suppose it might be fun to see if I can fit a
modern AX200 based PCIe (perhaps a low profile one) into it and see how
it performs as an AP / router ...

> > But again, I don't really disagree. If I had the hardware lying around,
> > and I determined that the power consumption wasn't a factor, it would
> > certainly be tempting to consider this route.
> 
> Everything is a tradeoff.

Yes.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> 
> My understanding - please correct me if I'm wrong - is that with those
> types of cards, the ports are distinct and aren't actually switched in
> hardware, so switching occurs at the OS / kernel level. I don't know
> how much of a load this puts on the system in practice, but my
> understanding is that it's certainly not an ideal way to design a
> switch.

Modern processors -- even the ones 5 years old -- are really
fast.

Linux bridging (switching) is very efficient.

Is it "ideal"? No. But given that you want one device which acts
as a WAP, router, firewall and switch, it should perform quite 
well. If you hate the idea of doing that, though, an 8-port
gigabit switch is about the same price as a used 4-port gigabit
NIC. Not as flexible, though.

> > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > you can use it as a WAP and have nine switched/routed gigabit ports,
> > counting one on the motherboard.  If you only need 5 ports, you only
> > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> 
> My understanding, although I could not find solid documentation of this,
> is that consumer wireless chipsets designed for client use don't make
> particularly performant APs. They'll work, but purpose built APs will
> perform much better, especially with their AP optimized antennas. I
> don't really know if this is true, though, and to what extent it's an
> issue, if it really is one.

Oh, no, this is a myth. The $20-150 consumer wifi routers use
the same wifi interface chips as good PCIe cards, for the most
part. OpenWRT is actually a great source of information on
these.

Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
antenna MIMO on a consumer router, you should get equivalent
range and performance.

> And the power usage on a five year old desktop (which I don't actually
> have) will be much higher than a purpose-built AIO AP / switch / router.

That can be true. But then, the desktop can also be your server
for a bunch of other things that, perhaps, you were going to
run.

> But again, I don't really disagree. If I had the hardware lying around,
> and I determined that the power consumption wasn't a factor, it would
> certainly be tempting to consider this route.

Everything is a tradeoff.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 11:03:35 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > I can be glad that OpenWRT has improved their security practices
> > > and simultaneously not be interested in using it.
> > 
> > I think we are really in basic agreement. The reason I use OpenWRT is
> > that I use a residential all-in-one WAP / switch / router, which Debian
> > is unsuitable for. If I ever go the separate WAP / switch / router
> > route, I'll probably use Debian on the router for the reasons you
> > give: good support, a system I'm familiar with, etc.
> 
> Debian works well in this situation. You just need to arrange
> for enough NIC ports to meet your needs.
> 
> If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old

My understanding - please correct me if I'm wrong - is that with those
types of cards, the ports are distinct and aren't actually switched in
hardware, so switching occurs at the OS / kernel level. I don't know
how much of a load this puts on the system in practice, but my
understanding is that it's certainly not an ideal way to design a
switch.

> desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> you can use it as a WAP and have nine switched/routed gigabit ports,
> counting one on the motherboard.  If you only need 5 ports, you only
> need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

My understanding, although I could not find solid documentation of this,
is that consumer wireless chipsets designed for client use don't make
particularly performant APs. They'll work, but purpose built APs will
perform much better, especially with their AP optimized antennas. I
don't really know if this is true, though, and to what extent it's an
issue, if it really is one.

And the power usage on a five year old desktop (which I don't actually
have) will be much higher than a purpose-built AIO AP / switch / router.

> Debian has hostapd and dnsmasq packages.

But again, I don't really disagree. If I had the hardware lying around,
and I determined that the power consumption wasn't a factor, it would
certainly be tempting to consider this route.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Stefan Monnier
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Here's a related datapoint:

For a couple years, I have used a Pi box as router+WAP, running
Debian (after having used "home routers" running OpenWRT for many years
before that).

I was quite happy with it software side (a bit less convenient to
configure than OpenWRT for the WAP part, but largely makes up for it for
the ease with which I could add auxiliary services and the convenience
of using the same OS as I use on all my other machines), but I was
unable to make it provide a good enough wireless signal to cover
my apartment.

So I switched to a box dedicated to WAP+router (BT HomeHub, in my case
https://openwrt.org/toh/bt/homehub_v5a), whose hardware is too limited
to run Debian.  IOW the problem for me was to find hardware which is
low-power enough to have it "always on" yet whose wifi interface is good
enough to cover my apartment: these thingies seem to be much more often
able to run OpenWRT than to run Debian :-(

W.r.t security, an important advantage of Debian is that upgrades are
much easier and smoother (so much so that they can be fully automatic)
than in OpenWRT.  But I'm a very happy user of OpenWRT (and have been
for many many years).


Stefan


PS: Another reason I went with the BT HomeHub is that it includes the
modem (and that this modem is supported by OpenWRT, tho with
a proprietary firmware), so it saves me having to have yet another box
in that corner (I still have the Pi there since the HomeHub is not
well suited to provide some of those services, which require a largish
storage which I'd rather not connect via USB).



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > I can be glad that OpenWRT has improved their security practices
> > and simultaneously not be interested in using it.
> 
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Debian works well in this situation. You just need to arrange
for enough NIC ports to meet your needs.

If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
you can use it as a WAP and have nine switched/routed gigabit ports,
counting one on the motherboard.  If you only need 5 ports, you only
need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

Debian has hostapd and dnsmasq packages.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 09:57:13 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 08:36:34 -0500
> > Dan Ritter  wrote:
> > 
> > > OpenWRT's security process doesn't look as terrible as it used
> > > to be, but it doesn't really look good right now, just trying to
> > > be better.
> > 
> > Again, let's look at specific examples of vulnerabilities present in
> > both OpenWRT and Debian, and compare the projects' responses. I gave
> > you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> > was issued about two weeks before Debian's.
> > 
> > You feel that OpenWRT's security process "doesn't look good." Based on
> > what? Can you provide a vulnerability that affects their software that
> > they dropped the ball on?
> 
> No, thanks. I don't need to poke at OpenWRT any further.
> 
> I already have a Debian firewall that has had good security
> support from Debian since 2014; I see no reason not to continue
> using it until the hardware fails. At that point, I will buy
> another relatively small fully supported Debian box, and carry
> on. Among other benefits, it means that all the machines at home
> have the same procedures and can be used as testbeds for each
> other. E.g. the music-playing machine in the living room is now
> testing out Bullseye.
> 
> I can be glad that OpenWRT has improved their security practices
> and simultaneously not be interested in using it.

I think we are really in basic agreement. The reason I use OpenWRT is
that I use a residential all-in-one WAP / switch / router, which Debian
is unsuitable for. If I ever go the separate WAP / switch / router
route, I'll probably use Debian on the router for the reasons you
give: good support, a system I'm familiar with, etc.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 08:36:34 -0500
> Dan Ritter  wrote:
> 
> > OpenWRT's security process doesn't look as terrible as it used
> > to be, but it doesn't really look good right now, just trying to
> > be better.
> 
> Again, let's look at specific examples of vulnerabilities present in
> both OpenWRT and Debian, and compare the projects' responses. I gave
> you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> was issued about two weeks before Debian's.
> 
> You feel that OpenWRT's security process "doesn't look good." Based on
> what? Can you provide a vulnerability that affects their software that
> they dropped the ball on?

No, thanks. I don't need to poke at OpenWRT any further.

I already have a Debian firewall that has had good security
support from Debian since 2014; I see no reason not to continue
using it until the hardware fails. At that point, I will buy
another relatively small fully supported Debian box, and carry
on. Among other benefits, it means that all the machines at home
have the same procedures and can be used as testbeds for each
other. E.g. the music-playing machine in the living room is now
testing out Bullseye.

I can be glad that OpenWRT has improved their security practices
and simultaneously not be interested in using it.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 08:36:34 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 06:41:23 -0500
> > Dan Ritter  wrote:
> > 
> > > Gregory Seidman wrote: 
> > > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs 
> > > > on
> > 
> > ...
> > 
> > > Debian gets security updates in a timely manner (for stable).
> > > 
> > > How's OpenWRT's security team?
> > 
> > I'm not sure if this is a genuine question or a rhetorical one (sorry -
> > tone doesn't always come across well in email), but OpenWRT does have a
> > security process, with advisories, bug fixes, etc.:
> 
> Semi-rhetorical: my experience with OpenWRT and ddWRT is that
> once a device is installed, it never gets an upgrade. I'd be
> happy to learn otherwise.

Rejoice, then! If you choose never to upgrade, that's your choice, but
the project releases point releases every couple of months or so, and
new major versions every year or two:

https://downloads.openwrt.org/releases/

> > https://openwrt.org/docs/guide-developer/security
> > 
> > I suspect the process may not be as good as Debian's, but they do fix
> > at least some serious bugs fairly quickly. E.g., if I'm reading the
> > following pages correctly, the Debian DSAs for the recent serious set of
> > dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> > Security Advisory on Jan. 19:
> 
> That page lists 15 advisories over the last 3 years -- let's say
> 2 years, since this year is just beginning. Four of those
> advisories are for OpenWRT-only problems.
> 
> In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
> Let's discount the desktop software -- that's 8 of them, by my
> count -- because nobody runs desktop software on a router.

I think this is a misleading comparison. It's not just a question
of desktop software - Debian includes vastly more software in general,
for which the security team is responsible, than OpenWRT does. Debian
proudly announces that it comes with "more than 59000 packages":

https://www.debian.org/intro/about

OpenWRT includes merely "several thousand packages" (I can't find an
exact number):

https://openwrt.org/packages/start

So of course Debian is going to have more SAs.

> OpenWRT's security process doesn't look as terrible as it used
> to be, but it doesn't really look good right now, just trying to
> be better.

Again, let's look at specific examples of vulnerabilities present in
both OpenWRT and Debian, and compare the projects' responses. I gave
you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
was issued about two weeks before Debian's.

You feel that OpenWRT's security process "doesn't look good." Based on
what? Can you provide a vulnerability that affects their software that
they dropped the ball on?

> This probably doesn't matter much if you just want a WAP inside
> your house, but I feel confirmed that Debian is still a much
> better choice for an Internet-facing router/firewall.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 06:41:23 -0500
> Dan Ritter  wrote:
> 
> > Gregory Seidman wrote: 
> > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> 
> ...
> 
> > Debian gets security updates in a timely manner (for stable).
> > 
> > How's OpenWRT's security team?
> 
> I'm not sure if this is a genuine question or a rhetorical one (sorry -
> tone doesn't always come across well in email), but OpenWRT does have a
> security process, with advisories, bug fixes, etc.:

Semi-rhetorical: my experience with OpenWRT and ddWRT is that
once a device is installed, it never gets an upgrade. I'd be
happy to learn otherwise.

> https://openwrt.org/docs/guide-developer/security
> 
> I suspect the process may not be as good as Debian's, but they do fix
> at least some serious bugs fairly quickly. E.g., if I'm reading the
> following pages correctly, the Debian DSAs for the recent serious set of
> dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> Security Advisory on Jan. 19:

That page lists 15 advisories over the last 3 years -- let's say
2 years, since this year is just beginning. Four of those
advisories are for OpenWRT-only problems.

In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
Let's discount the desktop software -- that's 8 of them, by my
count -- because nobody runs desktop software on a router.

OpenWRT's security process doesn't look as terrible as it used
to be, but it doesn't really look good right now, just trying to
be better.

This probably doesn't matter much if you just want a WAP inside
your house, but I feel confirmed that Debian is still a much
better choice for an Internet-facing router/firewall.

-dsr-



Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 06:41:23 -0500
Dan Ritter  wrote:

> Gregory Seidman wrote: 
> > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on

...

> Debian gets security updates in a timely manner (for stable).
> 
> How's OpenWRT's security team?

I'm not sure if this is a genuine question or a rhetorical one (sorry -
tone doesn't always come across well in email), but OpenWRT does have a
security process, with advisories, bug fixes, etc.:

https://openwrt.org/docs/guide-developer/security

I suspect the process may not be as good as Debian's, but they do fix
at least some serious bugs fairly quickly. E.g., if I'm reading the
following pages correctly, the Debian DSAs for the recent serious set of
dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
Security Advisory on Jan. 19:

https://www.debian.org/security/2021/dsa-4844
https://lists.debian.org/debian-security-announce/2021/msg00026.html

https://openwrt.org/advisory/2021-01-19-1

Celejar



Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Gregory Seidman wrote: 
> If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> a variety of router hardware, but also PCs: 
> https://openwrt.org/docs/guide-user/installation/openwrt_x86
> 
> Importantly, it uses UCI
> <https://openwrt.org/docs/guide-user/base-system/uci> for configuration of
> switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which
> substantially simplifies handling the issues you are encountering. Its web
> interface (luci) works directly with the UCI config files, so it's easy to
> switch between editing a file and working in the web UI.

Debian gets security updates in a timely manner (for stable).

How's OpenWRT's security team?

-dsr-



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread Gregory Seidman
If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
a variety of router hardware, but also PCs: 
https://openwrt.org/docs/guide-user/installation/openwrt_x86

Importantly, it uses UCI
<https://openwrt.org/docs/guide-user/base-system/uci> for configuration of
switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which
substantially simplifies handling the issues you are encountering. Its web
interface (luci) works directly with the UCI config files, so it's easy to
switch between editing a file and working in the web UI.

--Gregory

On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.
> 
> Am I correct in my assumption?
> 
> Thanks,
> 
> John
> 
> -- 
> 
> John Conover, cono...@rahul.net, http://www.johncon.com/
> 
> 



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread John Conover
Tixy writes:
> On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> > Stefan Monnier writes:
> > > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > > > works well with iptables, with one shortcoming.
> > > > 
> > > > After antagonizing the Google for hours, I can not find any way to add
> > > > reserved IPs based on the MAC address of devices connected on
> > > > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > > > for a wireless AP.
> > > 
> > > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> > > perfectly sufficient so far and it lets you specify fixed IPs based on
> > > MACs by simply putting those in the `/etc/ethers` file.
> > > 
> > 
> > Thank you, Stefan.
> > 
> > Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
> > address, followed by a space delimiter, followed by the IPv4 IP
> > address, per IP reservation. That IP address must also be in
> > /etc/hosts.
> 
> I didn't know about /etc/ethers, on my system I allocate fixed IP
> addresses and hostnames by adding lines to dnsmasq.conf like
> 
> dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time
> 
> I guess there's more than one way to skin this cat.
>

Hi Tixy.

For the archives, the documentation to configuration of dnsmasq(1) is
in /etc/dnsmasq.conf, the dnsmasq configuration file. It is verbose,
and there are many options. Read thoroughly.

It is a very impressive accomplishment, and works well, and is fairly
easy to get working, (once familiar with the configuration file.)

As a closing note, the DHCP/DNS services, (for wlan0,) are configured
in the /etc/dnsmasq.conf file, *_NOT_* /etc/dhcpcd.conf, which is the
usual alternative.

(This is where I went astray. I mean, the name is dnsmasq, probably
meaning it is something to do with dns, duh.)

Thanks to all,

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/
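The thread settles on three ways to pin an address to a MAC: /etc/ethers (which dnsmasq reads when started with --read-ethers, and where the second field may be either a dotted-quad address or a hostname resolved through /etc/hosts), a dhcp-host= line in dnsmasq.conf, and an ISC dhcpd host block. The following Python is an added example, not code from any poster: it reads text in the /etc/ethers layout plus /etc/hosts text, rejects entries with a malformed MAC, an address missing from /etc/hosts, or a duplicate MAC or address, and emits the equivalent dhcp-host= lines. The file contents and addresses below are constructed samples.

```python
"""Check static DHCP reservations and emit them in dnsmasq's dhcp-host form.

Added example for this thread, not code from any poster.  Reads text in the
/etc/ethers layout (MAC, then an IPv4 address or a hostname) together with
/etc/hosts text, rejects broken or duplicate entries, and prints the
equivalent dhcp-host= lines.  The file contents below are constructed samples;
the addresses are placeholders.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Constructed /etc/ethers sample: one "MAC target" pair per line
SAMPLE_ETHERS = """\
# laptop on the wlan0 segment
00:14:d3:11:22:32 192.168.0.20
00:14:d3:11:22:33 printer
00-14-d3-11-22-34 192.168.0.22
00:14:d3:11:22:35 192.168.0.99
00:14:d3:11:22:36 192.168.0.20
"""

# Constructed /etc/hosts sample
SAMPLE_HOSTS = """\
127.0.0.1     localhost
192.168.0.20  conoverlaptop
192.168.0.21  printer
192.168.0.22  nas
"""


def parse_hosts(text):
    """Return (ip -> canonical name, name -> ip) maps from /etc/hosts text."""
    ip_to_name, name_to_ip = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip_to_name.setdefault(fields[0], fields[1])
        for name in fields[1:]:
            name_to_ip.setdefault(name, fields[0])
    return ip_to_name, name_to_ip


def parse_ethers(text):
    """Yield (line number, fields) for every non-comment line of /etc/ethers text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields:
            yield lineno, fields


def ethers_to_dhcp_hosts(ethers_text, hosts_text, lease="infinite"):
    """Return (dhcp-host lines, problems).

    A reservation is rejected when the MAC is not ':'-delimited hex, the target
    is neither a valid IPv4 address nor a name listed in /etc/hosts, the address
    has no /etc/hosts entry, or the MAC or address was already reserved (two
    reservations for one address would hand the same lease to two machines).
    """
    ip_to_name, name_to_ip = parse_hosts(hosts_text)
    lines, problems = [], []
    seen_macs, seen_ips = set(), set()
    for lineno, fields in parse_ethers(ethers_text):
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected 'MAC target', got {len(fields)} fields")
            continue
        mac, target = fields[0].lower(), fields[1]
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: bad MAC {mac!r} (need aa:bb:cc:dd:ee:ff)")
            continue
        try:
            ip = str(ipaddress.IPv4Address(target))
        except ipaddress.AddressValueError:
            # Not an address: treat it as a hostname and resolve via /etc/hosts
            ip = name_to_ip.get(target)
            if ip is None:
                problems.append(f"line {lineno}: hostname {target!r} not in /etc/hosts")
                continue
        if ip not in ip_to_name:
            problems.append(f"line {lineno}: {ip} has no /etc/hosts entry")
            continue
        if mac in seen_macs or ip in seen_ips:
            problems.append(f"line {lineno}: duplicate reservation for {mac} / {ip}")
            continue
        seen_macs.add(mac)
        seen_ips.add(ip)
        lines.append(f"dhcp-host={mac},{ip},{ip_to_name[ip]},{lease}")
    return lines, problems


if __name__ == "__main__":
    out, probs = ethers_to_dhcp_hosts(SAMPLE_ETHERS, SAMPLE_HOSTS)
    print("\n".join(out))
    for p in probs:
        print("rejected:", p)
```

Run against the samples, the two well-formed entries come out as dhcp-host= lines and the three defective ones (dash-separated MAC, address absent from /etc/hosts, second reservation of 192.168.0.20) are reported instead of being silently written into the DHCP configuration.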



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread Tixy
On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> Stefan Monnier writes:
> > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > > works well with iptables, with one shortcoming.
> > > 
> > > After antagonizing the Google for hours, I can not find any way to add
> > > reserved IPs based on the MAC address of devices connected on
> > > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > > for a wireless AP.
> > 
> > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> > perfectly sufficient so far and it lets you specify fixed IPs based on
> > MACs by simply putting those in the `/etc/ethers` file.
> > 
> 
> Thank you, Stefan.
> 
> Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
> address, followed by a space delimiter, followed by the IPv4 IP
> address, per IP reservation. That IP address must also be in
> /etc/hosts.

I didn't know about /etc/ethers, on my system I allocate fixed IP
addresses and hostnames by adding lines to dnsmasq.conf like

dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time

I guess there's more than one way to skin this cat.

-- 
Tixy




Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread John Conover
Stefan Monnier writes:
> > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > works well with iptables, with one shortcoming.
> >
> > After antagonizing the Google for hours, I can not find any way to add
> > reserved IPs based on the MAC address of devices connected on
> > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > for a wireless AP.
> 
> I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> perfectly sufficient so far and it lets you specify fixed IPs based on
> MACs by simply putting those in the `/etc/ethers` file.
>

Thank you, Stefan.

Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
address, followed by a space delimiter, followed by the IPv4 IP
address, per IP reservation. That IP address must also be in
/etc/hosts.

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/



Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread Stefan Monnier
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.

I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
perfectly sufficient so far and it lets you specify fixed IPs based on
MACs by simply putting those in the `/etc/ethers` file.


Stefan



Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread Dan Ritter
John Conover wrote: 
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.


# ISC dhcpd (dhcpd.conf) syntax: reserve 192.168.0.20 for this MAC address
host conoverlaptop {
 hardware ethernet 00:14:d3:11:22:32;
 fixed-address 192.168.0.20;
}




Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread tomas
On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.
> 
> Am I correct in my assumption?

I think the jargon is "DHCP reservation" or thereabouts. Do these ([1],
[2]) fit your quest?

And oh, BTW. Don't antagonize Google. They don't love you (besides, they
don't make for good neighbours, but I digress). My search provider just
gave me those results in exchange for a moderate amount of effort (~15
min).

Cheers :)

[1] 
https://servercomputing.blogspot.com/2012/02/reserve-ip-address-in-dhcp-server-linux.html
[2] 
https://askubuntu.com/questions/392599/how-to-reserve-ip-address-in-dhcp-server

 - t




Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread John Conover


A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
works well with iptables, with one shortcoming.

After antagonizing the Google for hours, I can not find any way to add
reserved IPs based on the MAC address of devices connected on
wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
for a wireless AP.

Am I correct in my assumption?

Thanks,

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/



Re: Linux router for an ISP with possible problems

2013-08-10 Thread Camaleón
On Fri, 09 Aug 2013 15:28:00 -0300, Mauro Antivero wrote:

 On 09/08/13 10:32, Camaleón wrote:

(...)

 Here is a very complete configuration for a Debian machine acting as a
 high-performance router (for an ISP):

 http://itservice-bg.net/?p=1122
 Sorry, the link doesn't work for me. Could it be wrong, or is that just
 a coincidence?

It loads fine for me.

Try accessing the site from another connection (e.g. a UMTS modem) or
through a proxy:

http://www.hidemyass.com/

If you still have problems, let me know and I'll send you the page's
contents by private message.

Regards,

-- 
Camaleón





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Alberto
 On 09/08/13 04:36, Mauro Antivero wrote:
 Dear all:
 
 At my workplace we have a Linux router (Debian Squeeze running on a
 Dell PowerEdge R210-II) through which all the traffic of the ISP's
 user network passes.
 
 The problem we are having is that when the total traffic passing
 through the server reaches 550 Mbps it seems to stall, that is, it
 doesn't usually grow much beyond that value. This seems strange to us
 because, by our estimates, the traffic should be reaching
 approximately 650 Mbps.
 
 At the time, we changed the value of:
 
 /proc/sys/net/ipv4/netfilter/ip_conntrack_max
 
 because when traffic reached about 200 Mbps it started to fall instead
 of rising, and with dmesg we got the following message:
 
 nf_conntrack: table full, dropping packet

Yes, there may be some other value under /proc that could be looked at,
although off the top of my head I couldn't tell you which; ip_conntrack
was the one I also looked at back in the day.

 After that, on a much less powerful server than the current one, we
 had to play with the parameters of the network card (Intel Gigabit,
 I don't remember the exact model right now) so it could handle the
 interrupts, and we also had to set up bonding between two of these
 network cards so it could handle all the traffic.
 
 On the server I'm asking about now it wasn't necessary to do
 bonding, but it was necessary to change the value of ip_conntrack_max.

Well, obviously you have to see what traffic is being generated and how
much the network card can handle. In any case, for a machine acting as a
corporate router, if you have an additional card I would definitely set
up bonding, not only for load balancing but also for high availability.

 The thing is that now, as I was saying, at first glance we aren't
 having any of these problems, but we have the feeling that something
 is going on.
 
 So I wanted to ask you which parameters I should be looking at and
 monitoring to see whether we really have a problem on the server or
 not.
 
 One detail I think is very important is that sometimes, for no
 apparent reason, the network interface drops packets. But as I said,
 although this shouldn't happen, it happens rarely. Here is the data
 for the interface through which the traffic comes in:
 
 ifconfig eth0
 
 eth0  Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
       inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
       inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
       TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:1000
       RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
       Interrupt:16 Memory:c000-c0012800
 
 I would greatly appreciate your comments and help in determining
 whether the problem is on the server or not.
 
 I hope I haven't left out any useful data; let me know if anything is
 missing.

The ifconfig output doesn't tell us anything out of the ordinary: yes,
there are dropped packets, but we don't know the link speed, whether it's
full duplex, TSO... and so on.

The full output of ethtool, for example.

There are many values that could have an influence; look at what I pulled
from mine...
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
600
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent2
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
60
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
432000
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
60
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
30
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
10
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
300
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
1
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
0
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
3
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
30
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
180
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
30
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_count
269
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
16384
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_checksum
1
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
0
-

As you can see there are many variables, and I certainly don't advise you
to touch them without knowing exactly what you're doing.

A simple test you can

Re: Linux router for an ISP with possible problems

2013-08-09 Thread jors

On 2013-08-09 09:34, Alberto wrote:

 On 09/08/13 04:36, Mauro Antivero wrote:

 (...)
 After that, on a much less powerful server than the current one, we
 had to play with the parameters of the network card (Intel Gigabit,
 I don't remember the exact model right now) so it could handle the
 interrupts, and we also had to set up bonding between two of these
 network cards so it could handle all the traffic.

 On the server I'm asking about now it wasn't necessary to do
 bonding, but it was necessary to change the value of ip_conntrack_max.

 Well, obviously you have to see what traffic is being generated and
 how much the network card can handle. In any case, for a machine
 acting as a corporate router, if you have an additional card I would
 definitely set up bonding, not only for load balancing but also for
 high availability.

+1 to checking the throughput the network card gives. You can use iperf
for that, but of course, to get reliable values it should be done outside
of production.


 The thing is that now, as I was saying, at first glance we aren't
 having any of these problems, but we have the feeling that something
 is going on.

 So I wanted to ask you which parameters I should be looking at and
 monitoring to see whether we really have a problem on the server or
 not.

 One detail I think is very important is that sometimes, for no
 apparent reason, the network interface drops packets. But as I said,
 although this shouldn't happen, it happens rarely. Here is the data
 for the interface through which the traffic comes in:

 ifconfig eth0

 eth0  Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
       inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
       inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
       TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:1000
       RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
       Interrupt:16 Memory:c000-c0012800

 I would greatly appreciate your comments and help in determining
 whether the problem is on the server or not.

 I hope I haven't left out any useful data; let me know if anything is
 missing.

 The ifconfig output doesn't tell us anything out of the ordinary: yes,
 there are dropped packets, but we don't know the link speed, whether
 it's full duplex, TSO... and so on.

In addition to what Alberto says, dropped packets can indicate saturation
of the network interface [1]. So if all the network interface settings are
correct (ethtool, proc...), it's worth running load tests to rule that out
as the cause.


[1] 
http://stackoverflow.com/questions/8987926/how-to-find-which-packets-got-dropped


Cheers,
jors


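The thread keeps coming back to two signals: how full the conntrack table is, and whether the ingress interface is dropping packets. The following shell functions are an added example, not code posted by anyone in the thread, that turn those signals into a repeatable check. The sample inputs are constructed from the figures quoted above (269 of 65536 conntrack entries in Alberto's listing, 1606 drops out of 232816986602 received packets in Mauro's ifconfig output); the dmesg excerpt and the 80% warning threshold are made up for the example. On a live Debian host you would feed in the values from /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max (the ipv4/netfilter/ip_conntrack_* names in the listing are the older paths), the counters from ifconfig or "ip -s link", and the output of dmesg.

```shell
#!/bin/sh
# Added example: check conntrack occupancy, RX drop ratio and "table full"
# events. All inputs below are constructed from values quoted in the thread;
# nothing here reads a live system.

# conntrack occupancy, from Alberto's listing (ip_conntrack_count / _max)
SAMPLE_CT_COUNT=269
SAMPLE_CT_MAX=65536

# RX counter line, from Mauro's "ifconfig eth0" output
SAMPLE_RX='RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462'

# Constructed dmesg excerpt: two table-full events among unrelated lines
SAMPLE_DMESG='[12.345] e1000e 0000:01:00.0 eth0: Link is Up 1000 Mbps Full Duplex
[99.001] nf_conntrack: table full, dropping packet
[99.002] nf_conntrack: table full, dropping packet
[120.000] eth0: no IPv6 routers present'

# conntrack_pct COUNT MAX -> integer percentage of the table in use
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX WARN_PCT -> "warn" at or above WARN_PCT, else "ok".
# A high percentage well before the table is full means the max (or the
# per-protocol timeouts that keep entries alive) needs attention.
conntrack_status() {
    if [ "$(conntrack_pct "$1" "$2")" -ge "$3" ]; then
        echo warn
    else
        echo ok
    fi
}

# rx_field LINE NAME -> numeric value of "NAME:" in an ifconfig RX/TX line
rx_field() {
    echo "$1" | tr ' ' '\n' | sed -n "s/^$2:\([0-9][0-9]*\)$/\1/p"
}

# drop_ppb LINE -> dropped packets per billion received (integer).
# Absolute drop counts mislead on a busy router; the ratio is what matters.
drop_ppb() {
    pkts=$(rx_field "$1" packets)
    drops=$(rx_field "$1" dropped)
    echo $(( drops * 1000000000 / pkts ))
}

# table_full_events TEXT -> number of "nf_conntrack: table full" lines in TEXT
# (grep -c exits 1 on zero matches, so keep the "0" and ignore the status)
table_full_events() {
    printf '%s\n' "$1" | grep -c 'nf_conntrack: table full' || true
}

# Report on the sample data. On a real host, substitute the /proc values,
# the interface counters and the dmesg output.
report() {
    echo "conntrack: $(conntrack_pct "$SAMPLE_CT_COUNT" "$SAMPLE_CT_MAX")% used" \
         "($(conntrack_status "$SAMPLE_CT_COUNT" "$SAMPLE_CT_MAX" 80))"
    echo "rx drops : $(drop_ppb "$SAMPLE_RX") per billion packets"
    echo "table-full events in log: $(table_full_events "$SAMPLE_DMESG")"
}

report
```

With the thread's own numbers the table is under 1% used and the drop ratio is about 6 per billion, which is why the conntrack limit is not the first place to look for a 550 Mbps ceiling; a growing drop ratio or any table-full event, on the other hand, is worth alerting on.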



Re: Linux router for an ISP with possible problems

2013-08-09 Thread Camaleón
On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:

 At my workplace we have a Linux router (Debian Squeeze running on a
 Dell PowerEdge R210-II) through which all the traffic of the ISP's
 user network passes.
 
 The problem we are having is that when the total traffic passing
 through the server reaches 550 Mbps it seems to stall, that is, it
 doesn't usually grow much beyond that value. This seems strange to us
 because, by our estimates, the traffic should be reaching
 approximately 650 Mbps.

(...)

Here you have a very complete configuration for a Debian machine that
acts as a high-performance router (for an ISP):

http://itservice-bg.net/?p=1122

I think the interesting part comes at the end, where it says:

NOTE: settings in /proc/sys/net are essential to enable the Linux kernel 
to pass big traffic.

Take a look at the parameters it tunes to see if any of them might be
useful in your case.

Regards,

-- 
Camaleón





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Mauro Antivero

On 09/08/13 10:32, Camaleón wrote:

 On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:

 At my workplace we have a Linux router (Debian Squeeze running on a
 Dell PowerEdge R210-II) through which all the traffic of the ISP's
 user network passes.

 The problem we are having is that when the total traffic passing
 through the server reaches 550 Mbps it seems to stall, that is, it
 doesn't usually grow much beyond that value. This seems strange to us
 because, by our estimates, the traffic should be reaching
 approximately 650 Mbps.

 (...)

 Here you have a very complete configuration for a Debian machine that
 acts as a high-performance router (for an ISP):

 http://itservice-bg.net/?p=1122

 I think the interesting part comes at the end, where it says:

 NOTE: settings in /proc/sys/net are essential to enable the Linux kernel
 to pass big traffic.

 Take a look at the parameters it tunes to see if any of them might be
 useful in your case.

 Regards,

Thank you all very much for your replies. I'm going to read up a bit and
check the server's configuration more carefully. When I have something
more concrete I'll let you know how it went.


Regards, Mauro.





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Mauro Antivero

On 09/08/13 10:32, Camaleón wrote:

 On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:

 At my workplace we have a Linux router (Debian Squeeze running on a
 Dell PowerEdge R210-II) through which all the traffic of the ISP's
 user network passes.

 The problem we are having is that when the total traffic passing
 through the server reaches 550 Mbps it seems to stall, that is, it
 doesn't usually grow much beyond that value. This seems strange to us
 because, by our estimates, the traffic should be reaching
 approximately 650 Mbps.

 (...)

 Here you have a very complete configuration for a Debian machine that
 acts as a high-performance router (for an ISP):

 http://itservice-bg.net/?p=1122
Sorry, the link doesn't work for me. Could it be wrong, or is it just a
coincidence?


Regards and thanks, Mauro.


 I think the interesting part comes at the end, where it says:

 NOTE: settings in /proc/sys/net are essential to enable the Linux kernel
 to pass big traffic.

 Take a look at the parameters it tunes to see if any of them might be
 useful in your case.

 Regards,







Linux router for an ISP with possible problems

2013-08-08 Thread Mauro Antivero

Dear all:

At my workplace we have a Linux router (Debian Squeeze running on a Dell
PowerEdge R210-II) through which all the traffic of the ISP's user
network passes.


The problem we are having is that when the total traffic passing through
the server reaches 550 Mbps it seems to stall, that is, it doesn't
usually grow much beyond that value. This seems strange to us because, by
our estimates, the traffic should be reaching approximately 650 Mbps.


At the time, we changed the value of:

/proc/sys/net/ipv4/netfilter/ip_conntrack_max

because when traffic reached about 200 Mbps it started to fall instead of
rising, and with dmesg we got the following message:


nf_conntrack: table full, dropping packet

After that, on a much less powerful server than the current one, we had
to play with the parameters of the network card (Intel Gigabit, I don't
remember the exact model right now) so it could handle the interrupts,
and we also had to set up bonding between two of these network cards so
it could handle all the traffic.


On the server I'm asking about now it wasn't necessary to do bonding,
but it was necessary to change the value of ip_conntrack_max.


The thing is that now, as I was saying, at first glance we aren't having
any of these problems, but we have the feeling that something is going
on.


So I wanted to ask you which parameters I should be looking at and
monitoring to see whether we really have a problem on the server or not.


One detail I think is very important is that sometimes, for no apparent
reason, the network interface drops packets. But as I said, although this
shouldn't happen, it happens rarely. Here is the data for the interface
through which the traffic comes in:


ifconfig eth0

eth0  Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
      inet addr:172.30.0.1  Bcast:172.30.0.255  Mask:255.255.255.0
      inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
      TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
      Interrupt:16 Memory:c000-c0012800

I would greatly appreciate your comments and help in determining whether
the problem is on the server or not.


I hope I haven't left out any useful data; let me know if anything is
missing.


Regards and many thanks.

Mauro.





Re (5): Configuration for a Linux router with a client having a public address

2010-10-24 Thread peasthope
*   From: Bob Proulx b...@proulx.com
*   Date: Fri, 3 Sep 2010 23:45:50 -0600
 Since those are old diagrams they don't show where carnot fits into
 things. 

*   From: Jesús M. Navarro jesus.nava...@undominio.net
*   Date: Sun, 5 Sep 2010 23:47:48 +0200
 There's neither carnot nor Allied Telesis 3612TR in your provided diagram 

Open http://142.103.107.138/NetworksPage.html and you will see 
links Extant Network and Proposed Network.

I tried the Proposed Network with a bridge as you explained.
Connectivity for Dalton and Carnot was as intended.  Oddly, 
Cantor remained connected to the LAN but lost connectivity to 
the Internet; as if masquerading had failed.  Further ideas and 
suggestions are welcome.  Also the Shorewall list might help.

I'll guess that routing can achieve a result similar to bridging 
in this case.  Bridging is more efficient?

Some of the details in the configurations listings are probably 
outdated.  I'll review and update as time is available.

Regards,   ... Peter E.



-- 
Telephone 1 360 450 2132.  7785886232 is gone.
Shop pages http://carnot.yi.org/ accessible as long as the old 
drives survive; installation of NetBSD on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .







Re (4): Configuration for a Linux router with a client having a public address

2010-10-04 Thread peasthope
*   From: Bob Proulx b...@proulx.com
*   Date: Fri, 3 Sep 2010 23:45:50 -0600
 Since those are old diagrams they don't show where carnot fits into
 things. 

*   From: Jesús M. Navarro jesus.nava...@undominio.net
*   Date: Sun, 5 Sep 2010 23:47:48 +0200
 There's neither carnot nor Allied Telesis 3612TR in your provided diagram 

The original diagram turned up late Friday.  I'll update and 
add the hypothetical configuration, scan and post on the server 
as soon as possible.

Thanks for the help, Peter E.

-- 
Telephone 1 360 450 2132.  7785886232 is gone.
Shop pages http://carnot.yi.org/ accessible as long as the old 
drives survive; installation of NetBSD on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .





Re (3): Configuration for a Linux router with a client having a public address

2010-09-04 Thread peasthope
From:   Bob Proulx b...@proulx.com
Date:   Fri, 03 Sep 2010 23:45:50 -0600
 ... carnot is already on the public internet
 with 142.103.107.138?  

OK, we've discussed two distinct configurations and 
that wasn't clear.  Friday I reinstated the old configuration 
and checked just now that carnot is still running.  
  Click here == http://142.103.107.138/ .
If you don't get the home page, the most likely explanation 
is disk drive failure.

 I thought that you had it on a private network
 and were trying to tunnel it onto the public internet. 

That was the recent investigative configuration.

In the old configuration, http://142.103.107.138/ connected 
through the AT 3612TR was accessible to the public from 2002 
until a few months ago.  I shut it down a few months back 
because the disk drives were failing.  Powered it up again 
Friday, but a drive might fail any time.  

For years I've had a private network with Dalton routing 
connectivity to Cantor.  My objective in the past week 
was to consider whether the AT 3612TR can be eliminated with 
routing through Dalton.  The private subnet to Carnot is 
incidental to my study of how the objective might be reached.

 And of course carnot isn't on the diagram so I feel I am just missing
 the mark here.

Carnot and the AT 3612TR being absent from the diagram is 
a bad deficiency.  I'll add them on Tuesday or Wednesday 
when back at work.  The AT 3612TR is between dalton and the 
Internet.  Carnot is connected to the AT 3612TR beside 
Dalton.

 What is carnot's first card's address and which wire is it hooked to?

It has only one interface.  In the old configuration the 
address is 142.103.107.138 and it is connected to the AT 3612TR.

 If carnot is already on 142.103.107.138 then why does it need a
 private address ...

The primary objective is find whether the AT 3612TR can be 
eliminated by routing through dalton.  The private subnet 
to Carnot was part of my study of whether and how this 
objective might be reached.  Typically, a Linux router 
has private subnets.

 ... and what looks like an openvpn point to point link
 between it [carnot] and dalton?

As you said a little earlier, carnot is not on the diagram.  
The tunnel is between dalton and joule and has no relevance 
to my present objective.  The scanned image from a penciled 
sketch isn't good but zooming bigger will help.  In iceweasel 
left click.

 No wire?  Then why have it [second Ethernet adapter]?

In the previous message I asked whether and how carnot could 
have two addresses.  A second interface seems an obvious 
possibility.

 Simply add the other address. 
 ...
   up ip addr add 192.168.1.100/24 brd 192.168.1.255 dev eth0 label eth0:0
 ...

That's easy but not obvious; thanks!  I'd guess it's documented 
or described somewhere but not in interfaces.man.

 ... It enables two different subnets to co-exist on the same wire. ...

That idea helps.  I thought of another question, probably 
more directly relevant to my objective.  Will post it 
with subject Linux hub.

Thanks, ... Peter E.

-- 
VoIP 7785886232 is gone.  Please use 13604502132.
Shop pages http://carnot.yi.org/ accessible as long as the old 
drives survive; installation of netbsd on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .





Re (2): Configuration for a Linux router with a client having a public address

2010-09-03 Thread peasthope
From:   Bob Proulx b...@proulx.com
Date:   Thu, 02 Sep 2010 20:55:04 -0600
 Excellent diagram!  Thank you very much for sharing it.

Welcome.  Until I have a definite plan, the old configuration with carnot on 
the AT 3612TR is restored.  All of these should work as long as the old disk 
drives hold up.
  http://142.103.107.138/
  http://carnot.yi.org/
  http://carnot.pathology.ubc.ca/
My network is documented in 
  http://carnot.yi.org/NetworksPage.html 
with a link under Miscellaneous Links in the home page.

 The .137 is in the diagram as attached to dalton.  I know you said
 that was an old diagram.  But is that perhaps reversed with .138? 

The configuration in the diagram is current.
dalton = 142.103.107.137
carnot = 142.103.107.138

 There are two main directions that I would suggest, and one of those
 main directions has two sub-directions. One way is to have
 dalton configured for *both* addresses ...
 Another way would be to use the Linux netfilter interface to port
 forward the desired ports. 

If carnot had extra space on a bus, I'd think of adding a second Ethernet 
card with address 142.103.107.138.  The existing Ethernet on carnot would 
be 172.24.2.2 connected to dalton's 172.24.2.1.  The second Ethernet 
on carnot would have no cable attached of course.  Assuming dalton receives 
142.103.107.138 packets, as well as its own, it would simply route 
the 142.103.107.138 packets out through 172.24.2.1.  No translation of 
address or port would be required.  In this respect dalton would work 
as the AT hub does.

There is no simple means of adding a second Ethernet adapter to carnot.
Can two addresses be assigned to one interface?
Is there anything which might be called a phantom interface?  Similar to 
localhost.  If such a thing exists it should serve for 142.103.107.138.

Thanks,... Peter E.

-- 
VoIP 7785886232 is gone.  Please use 13604502132.
Shop pages http://carnot.yi.org/ accessible as long as the 
old drives work; installation of netbsd on new drives pending.
Personal pages, http://members.shaw.ca/peasthope/ .





Re: Re (2): Configuration for a Linux router with a client having a public address

2010-09-03 Thread Bob Proulx
peasth...@shaw.ca wrote:
 http://142.103.107.138/

So now I am really confused.  carnot is already on the public internet
with 142.103.107.138?  I thought that you had it on a private network
and were trying to tunnel it onto the public internet.  I am really
confused now.  Sorry.

 My network is documented in 
   http://carnot.yi.org/NetworksPage.html 
 with a link under Miscellaneous Links in the home page.

Since those are old diagrams they don't show where carnot fits into
things.  On which wire will carnot be placed?  That part I am not
clear about.  Thanks.

 The configuration in the diagram is current.
 dalton = 142.103.107.137
 carnot = 142.103.107.138

And of course carnot isn't on the diagram so I feel I am just missing
the mark here.

 If carnot had extra space on a bus, I'd think of adding a second Ethernet 
 card with address 142.103.107.138.

What is carnot's first card's address and which wire is it hooked to?

 The existing Ethernet on carnot would be 172.24.2.2 connected to
 dalton's 172.24.2.1.

If carnot is already on 142.103.107.138 then why does it need a
private address and what looks like an openvpn point to point link
between it and dalton?

 The second Ethernet on carnot would have no cable attached of
 course.

No wire?  Then why have it?  I am much confused!

 Can two addresses be assigned to one interface?

Yes.  Easily.  Simply add the other address.  I prefer to use the 'ip'
tool for these kinds of things.  Make sure you have the 'iproute'
package installed.  Then you can say

  # ip addr add 192.168.1.100/24 brd 192.168.1.255 dev eth0 label eth0:0
  # ip addr del 192.168.1.115/24 dev eth0 label eth0:0

and you can put those in up and down directives in your
/etc/network/interfaces file.

  allow-hotplug eth0
  iface eth0 inet static
      address 172.16.1.200
      netmask 255.255.255.0
      network 172.16.1.0
      broadcast 172.16.1.255
      gateway 172.16.1.1
      up ip addr add 192.168.1.100/24 brd 192.168.1.255 dev eth0 label eth0:0
      down ip addr del 192.168.1.100/24 dev eth0 label eth0:0

That adds an address with a label when the interface comes up and
removes it when the interface is brought down.  It enables two
different subnets to co-exist on the same wire.  This machine knows
about both subnets and can talk to either.  A machine with an IP on
only one of those subnets would only know about that one and not the
other.  It isn't a security arrangement since if an interface were in
promiscuous mode it would observe all packets on both networks.  It is
useful in some situations such as IP renaming transitions and other
cases.

Bob




Configuration for a Linux router with a client having a public address

2010-09-02 Thread peasthope
Given linux router dalton, eth 3, connected to a local machine 
carnot, eth0, with a cross-over cable, I need some help to set 
the configurations properly.

#dalton:/etc/network/interfaces
   ...
iface eth3 inet static
    address 172.24.2.1
    up   route add -host 142.103.107.138
    down route del -host 142.103.107.138

#carnot:/etc/network/interfaces
   ...
iface eth0 inet static
    address 142.103.107.138
    gateway 172.24.2.1

Obviously these specifications are deficient; but there 
is no point in fretting details until I understand the 
concepts.  The link must be in a network.  How can 
172.24.2.1 and 142.103.107.138 be in one network?  Does 
carnot need a local address along with its public address?

Incidental points.

http://www.linuxrouter.org/ appears to be defunct although 
many links to it exist.  At least one in tldp.org.

r...@dalton:~# /etc/init.d/networking restart
Running /etc/init.d/networking restart is deprecated because it may not enable
again some interfaces ... (warning).

So networking restart is deprecated.  What is the new way?

Thanks,  ... Peter E.



-- 
VoIP 7785886232 is gone.  Please use 13604502132.
Sparcstation 2 netboots netbsd; installation pending.
Personal site works;  http://members.shaw.ca/peasthope/ .





Re: Configuration for a Linux router with a client having a public address

2010-09-02 Thread Bob Proulx
peasth...@shaw.ca wrote:
 Given linux router dalton, eth 3, connected to a local machine 
 carnot, eth0, with a cross-over cable, I need some help to set 
 the configurations properly.
 
 #dalton:/etc/network/interfaces
...
 iface eth3 inet static
   address 172.24.2.1
   up   route add -host 142.103.107.138
   down route del -host 142.103.107.138

So dalton has address 172.24.2.1 in the RFC1918 private address space.
And additionally you are adding a host route to ip address
142.103.107.138 which will be locally connected.  This seems like
trouble since you do not have a local address on that network.

 #carnot:/etc/network/interfaces
...
 iface eth0 inet static
   address 142.103.107.138
   gateway 172.24.2.1

So carnot has address 142.103.107.138, missing a netmask and network
configuration, but has a gateway that is not on the local subnet?
That is trouble.  Strictly speaking it would need a gateway to reach
the defined gateway.  That isn't good.

 Obviously these specifications are deficient; but there 
 is no point in fretting details until I understand the 
 concepts.

If you want a point to point network between two machines on a
crossover cable then both hosts should be on the same subnet.

 The link must be in a network.  How can 172.24.2.1 and
 142.103.107.138 be in one network?

You have asked the question but it is your configuration!  Why did you
configure it that way if you already realize that it won't work?
Practically they can't.  Hypothetically you could join them together
but you don't really want to do that.  Instead define a subnet for
both hosts and put each host on that subnet.

 Does carnot need a local address along with its public address?

You have given carnot the 142.103.107.138 address.  That is in the
public address space.  But it looks like it is on a private network
behind another router.

Are you trying to put a host up on the public Internet and trying to
place it behind a firewall/router?

Is dalton a router on the public Internet?  (It would help to know if
it is a WRT54G type of router or if it is a full functionality Debian
host.)  Is carnot a machine on your private network that you want to
actually host the public Internet service (HTTP, SMTP, SSH)?  Are you
trying to port forward public Internet services through dalton to
carnot?  I am guessing it is something like that.

In that case it is your public Internet router dalton that should get
the public IP address.  (Or at least an arp proxy, but I think that is
more complicated.)  Then have it port forward to carnot for the
services that you want to host on carnot.  At least this is one way to
do it.  There are several different ways.  And each of them has
subtle things that if not configured correctly will cause things not
to work as desired.

 r...@dalton:~# /etc/init.d/networking restart
 Running /etc/init.d/networking restart is deprecated because it may not
 enable again some interfaces ... (warning).
 
 So networking restart deprecated.  What is the new way?

The new way is with ifup and ifdown.

  sudo ifdown eth0
  sudo ifup eth0

In the old days interfaces were quite static on systems.  But with the
coming of removable and hotplug devices such as PCMCIA or USB network
interface cards there was a need to move to a more dynamic system.
Before networking needed to come online at boot time and go offline at
shutdown time.  But that isn't sufficient now.  Now devices come
online when they are plugged in and go offline when they are
disconnected.  Everything has been rewritten to be event driven.

For those of us who were used to the old static boot time system it is
a little bit of a change in mind set but a worthwhile one because of
the new capabilities that it provides.  Basically this means that you
rarely if ever should have the need to run /etc/init.d/networking stop
but would bring an individual interface offline with ifdown eth0
instead.

Bob




Re: Configuration for a Linux router with a client having a public address

2010-09-02 Thread peasthope
From:   Bob Proulx b...@proulx.com
Date:   Thu, 02 Sep 2010 14:00:20 -0600
 So dalton has address 172.24.2.1 in the RFC1918 private address space.

Dalton has external address 142.103.107.137 and several internal addresses 
including 172.24.2.1.

Here is an old sketch.  Dalton is on the left.  We're not concerned with Joule.
http://members.shaw.ca:80/peasthope/Network.jpg
Until my current tinkering, Carnot and Dalton were both connected to the 
network through an old Allied Telesis CentreCOM 3612TR not in the sketch.  
The current objective is to eliminate the 3612TR and route to Carnot through 
Dalton.  Two benefits: less machinery running; faster communication to 
Dalton.  The 3612TR is 10BASE-T.

 If you want a point to point network between two machines on a
 crossover cable then both hosts should be on the same subnet.

"Both ends of a cable must be on one subnet." is an axiom of networking?  
That's crucial.

 Instead define a subnet for both hosts and put each host on that subnet.

For example, Carnot gets address 172.24.2.2 connecting to Dalton at 172.24.2.1. 
 
Still, the outside world expects to find Carnot at 142.103.107.138.  
Continued below.

 Is dalton a router on the public Internet?  (It would help to know if
 it is a WRT54G type of router or if it is a full functionality Debian
 host.) 

Dalton is a Linux router running Debian Squeeze with public address 
142.103.107.137.  The firewall will prevent a response by ping.
ssh 142.103.107.137 should indicate it exists.

 Is carnot a machine on your private network that you want to
 actually host the public Internet service (HTTP, SMTP, SSH)?

Correct.  HTTP & SSH are sufficient.

 ... dalton that should get the public IP address.  ... have it port forward 
to carnot for the services that you want to host on carnot.  

Dalton gets 142.103.107.138 while carnot has only a local address;  
neither machine uses 142.103.107.137.

 There are several different ways.  And each of them have
 subtle things that if not configured correctly will cause things not
 to work as desired.

OK.  It's a learning exercise for now.

 The new way is with ifup and ifdown.
 
   sudo ifdown eth0
   sudo ifup eth0
  ... bring an individual interface offline with ifdown eth0
instead.

Right oh.  Will try these ideas tomorrow morning or next week.

Thanks,... Peter E.


-- 
VoIP 7785886232 is gone.  Please use 13604502132.
Sparcstation 2 netboots netbsd; installation pending.
Personal site works;  http://members.shaw.ca/peasthope/ .


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/171056610.63433.417...@cantor.invalid



Re: Configuration for a Linux router with a client having a public address

2010-09-02 Thread Bob Proulx
peasth...@shaw.ca wrote:
 Bob Proulx wrote:
  So dalton has address 172.24.2.1 in the RFC1918 private address space.
 
 Dalton has external address 142.103.107.137 and several internal addresses 
 including 172.24.2.1.
 
 Here is an old sketch.  Dalton is on the left.  We're not concerned with 
 Joule.
 http://members.shaw.ca:80/peasthope/Network.jpg

Excellent diagram!  Thank you very much for sharing it.

 Until my current tinkering, Carnot and Dalton were both connected to the 
 network through an old Allied Telesis CentreCOM 3612TR not in the sketch.  
 The current objective is to eliminate the 3612TR and route to Carnot through 
 Dalton.  Two benefits: less machinery running; faster communication to 
 Dalton.  The 3612TR is 10BASE-T.

And it is a hub instead of a switch too.  Good box in its day though.

  If you want a point to point network between two machines on a
  crossover cable then both hosts should be on the same subnet.
 
 "Both ends of a cable must be on one subnet." is an axiom of networking?  
 That's crucial.

Yes.  Keep both ends of the cable on the same subnet.

  Instead define a subnet for both hosts and put each host on that subnet.
 
 For example, Carnot gets address 172.24.2.2 connecting to Dalton at
 172.24.2.1.

Yes.  Exactly.

 Still, the outside world expects to find Carnot at
 142.103.107.138.  Continued below.

I see and note that that address is one over from dalton's public IP
address.

  Is dalton a router on the public Internet?  (It would help to know if
  it is a WRT54G type of router or if it is a full functionality Debian
  host.) 
 
 Dalton is a Linux router running Debian Squeeze with public address 
 142.103.107.137.

Good to know.  It opens up additional possibilities.

 The firewall will prevent a response by ping.  ssh 142.103.107.137
 should indicate it exists.

Yes.  Note that you can get one level lower and connect to the ssh
port 22 directly.  I like to use 'connect' but others will use 'nc' or
'socat' or other favorite tools.  But everyone has telnet.

  $ telnet example.com 22
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.1p1 Debian-5

However to exit telnet you have to be able to read the message "Escape
character is '^]'." and then type that in and then "q" or "quit" to get
out.  You would be surprised at how many times I have had people have
trouble there.  So I like 'connect' which is 8-bit clean and can be
interrupted.

  apt-get install connect-proxy

  $ connect example.com 22
  SSH-2.0-OpenSSH_5.1p1 Debian-5

  Is carnot a machine on your private network that you want to
  actually host the public Internet service (HTTP, SMTP, SSH)?
 
 Correct.  HTTP & SSH are sufficient.

Oh good.

  ... dalton that should get the public IP address.  ... have it
  port forward to carnot for the services that you want to host on
  carnot.
 
 Dalton gets 142.103.107.138 while carnot has only a local address;  
 neither machine uses 142.103.107.137.

The .137 is in the diagram as attached to dalton.  I know you said
that was an old diagram.  But is that perhaps reversed with .138?  It
doesn't really matter since you know which is which but just trying to
keep up here.  I will make the assumption for now and move on.

  There are several different ways.  And each of them have
  subtle things that if not configured correctly will cause things not
  to work as desired.
 
 OK.  It's a learning exercise for now.

There are two main directions that I would suggest, and one of those
main directions has two sub-directions. (grin)  One way is to have
dalton configured for *both* addresses and then tunnel the ports over
to carnot through ssh.  That has the advantage of being simple and
easy to put together in parts.  But the use of ssh isn't the most
efficient and some people find ssh confusing.

Another way would be to use the Linux netfilter interface to port
forward the desired ports.  My favorite netfilter tool is Shorewall.
Using the Linux netfilter with Shorewall seems the most attractive.
But it can be the most confusing to debug and get working correctly so
isn't the easiest either.  But I think you probably want a Proxy ARP
configuration.

Look at this documentation for one way of how to set this up.

  http://www.shorewall.net/shorewall_setup_guide.htm

  http://www.shorewall.net/ProxyARP.htm

Good luck!  I would be interested to know how this turns out.

Bob



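Bob's banner check above (connect to port 22 and read the identification string, sending nothing) is a gentle way to confirm a host is up and what it runs, with no login attempt for the target's auth log. The following is an added example in Python, not code from the message or from Debian: it reads the identification line as RFC 4253 section 4.2 describes it, skipping any pre-banner lines a server is allowed to send first, and splits it into protocol version, software version and comments. To run offline, a loopback listener stands in for a real sshd; the banner bytes, the listener and the function names are constructed for this example.

```python
import socket
import threading

# Constructed identification string, modelled on the one quoted in the thread.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"


def parse_ssh_banner(line: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion [SP comments]' (RFC 4253 4.2)
    into its three parts. Raises ValueError for anything else."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {text!r}")
    ident, _, comments = text.partition(" ")
    parts = ident.split("-", 2)        # ["SSH", protoversion, softwareversion]
    if len(parts) != 3 or not parts[2]:
        raise ValueError(f"malformed identification string: {text!r}")
    return {"proto": parts[1], "software": parts[2], "comments": comments}


def read_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, read up to the identification line, return it parsed.
    Nothing is written to the socket, so the server sees only a connect and
    a disconnect. RFC 4253 lets a server send other text lines before the
    'SSH-' line, so those are skipped; a small cap stops us waiting on a
    peer that never sends one."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        with sock.makefile("rb") as reader:
            for _ in range(20):
                line = reader.readline(255)
                if not line:
                    break
                if line.startswith(b"SSH-"):
                    return parse_ssh_banner(line)
    raise ValueError(f"{host}:{port} did not send an SSH identification string")


def start_fake_ssh_server(banner: bytes = SAMPLE_BANNER):
    """Loopback listener that sends only `banner` and closes, so the example
    runs without a real sshd. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    h, p = start_fake_ssh_server()
    print(read_ssh_banner(h, p))
```

Point `read_ssh_banner` at a real host and port 22 to use it as Bob uses `connect`; the parsed software field is what you would compare against your inventory when checking which routers still run an old sshd.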

Re: ideas for Linux router?

2009-05-16 Thread Alex Samad
On Fri, May 15, 2009 at 12:16:15PM +, Ólafur Jens Sigurðsson wrote:
 On Fri, May 08, 2009 at 02:18:24PM +0800, Bob wrote:
  Alex Samad wrote:
  On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:

  Hello,
 
  I got an awesome deal today on a Linksys wired Etherfast Cable/DSL
  router and 4 port switch - $5 USD at our local Goodwill Computer Store.
  They get donations and then sell them (they are a non-profit corp. that 
  helps
  the disabled). The model number is: BEFSR41 version 3.
  
 
  have a look at openwrt.org
 
 In the latest issue of linuxformat there is mention of a worm called
 psybOt that affects openwrt and routers based on mipsel (a debian
 derived distribution), so keep your eyes open.

yes it targets linux boxes that have weak root passwords. openwrt by
default doesn't allow password ssh, only certificate - there is more about
this on the openwrt.org web page

alex

 
 Oli
 
 

-- 
I thought YOU silenced the guard!




Re: ideas for Linux router?

2009-05-15 Thread Ólafur Jens Sigurðsson
On Fri, May 08, 2009 at 02:18:24PM +0800, Bob wrote:
 Alex Samad wrote:
 On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
   
 Hello,

 I got an awesome deal today on a Linksys wired Etherfast Cable/DSL
 router and 4 port switch - $5 USD at our local Goodwill Computer Store.
 They get donations and then sell them (they are a non-profit corp. that 
 helps
 the disabled). The model number is: BEFSR41 version 3.
 

 have a look at openwrt.org

In the latest issue of linuxformat there is mention of a worm called
psybOt that affects openwrt and routers based on mipsel (a debian
derived distribution), so keep your eyes open.

Oli





Re: ideas for Linux router?

2009-05-08 Thread Bob

Alex Samad wrote:

On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
  

Hello,

I got an awesome deal today on a Linksys wired Etherfast Cable/DSL
router and 4 port switch - $5 USD at our local Goodwill Computer Store.
They get donations and then sell them (they are a non-profit corp. that helps
the disabled). The model number is: BEFSR41 version 3.



have a look at openwrt.org
  


No point, the BEFSR41 does not run Linux and there is no 3rd party 
firmware for it.  I have one and no longer use it as my firewall / router 
as there is no way of assigning static IP addresses on its internal 
DHCP server.


If you wish to use it as a router and need static IPs you can either 
assign them manually or turn off the DHCP server and use another one


Or turn off the DHCP server and use it as a 4 port switch

Or what I do with mine is I've changed its IP to 192.168.1.2 and the 
DHCP range starts at 192.168.1.10.  Then when I wish to reset / reflash / 
tinker with my Openwrt box I can put it into Failsafe mode, which sets 
its IP address to 192.168.1.1 but disables the DHCP server; I turn on my 
BEFSR41, renew my IP and telnet into my openwrt box.  This saves mucking 
about with static IPs (which I can't seem to get working) and makes 
the whole thing easier.


The BEFSR41 is pretty old now, doesn't have great throughput (12Mb/s??) 
and is lacking in quite a few features, one thing going for it is it has 
a really good h.323 helper if you use that VOIP protocol.



What exactly can I do with this in Linux? I have 2 computers and would
like to network them using this.

It came with a 6 foot ethernet cable and a 12V power adapter. Any ideas
and/or pointers on what to do to set this up in Linux would be great.
Right now I have raw ethernet frames being sent to my laptop which is
using static IP so I have nothing in the way:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.93.172.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         66.93.172.1     0.0.0.0         UG    0      0        0 eth0

My eventual goal is to setup a DMZ network and route my public network
traffic behind that but for the present I just want to get my 2
computers sharing the DSL line using this router I got.

Here is my planned DMZ setup:
http://www.hyperyoda.org/my-DMZ-network-diagram.png

PS: The Goodwill store has a 20 port Agilent switch (still wrapped in
plastic in the box) for $20.
Is that also a good deal?

Zach









ideas for Linux router?

2009-05-06 Thread Zachary Uram
Hello,

I got an awesome deal today on a Linksys wired Etherfast Cable/DSL
router and 4 port switch - $5 USD at our local Goodwill Computer Store.
They get donations and then sell them (they are a non-profit corp. that helps
the disabled). The model number is: BEFSR41 version 3.

What exactly can I do with this in Linux? I have 2 computers and would
like to network them using this.

It came with a 6 foot ethernet cable and a 12V power adapter. Any ideas
and/or pointers on what to do to set this up in Linux would be great.
Right now I have raw ethernet frames being sent to my laptop which is
using static IP so I have nothing in the way:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.93.172.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         66.93.172.1     0.0.0.0         UG    0      0        0 eth0

My eventual goal is to setup a DMZ network and route my public network
traffic behind that but for the present I just want to get my 2
computers sharing the DSL line using this router I got.

Here is my planned DMZ setup:
http://www.hyperyoda.org/my-DMZ-network-diagram.png

PS: The Goodwill store has a 20 port Agilent switch (still wrapped in
plastic in the box) for $20.
Is that also a good deal?

Zach





Re: ideas for Linux router?

2009-05-06 Thread Alex Samad
On Wed, May 06, 2009 at 09:23:52PM -0400, Zachary Uram wrote:
 Hello,
 
 I got an awesome deal today on a Linksys wired Etherfast Cable/DSL
 router and 4 port switch - $5 USD at our local Goodwill Computer Store.
 They get donations and then sell them (they are a non-profit corp. that helps
 the disabled). The model number is: BEFSR41 version 3.

have a look at openwrt.org

 
 What exactly can I do with this in Linux? I have 2 computers and would
 like to network them using this.
 
 It came with a 6 foot ethernet cable and a 12V power adapter. Any ideas
 and/or pointers on what to do to set this up in Linux would be great.
 Right now I have raw ethernet frames being sent to my laptop which is
 using static IP so I have nothing in the way:
 
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 66.93.172.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
 0.0.0.0         66.93.172.1     0.0.0.0         UG    0      0        0 eth0
 
 My eventual goal is to setup a DMZ network and route my public network
 traffic behind that but for the present I just want to get my 2
 computers sharing the DSL line using this router I got.
 
 Here is my planned DMZ setup:
 http://www.hyperyoda.org/my-DMZ-network-diagram.png
 
 PS: The Goodwill store has a 20 port Agilent switch (still wrapped in
 plastic in the box) for $20.
 Is that also a good deal?
 
 Zach
 
 

-- 
My pan plays down an unprecedented amount of our national debt.

- George W. Bush
02/27/2001
in his budget address to Congress




Re: configuration of a linux router

2008-06-22 Thread peasthope
Andrew & others,

At Date: Mon, 16 Jun 2008 16:42:41 -0700 A.S-W. wrote,
that does not mean that a rule for POP3 is not needed. I don't
remember if shorewall is case sensitive, but I bet it is in the
context of defining a rule. maybe post the actual config line that
produces the error?

My /etc/shorewall/rules, with the offending rules for POP3 
commented out, is now visible.
http://carnot.pathology.ubc.ca/rules

The report from shorewall.
http://carnot.pathology.ubc.ca/ShorewallReport

Equally peculiar: while the rule for SMTP is commented 
out, a message can be sent from loc _via_ SMTP.

Thanks for any help, ... Peter E.


-- 
http://carnot.yi.org/ 
  = http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/





Re: configuration of a linux router

2008-06-16 Thread peasthope
Folk,

At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
... if you want to really understand it use
shorewall after reading shorewall-doc.

ipmasq works but I want to use shorewall.

I wonder why rules are needed for FTP but not 
for POP3.  In fact, a rule for POP3 produces a 
complaint about ... unknown protocol 'pop3' 

Any ideas?

Thanks, ... Peter E.

-- 
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/






Re: configuration of a linux router

2008-06-16 Thread Paul Johnson
On Mon, 2008-06-16 at 16:01 -0700, [EMAIL PROTECTED] wrote:
 Folk,
 
 At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
 ... if you want to really understand it use
 shorewall after reading shorewall-doc.
 
 ipmasq works but I want to use shorewall.
 
 I wonder why rules are needed for FTP but not 
 for POP3.  In fact, a rule for POP3 produces a 
 complaint about ... unknown protocol 'pop3' 

In an unusual move, the FTP server connects to the client:  Two
connections are maintained instead of just one.  You can force FTP to
just use the client to server connection by using passive mode, but
given that doing so makes some operations problematic, it's kind of a
last-resort mode.

-- 
Paul Johnson
[EMAIL PROTECTED]




Re: configuration of a linux router

2008-06-16 Thread peasthope
Folk,

At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
... if you want to really understand it use
shorewall after reading shorewall-doc.

ipmasq works but I want to use shorewall.

I wonder why rules are needed for FTP but  
a rule for POP3 produces a complaint about 
... unknown protocol 'pop3' 

I need POP3 and SMTP to move mail.
Any ideas?

Thanks, ... Peter E.

-- 
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/





Re: configuration of a linux router

2008-06-16 Thread Andrew Sackville-West
On Mon, Jun 16, 2008 at 04:01:39PM -0700, [EMAIL PROTECTED] wrote:
 Folk,
 
 At Sun, 23 Mar 2008 20:27:40 -0400 Douglas A. Tutty wrote,
 ... if you want to really understand it use
 shorewall after reading shorewall-doc.
 
 ipmasq works but I want to use shorewall.
 
 I wonder why rules are needed for FTP but not 
 for POP3.  In fact, a rule for POP3 produces a 
 complaint about ... unknown protocol 'pop3' 

that does not mean that a rule for POP3 is not needed. I don't
remember if shorewall is case sensitive, but I bet it is in the
context of defining a rule. maybe post the actual config line that
produces the error? 

A




Re: configuration of a linux router

2008-06-16 Thread peasthope
Paul & others,

At Mon, 16 Jun 2008 16:33:50 -0700 Paul Johnson wrote,
... the FTP server connects to the client:  Two
connections are maintained ...

As I am aware, ssh uses only one connection but it 
also gets ACCEPT rules.  So I still don't understand why 
some protocols, dns, ftp and ssh, need rules in 
/etc/shorewall/rules while other protocols, pop, 
smtp and http, do not.  Does shorewall accept  
the latter protocols by default?  Seems contrary 
to reason.

Thanks,  ... Peter E.


-- 
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/





Re: configuration of a linux router

2008-03-23 Thread peasthope
Douglas,

dt> Now you're using shaw.ca for your home domain.  Do you own that?  Would
you like to e.g. relay mail for all of shaw.ca?

Not really.  

OK, I've invented the domain name petershouse; 
the current hosts file follows.  Please let me know of any 
remaining errors.

Isn't there a place to specify the domain, analogous to /etc/hostname?  
Unfortunate that these matters aren't mentioned in the hosts 
man page.  Also, I wonder that /etc/hostname, /etc/hosts, 
/etc/network/interfaces and perhaps a few other files haven't 
been amalgamated into one.  Excessive fragmentation increases 
the likelihood of confusion and error.

Thanks,  ... Peter E.

# /etc/hosts file
127.0.0.1   localhost.localdomain localhost

# Private LANs at home 
172.23.4.1  joule.petershouse   joule
172.23.4.2  curie.petershouse   curie

172.23.5.1  joule.petershouse   joule
172.23.5.2  heaviside.petershouse   heaviside

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
  


Desktops.OpenDoc  http://carnot.yi.org/





Re: configuration of a linux router

2008-03-23 Thread Andrei Popescu
On Sun, Mar 23, 2008 at 09:07:32AM -0700, [EMAIL PROTECTED] wrote:
 Douglas,
 
 dt> Now you're using shaw.ca for your home domain.  Do you own that?  Would
 you like to e.g. relay mail for all of shaw.ca?
 
 Not really.  
 
 OK, I've invented the domain name petershouse; 
 the current hosts file follows.  Please let me know of any 
 remaining errors.
 
 Isn't there a place to specify the domain, analogous to /etc/hostname?  
 Unfortunate that these matters aren't mentioned in the hosts 
 man page.  Also, I wonder that /etc/hostname, /etc/hosts, 
 /etc/network/interfaces and perhaps a few other files haven't 
 been amalgamated into one.  Excessive fragmentation increases 
 the likelihood of confusion and error.

Hhmm, not really. /etc/network/interfaces is for configuring your 
*interfaces* and is Debian specific.

/etc/hostname and /etc/hosts are traditional *nix and serve a different 
purpose (yes I know they are all related to the network, but still ...).

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)




Re: configuration of a linux router

2008-03-23 Thread Douglas A. Tutty
On Sun, Mar 23, 2008 at 09:07:32AM -0700, [EMAIL PROTECTED] wrote:
 dt> Now you're using shaw.ca for your home domain.  Do you own that?  Would
 you like to e.g. relay mail for all of shaw.ca?
 
 Not really.  

Didn't think so :)

 
 OK, I've invented the domain name petershouse; 
 the current hosts file follows.  Please let me know of any 
 remaining errors.

It looks fine.

Does it work?

Do you have any firewall doing network address translation?  If you want
fire-and-forget just use ipmasq, if you want to really understand it use
shorewall after reading shorewall-doc.

What about supplying DNS services to your network?  The easiest is to
install dnsmasq.

 
 Isn't there a place to specify the domain, analogous to /etc/hostname?  
 Unfortunate that these matters aren't mentioned in the hosts 
 man page.  Also, I wonder that /etc/hostname, /etc/hosts, 
 /etc/network/interfaces and perhaps a few other files haven't 
 been amalgamated into one.  Excessive fragmentation increases 
 the likelihood of confusion and error.

No.  Each *NIX has its own way, however /etc/hosts is standard.  Unix
networking was developed with BSD and was then imported by the other
*nix in various ways.  Then different *nix made automated scripts to do
the networking setup and each puts its configs somewhere different.  On
debian, it's /etc/hostname and /etc/network/interfaces.

It's all well documented and hasn't changed in a long time.  Read the
debian-reference.

 
 # /etc/hosts file
 127.0.0.1   localhost.localdomain   localhost
 
 # Private LANs at home 
 172.23.4.1   joule.petershouse       joule
 172.23.4.2   curie.petershouse       curie
 
 172.23.5.1   joule.petershouse       joule
 172.23.5.2   heaviside.petershouse   heaviside
 
 # The following lines are desirable for IPv6 capable hosts
 ::1 ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts
   
 
 
 Desktops.OpenDoc  http://carnot.yi.org/

I don't know what this line is for.

Doug.





Re: configuration of a linux router

2008-03-18 Thread Douglas A. Tutty
On Mon, Mar 17, 2008 at 11:20:24AM -0700, [EMAIL PROTECTED] wrote:
 dt> if you don't own peasthope.yi.org, then I wouldn't use it even locally.
 
 But I do own the machine and the name.
OK
I, personally, for the 127.0.0.1 would only use localhost and
localhost.localdomain

 yi.org is a dynamic dns service.  Not 
 already being allocated is a precondition 
 to assigning peasthope.yi.org to my computer.

If this means that there is some possibility at any given time that you
will not own that domain, then I would not use it locally.  I'd use
something else entirely.  I suppose there would be no problem with using
'peasthope' without the .yi.org as a local domain since without it, it
will never be routable on the internet.

 dt> It is a valid name.
 
 So ... I miss your drift here.

I've seen people use a made-up name on their local network then have
trouble, if they don't get their DNS setup just right, with packets
getting routed to the real example.com whatever.  I thought that you
had just made up the name.

If you owned the name outright, then there would be no problem using it
locally.  

 dt> e.g.
 dt> 172.23.4.1   [thisbox].[yourlocaldomain]   [thisbox]
 
 Is [yourlocaldomain] a domain name used 
 only on my private LAN?  

Yes.  One that cannot be routed to the internet, unless you own the
domain.

 I understand why computers have names.
 ftp curie is better than ftp 172.23.4.2.
 But what is the benefit of a domain name 
 for my LAN?

Well, any time you need to lump your network together in, e.g.
hosts.allow or in an MTA setup (e.g. host for which you will relay mail),
it's a lot easier to say  *.hooton than to individually list all the
hosts.  Especially if you later add a host, you don't have to go around
adding its name everywhere.  It also is fundamental if you use anything
other than files for resolving.  
 
 The revised /etc/hosts is appended.  With 
 any luck it is closer to what you suggested.
 
 ===
 .joule:~# cat /etc/hosts
 # /etc/hosts file
 127.0.0.1   localhost.localdomain   localhost
 
 # Private LANs at home 
 172.23.4.1   joule.shaw.ca       joule
 172.23.4.2   curie.shaw.ca       curie
 
 172.23.5.1   joule.shaw.ca       joule
 172.23.5.2   heaviside.shaw.ca   heaviside

Now you're using shaw.ca for your home domain.  Do you own that?  Would
you like to e.g. relay mail for all of shaw.ca?






Re: configuration of a linux router

2008-03-17 Thread NN_il_Confusionario
On Sun, Mar 16, 2008 at 08:12:44PM -0400, Douglas A. Tutty wrote:
 On Sun, Mar 16, 2008 at 04:38:36PM -0700, [EMAIL PROTECTED] wrote:
  # /etc/hosts file
  127.0.0.1   peasthope.yi.org   joule   localhost
   ^^
 this should be: localhost.localdomain localhost

the archive of the debian mailing lists contain a long discussion about
localhost versus localhost.localdomain

From what I remember, the RFCs for the DNS say that localhost *is* a
FQDN (the only one without a dot, to the best of my knowledge), and they
do not speak about localhost.localdomain

So a line

127.0.0.1   localhost

or

127.0.0.1   localhost   first-alias second-alias

should be correct.

-- 
Whoever uses non-free software poisons you too.  Tell them to stop.
Computing = arsenic: tiny doses in rare pathological cases, otherwise lethal.
Computing = bomb: smart only for the fools who believe in it.



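The advice in this thread about /etc/hosts (Douglas: do not borrow a domain you do not own, since a resolver slip can then route traffic to its real owner, and give every LAN host a canonical name plus short alias; NN_il_Confusionario: the loopback line should name localhost and nothing routable) can be checked mechanically. The following is an added example, not code from the list or from Debian: a small hosts-file linter run over three constructed files modelled on the versions Peter posted. The `owned_domains` parameter and the wording of the findings are my own choices; nothing here can verify domain ownership offline, so the caller states what it owns.

```python
import ipaddress

# Constructed /etc/hosts samples modelled on the three versions posted in this
# thread (re-typed here, not copied from any machine).
HOSTS_FIRST = """\
# /etc/hosts file
127.0.0.1   peasthope.yi.org   joule   localhost

# Private LANs at home
172.23.4.2  curie
172.23.5.2  heaviside
"""

HOSTS_SECOND = """\
127.0.0.1   localhost.localdomain   localhost
172.23.4.1  joule.shaw.ca        joule
172.23.4.2  curie.shaw.ca        curie
172.23.5.1  joule.shaw.ca        joule
172.23.5.2  heaviside.shaw.ca    heaviside
"""

HOSTS_THIRD = """\
127.0.0.1   localhost.localdomain   localhost
172.23.4.1  joule.petershouse       joule
172.23.4.2  curie.petershouse       curie
172.23.5.1  joule.petershouse       joule
172.23.5.2  heaviside.petershouse   heaviside
::1         ip6-localhost ip6-loopback
"""


def parse_hosts(text):
    """Return [(address, canonical_name, [aliases])]; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        entries.append((ipaddress.ip_address(fields[0]), fields[1], fields[2:]))
    return entries


def check_hosts(text, owned_domains=()):
    """Lint a hosts file against the advice in this thread. Returns a list of
    finding strings; an empty list means no objections. owned_domains is a
    hypothetical parameter: registrable domains the administrator controls."""
    findings = []
    local_domains = set()
    flagged_domains = set()
    for addr, canon, aliases in parse_hosts(text):
        names = [canon] + aliases
        if addr.is_loopback:
            # Loopback must resolve to localhost and to nothing routable.
            if not any("localhost" in n for n in names):
                findings.append(f"{addr}: loopback line does not name localhost")
            for n in names:
                if "." in n and n != "localhost.localdomain":
                    findings.append(f"{addr}: '{n}' is a domain name mapped to loopback; keep it off the localhost line")
            continue
        if addr.version != 4 or not addr.is_private:
            continue        # the IPv6 link-local/multicast boilerplate is left alone
        if "." not in canon:
            findings.append(f"{addr}: '{canon}' has no domain; use host.<localdomain> then the short alias")
            continue
        host, domain = canon.split(".", 1)
        if host not in aliases:
            findings.append(f"{addr}: short alias '{host}' missing after '{canon}'")
        local_domains.add(domain)
        # A dotted domain (shaw.ca, yi.org) is routable on the Internet; unless
        # you own it, a resolver misconfiguration sends traffic to its owner.
        # A dotless label such as 'petershouse' can never be routed.
        if "." in domain and domain not in owned_domains and domain not in flagged_domains:
            flagged_domains.add(domain)
            findings.append(f"'{domain}' is a public domain you do not own; pick a local one")
    if len(local_domains) > 1:
        findings.append(f"more than one local domain in use: {sorted(local_domains)}")
    return findings


if __name__ == "__main__":
    for label, text in (("first", HOSTS_FIRST), ("second", HOSTS_SECOND), ("third", HOSTS_THIRD)):
        print(label, check_hosts(text) or "OK")
```

Run against the three samples, the first file draws three findings (the yi.org name on the loopback line and two hosts without a domain), the second draws one (shaw.ca, unless passed in `owned_domains`), and the third passes, which matches the sequence of corrections in the thread.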


Re: configuration of a linux router

2008-03-17 Thread peasthope
Douglas,

dt> if you don't own peasthope.yi.org, then I wouldn't use it even locally.

But I do own the machine and the name.
  
yi.org is a dynamic dns service.  Not 
already being allocated is a precondition 
to assigning peasthope.yi.org to my computer.

dt> It is a valid name.

So ... I miss your drift here.

dt> e.g.
dt> 172.23.4.1   [thisbox].[yourlocaldomain]   [thisbox]

Is [yourlocaldomain] a domain name used 
only on my private LAN?  

I understand why computers have names.
ftp curie is better than ftp 172.23.4.2.
But what is the benefit of a domain name 
for my LAN?

The revised /etc/hosts is appended.  With 
any luck it is closer to what you suggested.

Thanks,   ... Peter E.

===
.joule:~# cat /etc/hosts
# /etc/hosts file
127.0.0.1   localhost.localdomain localhost

# Private LANs at home 
172.23.4.1  joule.shaw.ca joule
172.23.4.2  curie.shaw.ca curie

172.23.5.1  joule.shaw.ca joule
172.23.5.2  heaviside.shaw.ca heaviside

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
===

Desktops.OpenDoc  http://carnot.yi.org/





configuration of a linux router

2008-03-16 Thread peasthope
Douglas & others,

dt> Now you will have three networks. ...
 ... You shouldn't have to add routes like this ...

Right oh.

dt> change this to 172.23.5.1, and change heaviside's to 172.23.5.2

The revised configuration follows.  Everything 
appears OK now.  There is no hub consuming 
power and two cables rather than three.  

Thanks for the help,   ... Peter E.


joule:~# cat /etc/hosts
# /etc/hosts file
127.0.0.1   peasthope.yi.org   joule   localhost

# Private LANs at home
172.23.4.2  curie
172.23.5.2  heaviside

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

joule:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

auto lo eth0 eth1 eth2
# The loopback network interface
iface lo inet loopback

# The primary network interface
iface eth0 inet dhcp

# The interface to curie
iface eth1 inet static
address   172.23.4.1
netmask   255.255.255.0

# The interface to heaviside
iface eth2 inet static
address   172.23.5.1
netmask   255.255.255.0

joule:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.23.5.0      *               255.255.255.0   U         0 0          0 eth2
172.23.4.0      *               255.255.255.0   U         0 0          0 eth1
24.108.32.0     *               255.255.252.0   U         0 0          0 eth0
default         24.108.32.1     0.0.0.0         UG        0 0          0 eth0



Desktops.OpenDoc  http://carnot.yi.org/





Re: configuration of a linux router

2008-03-16 Thread Douglas A. Tutty
On Sun, Mar 16, 2008 at 04:38:36PM -0700, [EMAIL PROTECTED] wrote:
> Douglas & others,
> 
> dt> Now you will have three networks. ...
> dt> ... You shouldn't have to add routes like this ...
> 
> Right oh.
> 
> dt> change this to 172.23.5.1, and change heaviside's to 172.23.5.2
> 
> The revised configuration follows.  Everything 
> appears OK now.  There is no hub consuming 
> power and two cables rather than three.  
> 
> Thanks for the help,   ... Peter E.
> 
> 
> joule:~# cat /etc/hosts
> # /etc/hosts file
> 127.0.0.1   peasthope.yi.org   joule   localhost
              ^^^^^^^^^^^^^^^^
this should be: localhost.localdomain   localhost

if you don't own peasthope.yi.org, then I wouldn't use it even locally.
It is a valid name.

Then you should have entries for this box on your local network domain
e.g.
172.23.4.1  [thisbox].[yourlocaldomain] [thisbox]
172.23.5.1  ditto

Then ensure either that these entries are duplicated on currie and
heaviside or run dnsmasq on this box.

> # Private LANs at home
> 172.23.4.2  curie
try 172.23.4.2  curie.[yourlocaldomain]   curie
> 172.23.5.2  heaviside
ditto

In short, it's always helpful to have a local domain name, especially for
handling email.

The rest looks fine, I'm glad it works.

Doug.

 





Re: configuration of a linux router

2008-03-03 Thread Andrei Popescu
On Sun, Mar 02, 2008 at 02:40:22PM -0700, [EMAIL PROTECTED] wrote:
> Folk,
> 
> My LAN has a Debian router, joule, and two subordinate 
> machines, curie and heaviside.  The three connect to an 
> old Linksys 10Base-T hub.  joule connects to a 
> cable modem through a second NIC and runs 
> ipmasq.
> 
> Currently I want to add a third NIC to joule, 
> remove the hub and connect each of curie and heaviside 
> to a NIC in joule using a crossover cable.
> All appears OK except that curie and heaviside fail to 
> communicate with each other.

To my inexperienced ear it sounds like you want bridging. Shorewall 
should be able to do it.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)




configuration of a linux router

2008-03-02 Thread peasthope
Folk,

My LAN has a Debian router, joule, and two subordinate 
machines, curie and heaviside.  The three connect to an 
old Linksys 10Base-T hub.  joule connects to a 
cable modem through a second NIC and runs 
ipmasq.

Currently I want to add a third NIC to joule, 
remove the hub and connect each of curie and heaviside 
to a NIC in joule using a crossover cable.
All appears OK except that curie and heaviside fail to 
communicate with each other.

The output of cat /etc/network/interfaces 
and netstat -r follow.  

Thanks for any ideas,   ... Peter E.

joule:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

auto lo eth0 eth1 eth2
# The loopback network interface
iface lo inet loopback

# The primary network interface
iface eth0 inet dhcp
#iface eth0 inet static
#   address   137.82.26.91
#   netmask   255.255.255.0
#   gateway   137.82.26.254

# The interface to curie
iface eth1 inet static
address   172.23.4.1
netmask   255.255.255.0
up  route add -host 172.23.4.4 dev $IFACE
down route del -host 172.23.4.4 dev $IFACE

# The interface to heaviside
iface eth2 inet static
address   172.23.4.1
netmask   255.255.255.0
up  route add -host 172.23.4.3 dev $IFACE
down route del -host 172.23.4.3 dev $IFACE

joule:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags   MSS Window  irtt Iface
heaviside   *   255.255.255.255 UH0 0  0 eth2
curie   *   255.255.255.255 UH0 0  0 eth1
172.23.4.0  *   255.255.255.0   U 0 0  0 eth1
172.23.4.0  *   255.255.255.0   U 0 0  0 eth2
24.108.32.0 *   255.255.252.0   U 0 0  0 eth0
default 24.108.32.1 0.0.0.0 UG0 0  0 eth0


Desktops.OpenDoc  http://carnot.yi.org/





Re: configuration of a linux router

2008-03-02 Thread Douglas A. Tutty
On Sun, Mar 02, 2008 at 02:40:22PM -0700, [EMAIL PROTECTED] wrote:
> My LAN has a Debian router, joule, and two subordinate 
> machines, curie and heaviside.  The three connect to an 
> old Linksys 10Base-T hub.  joule connects to a 
> cable modem through a second NIC and runs 
> ipmasq.
> 
> Currently I want to add a third NIC to joule, 
> remove the hub and connect each of curie and heaviside 
> to a NIC in joule using a crossover cable.
> All appears OK except that curie and heaviside fail to 
> communicate with each other.

Now you will have three networks.  The first, from joule to the cable
modem, a second from joule to curie, and a third from joule to
heaviside.

> The output of cat /etc/network/interfaces 
> and netstat -r follow.  
> 
> Thanks for any ideas,   ... Peter E.
> 
> joule:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
> 
> auto lo eth0 eth1 eth2
> # The loopback network interface
> iface lo inet loopback
> 
> # The primary network interface
> iface eth0 inet dhcp
> #iface eth0 inet static
> 
> # The interface to curie
> iface eth1 inet static
>   address   172.23.4.1
Is curie 172.23.4.2?
>   netmask   255.255.255.0
>   up  route add -host 172.23.4.4 dev $IFACE
>   down route del -host 172.23.4.4 dev $IFACE
You shouldn't have to add routes like this.
> 
> # The interface to heaviside
> iface eth2 inet static
>   address   172.23.4.1
change this to 172.23.5.1, and change heaviside's to 172.23.5.2
>   netmask   255.255.255.0
>   up  route add -host 172.23.4.3 dev $IFACE
>   down route del -host 172.23.4.3 dev $IFACE
You shouldn't have to add routes like this.
> 
> joule:~# netstat -r
> Kernel IP routing table
> Destination Gateway Genmask Flags   MSS Window  irtt Iface
> heaviside   *   255.255.255.255 UH0 0  0 eth2
> curie   *   255.255.255.255 UH0 0  0 eth1
> 172.23.4.0  *   255.255.255.0   U 0 0  0 eth1
> 172.23.4.0  *   255.255.255.0   U 0 0  0 eth2
> 24.108.32.0 *   255.255.252.0   U 0 0  0 eth0
> default 24.108.32.1 0.0.0.0 UG0 0  0 eth0


The problem is that you have two separate network segments but haven't
made that clear to the system.  Joule is triple-homed and so needs three
IPs.  /etc/hosts will have to reflect this appropriately on all three
boxes, too.

Doug.
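An added check for the fault Doug describes, not code from the thread: it parses ifupdown static stanzas (constructed samples modelled on joule's two configurations), lists the connected routes they would hand the kernel, and flags NICs that share an address or an overlapping subnet.

```python
"""Check an ifupdown /etc/network/interfaces for the mistake in this thread:
two NICs given the same address and netmask. The kernel then installs two
identical connected routes (the duplicate 172.23.4.0 lines in netstat -r),
and hosts on the two cables cannot reach each other through the router."""
import ipaddress
import re

# Constructed sample modelled on joule's first configuration from the thread.
BROKEN_INTERFACES = """\
auto lo eth0 eth1 eth2
iface lo inet loopback

# The primary network interface
iface eth0 inet dhcp

# The interface to curie
iface eth1 inet static
    address   172.23.4.1
    netmask   255.255.255.0

# The interface to heaviside
iface eth2 inet static
    address   172.23.4.1
    netmask   255.255.255.0
"""

# Constructed sample modelled on the revised configuration: one subnet per NIC.
FIXED_INTERFACES = BROKEN_INTERFACES.replace(
    "iface eth2 inet static\n    address   172.23.4.1",
    "iface eth2 inet static\n    address   172.23.5.1")


def parse_static_ifaces(text):
    """Return {name: IPv4Interface} for every 'iface ... inet static' stanza
    that carries both an address and a netmask. Other stanzas are ignored."""
    ifaces = {}
    name = None
    fields = {}

    def flush():
        # Reads the enclosing function's current stanza when called.
        if name and "address" in fields and "netmask" in fields:
            ifaces[name] = ipaddress.IPv4Interface(
                f"{fields['address']}/{fields['netmask']}")

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            flush()
            name = m.group(1) if m.group(2) == "static" else None
            fields = {}
            continue
        key, _, value = line.partition(" ")
        if name and key in ("address", "netmask"):
            fields[key] = value.strip()
    flush()
    return ifaces


def connected_routes(ifaces):
    """The connected routes ifupdown would give the kernel, as (network, iface)."""
    return sorted((str(i.network), n) for n, i in ifaces.items())


def find_conflicts(ifaces):
    """Pairs of interfaces whose addressing collides, with the reason."""
    conflicts = []
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ia, ib = ifaces[a], ifaces[b]
            if ia.ip == ib.ip:
                conflicts.append((a, b, f"same address {ia.ip}"))
            elif ia.network.overlaps(ib.network):
                conflicts.append(
                    (a, b, f"overlapping subnets {ia.network} and {ib.network}"))
    return conflicts


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_INTERFACES), ("fixed", FIXED_INTERFACES)):
        ifaces = parse_static_ifaces(text)
        print(label, connected_routes(ifaces), find_conflicts(ifaces) or "OK")
```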





Re: forwarding _versus_ domain name service on a Linux router

2007-12-09 Thread Andrei Popescu
On Sat, Dec 08, 2007 at 08:52:54PM -0800, PETER EASTHOPE wrote:
> Folk,
> 
> A system, connected to the 'net by a telephone modem, 
> is configured to be a router providing a network connection 
> to one Windows system and also to be a workstation.
> 
> Which is the lesser of evils: running a dns for one client 
> or forwarding name requests over the slow connection?

Maybe dnsmasq is what you need.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)




forwarding _versus_ domain name service on a Linux router

2007-12-08 Thread PETER EASTHOPE
Folk,

A system, connected to the 'net by a telephone modem, 
is configured to be a router providing a network connection 
to one Windows system and also to be a workstation.

Which is the lesser of evils: running a dns for one client 
or forwarding name requests over the slow connection?

Thanks,   ... Peter E.

http://carnot.yi.org/ 





Re: Linux Router

2006-06-25 Thread Christian Schmidt
Hello Mathias,

Mathias Kruemmel, 25.06.2006 (d.m.y):

> The router as well as the clients can ping their own IP. Apart from
> the fact that one machine is supposed to act as a router, it must surely
> be possible for the machines (192.168.20.1 and 192.168.20.2) in the same
> network to ping each other. I don't have a firewall active. If I install
> only 2 network cards instead of the current three, it works. Could it be
> that the cards in my router are perhaps clashing?

Both the router and the clients must, however, know via which route
or which interface they can reach the other IP subnets.
IMO that is where you should start.

Regards,
Christian Schmidt

-- 
Whoever says A will also say ouch.
-- Zarko Petan




Linux Router

2006-06-24 Thread Mathias Kruemmel

Hello folks,

I want to build a router that connects the networks 192.168.20.0,
192.168.21.0 and 192.168.22.0. To do that I have put three network cards
into my Linux machine and filled in the interfaces in
/etc/network/interfaces with IP addresses and all the other values.
I gave the three cards the first IP of each respective network
(i.e. 192.168.20.1, 21.1 and 22.1). Then, with


echo 1 > /proc/sys/net/ipv4/ip_forward

I switched routing on.

An ifconfig showed me all devices with the corresponding IP addresses.

The problem I now have is that the address 192.168.20.1 (router)
cannot ping the client 192.168.20.2.


When I tried the whole scenario with only 2 networks, i.e. 2 network
cards, pinging and routing between these two networks (192.168.20.0
and 192.168.21.0) worked.


Is this scenario with three network cards, i.e. connecting the three
different networks via the router, possible at all?


Thanks for your answers

--
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/


To UNSUBSCRIBE send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)



Re: Linux Router

2006-06-24 Thread Richard Mittendorfer
Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006
23:35:17 +0200):
> Hello folks,

'evening

> I want to build a router that connects the networks 192.168.20.0,
> 192.168.21.0 and 192.168.22.0. To do that I have put three network cards
> into my Linux machine and filled in the interfaces in
> /etc/network/interfaces with IP addresses and all the other values.
> I gave the three cards the first IP of each respective network
> (i.e. 192.168.20.1, 21.1 and 22.1). Then, with
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward hopefully yields 1. :-)

> I switched routing on.

What does # route -n or # ip route show say?

> An ifconfig showed me all devices with the corresponding IP addresses.

OK. Any errors, collisions?

> The problem I now have is that the address 192.168.20.1

Firewall active? Can you ping your own interface?

> (router) cannot ping the client 192.168.20.2.

Has the client perhaps switched off ICMP ECHO reply? Who/what is
the client?

Capture the network traffic with tcpdump/(t)ethereal and see where the
packets are flying...

> When I tried the whole scenario with only 2 networks, i.e. 2 network
> cards, pinging and routing between these two networks (192.168.20.0
> and 192.168.21.0) worked.
> 
> Is this scenario with three network cards, i.e. connecting the three
> different networks via the router, possible at all?

Of course.

sl ritch



Re: Linux Router

2006-06-24 Thread Thorsten Haude
Hi,

* Mathias Kruemmel wrote (2006-06-24 23:35):
> I want to build a router that connects the networks 192.168.20.0,
> 192.168.21.0 and 192.168.22.0.

I'll assume /24.


> An ifconfig showed me all devices with the corresponding IP addresses.

What does the routing table look like?


> The problem I now have is that the address 192.168.20.1 (router)
> cannot ping the client 192.168.20.2.

Does a ping into the other networks work? Does a ping from another
host in 192.168.20.0 work?


> Is this scenario with three network cards, i.e. connecting the three
> different networks via the router, possible at all?

Sure.


Thorsten
-- 
It is exactly because markets are amoral that we cannot
leave the allocation of resources entirely to them.
- George Soros




Re: Linux Router

2006-06-24 Thread Mathias Kruemmel

The router as well as the clients can ping their own IP. Apart from
the fact that one machine is supposed to act as a router, it must surely
be possible for the machines (192.168.20.1 and 192.168.20.2) in the same
network to ping each other. I don't have a firewall active. If I install
only 2 network cards instead of the current three, it works. Could it be
that the cards in my router are perhaps clashing?






Re: Linux Router

2006-06-24 Thread Thorsten Haude
Hi,

* Mathias Kruemmel wrote (2006-06-25 00:04):
> The router as well as the clients can ping their own IP.

OK. What about the other questions?


> Apart from the fact that one machine is supposed to act as a router, it
> must surely be possible for the machines (192.168.20.1 and 192.168.20.2)
> in the same network to ping each other. I don't have a firewall active.
> If I install only 2 network cards instead of the current three, it
> works.

We know that already.


> Could it be that the cards in my router are perhaps clashing?

Yes.


Thorsten
-- 
Necessity is the plea for every infringement of human freedom.
It is the argument of tyrants; it is the creed of slaves.
- William Pitt




Re: Linux Router

2006-06-24 Thread Mathias Kruemmel

False alarm!

I tried the whole thing on a VMware platform and mixed up the
devices in the settings there. Sorry, and thanks again for
your efforts






Re: Elsterformular und Linux-Router

2005-04-20 Thread Thomas Reiss
Hello Thomas Antepoth, 
 
[...]
> In its current version Elster needs a direct connection to the Elster
> server, and therefore SQUID as a proxy does not work together with ELSTER.

Right, I had the same problem at work.

[...]
 
> > Has anyone ever got something like this working?
> 
> No. But you should double-check with a call to the Elster hotline[1].
> 12 weeks is a long time and something may well have happened in the
> meantime.
 

Yes.
Something has happened.
As a previous poster already wrote, there is a piece of Java software
that creates an HTTP tunnel or is used as a proxy.
Details can be found on the elster.de homepage.

Regards
Thomas





Re: Elsterformular und Linux-Router

2005-04-13 Thread Werner Opriel
Problem solved!
I had a path MTU discovery problem.
The rules shown are OK as far as they go. As one can see, the
connection is established and the first data packets are exchanged, but
from a certain point on the connection breaks off.
Here an overly strict ICMP rule (not shown) meant that the
communication about packet size, i.e. fragmentation-needed, did not
take place. :-(
The consequence was a timeout on the client side.
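An added example, not the poster's code: a detector for the black-hole signature in the capture (run over a constructed packet list modelled on it), the doubling retransmission gaps that separate silent loss from a congestion signal, and the ICMP rule that lets path MTU discovery work again (constructed form, since the offending rule itself was not posted).

```python
"""Flag a PMTU black hole in an ethereal/tshark-style packet list.
Signature from the thread: small segments are ACKed, the first full-size
segment (Len=1460) is retransmitted with doubling backoff and the peer's Ack
never passes its Seq, because a too-strict firewall rule dropped the ICMP
"fragmentation needed" message that tells the sender to shrink its segments."""
import re

# Constructed sample modelled on the capture posted in the thread
# (client 192.168.10.1:1057 -> Elster server 193.109.238.27:8000).
CAPTURE = """\
 4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
 4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
 4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
 4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
 5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
 7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
"""

LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?:\[TCP (?P<note>[^\]]*)\]\s+)?(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+"
    r"\[(?P<flags>[^\]]*)\].*?Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+).*?Len=(?P<len>\d+)")


def parse_capture(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["t"] = float(p["t"])
        for key in ("sport", "dport", "seq", "ack", "len"):
            p[key] = int(p[key])
        pkts.append(p)
    return pkts


def retransmission_gaps(pkts, src, seq, length):
    """Intervals between successive transmissions of one segment."""
    times = [p["t"] for p in pkts
             if p["src"] == src and p["seq"] == seq and p["len"] == length]
    return [b - a for a, b in zip(times, times[1:])]


def is_exponential_backoff(gaps, tolerance=0.2):
    """True when each gap is about twice the previous one (RTO doubling):
    the sender is getting no feedback at all, not a congestion signal."""
    return len(gaps) >= 2 and all(
        abs(b / a - 2.0) <= 2.0 * tolerance for a, b in zip(gaps, gaps[1:]))


def find_blackholed_segments(pkts, min_len=1000, min_retries=3):
    """Return (src, dst, seq, len, sends, peer_max_ack) for large segments sent
    >= min_retries times while the peer's highest Ack stayed at or below their
    Seq, although a smaller segment of the same flow was acknowledged: the
    path is dropping big packets silently."""
    peer_max_ack = {}               # (src, dst) -> highest Ack that src sent to dst
    for p in pkts:
        k = (p["src"], p["dst"])
        peer_max_ack[k] = max(peer_max_ack.get(k, 0), p["ack"])
    sends = {}                      # (src, dst, seq, len) -> number of transmissions
    for p in pkts:
        if p["len"] >= min_len:
            k = (p["src"], p["dst"], p["seq"], p["len"])
            sends[k] = sends.get(k, 0) + 1
    found = []
    for (src, dst, seq, length), n in sends.items():
        acked = peer_max_ack.get((dst, src), 0)
        small_ok = any(p["src"] == src and p["dst"] == dst
                       and 0 < p["len"] < min_len and p["seq"] + p["len"] <= acked
                       for p in pkts)
        if n >= min_retries and acked <= seq and small_ok:
            found.append((src, dst, seq, length, n, acked))
    return found


# The remedy from the thread as iptables rules (constructed form; the poster's
# own over-strict ICMP rule was not shown). They must precede any rule that
# drops ICMP wholesale, or the black hole comes back.
PMTUD_RULES = [
    "iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT",
    "iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT",
]

if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    for src, dst, seq, length, n, acked in find_blackholed_segments(pkts):
        gaps = retransmission_gaps(pkts, src, seq, length)
        print(f"{src}->{dst} Seq={seq} Len={length} sent {n}x, peer Ack stuck at "
              f"{acked}, doubling backoff: {is_exponential_backoff(gaps)}")
```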





Re: Elsterformular und Linux-Router

2005-04-12 Thread Werner Opriel
I am also trying to establish the Elster data transfer through a Linux router
from an internal network. The LAN is separated from the Internet by a DMZ.
For the reasons described above, the DMZ proxy is not involved here,
so the Elster servers are addressed directly.
Note:
For a short while now there has been an HTTP tunnel (requires Java Web Start) at:
https://www.elster.de/elfo_tunnel.php?tunnelversion=1.0.0
with which Squid is supposedly also supposed to work.

The following rules are meant to allow a client from the internal network
direct contact with one of the Elster servers:

# Router LAN -- DMZ
# ---

ELSTER_PORT=8000
ELSTER_SERV="62.157.211.58 62.157.211.59 62.157.211.60 \
193.109.238.26 193.109.238.27 213.182.157.66"

# allow requests to the external Elster servers on the Elster port
for EP in $ELSTER_SERV
do
 $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS -d $EP \
 --dport $ELSTER_PORT -m state --state NEW,ESTABLISHED,RELATED \
 -o $DMZ_IF -i $LAN_IF -j ACCEPT
done

# allow incoming packets from the Elster servers that belong to
# existing connections (return channel)
for EP in $ELSTER_SERV
do
 $IPTABLES -A FORWARD -i $DMZ_IF -o $LAN_IF -s $EP \
 -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Router DMZ -- Internet
# ---

# the Elsterformular upload servers and the corresponding port
ELSTER_SERVER=(62.157.211.58 \
62.157.211.59 \
62.157.211.60 \
193.109.238.26 \
193.109.238.27 \
213.182.157.66)
ELSTER_PORT=8000

# Source NAT -- (SNAT/Masquerading)
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# allow requests (TCP) with destination port 8000
# for access to the Elster servers

for ES in ${ELSTER_SERVER[*]}
do
 $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS \
 --dport $ELSTER_PORT -o $EXT_IF -i $DMZ_IF -d $ES \
 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

# explicitly allow replies (return channel) from the Elster servers

for ES in ${ELSTER_SERVER[*]}
do
 $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -s $ES \
 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#-

The connection is established, but after a short while it breaks off with
a timeout. A tcpdump shows the following:
...
  4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
  4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
  4.887251 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8573 Ack=2855 Win=7667 Len=596
  4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
  4.892614 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#2] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
  4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
  4.952832 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#3] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
  4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
  5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
  7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
 11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
 18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
 32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460

Any idea where it is pinching here?





Re: Elsterformular und Linux-Router

2005-04-12 Thread Matthias Houdek
Am Dienstag, 12. April 2005 09:14 schrieb Werner Opriel:
 Ich versuche die Elsterdatenuebertragung ebenfalls ueber Linux Router
 aus einem internen Netz herzustellen. Das LAN ist dabei durch eine
 DMZ vom Internet getrennt. Der DMZ-Proxy ist aus den oben
 beschriebenen Gruenden hier nicht im Spiel, die Elster Server werden
 also direkt angesprochen. Hinweis:
 Seit kurzer Zeit gibt es einen HTTP_Tunnel (benoetigt Java Webstart)
 unter: https://www.elster.de/elfo_tunnel.php?tunnelversion=1.0.0
 mit dem angeblich auch Squid funktionieren soll.

If it is HTTP(S), then Squid works too. Which data is ultimately carried over 
the protocol no longer matters.

> The following rules are meant to enable direct contact from a client on
> the internal network to one of the Elster servers:
>
> # Router LAN -- DMZ
> # ---
>
> ELSTER_PORT=8000
> ELSTER_SERV="62.157.211.58 62.157.211.59 62.157.211.60 \
> 193.109.238.26 193.109.238.27 213.182.157.66"
>
> # allow requests to the external Elster servers on the Elster port
> for EP in $ELSTER_SERV
> do
>  $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS -d $EP \
>  --dport $ELSTER_PORT -m state --state NEW,ESTABLISHED,RELATED \
>  -o $DMZ_IF -i $LAN_IF -j ACCEPT
> done

Noting that the variables $UNPRIVPORTS, $DMZ_IF and $LAN_IF have to be set 
accordingly on your side. 

> # allow incoming packets from the Elster servers that belong to
> # existing connections (return path)
> for EP in $ELSTER_SERV
> do
>  $IPTABLES -A FORWARD -i $DMZ_IF -o $LAN_IF -s $EP \
>  -m state --state ESTABLISHED,RELATED -j ACCEPT
> done

Why not both in one loop?

> # Router DMZ -- Internet
> # ---

OK, this should be the interesting part for the OP:

> # the Elsterformular upload servers and the port that goes with them
> ELSTER_SERVER=(62.157.211.58 \
> 62.157.211.59 \
> 62.157.211.60 \
> 193.109.238.26 \
> 193.109.238.27 \
> 213.182.157.66)
> ELSTER_PORT=8000
>
> # Source NAT -- (SNAT/Masquerading)
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

With $EXT_IF = the Internet interface.

> # Enable IP Forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # allow requests (TCP) with destination port 8000
> # for access to the Elster servers
>
> for ES in ${ELSTER_SERVER[*]}
> do
>  $IPTABLES -A FORWARD -p TCP --sport $UNPRIVPORTS \
>  --dport $ELSTER_PORT -o $EXT_IF -i $DMZ_IF -d $ES \
>  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> done
>
> # explicitly allow replies (return path) from the Elster servers
>
> for ES in ${ELSTER_SERVER[*]}
> do
>  $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -s $ES \
>  -m state --state ESTABLISHED,RELATED -j ACCEPT
> done
> #

Remarks: see above.


> The connection does get established, but aborts after a short time with
> a timeout. A tcpdump shows the following:
> ...
>   4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
>   4.886292 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
>   4.887251 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8573 Ack=2855 Win=7667 Len=596
>   4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
>   4.892614 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#2] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
>   4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
>   4.952832 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#3] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
>   4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
>   5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
>   7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
>  11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
>  18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
>  32.861325 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460

No TCP connection gets established in the first place. Run a sniffer on both 
gateways to see what goes in and out where.

-- 
Regards
MaxX

Please note: this mail address only accepts list mail.
For private mail, please swap the recipient for the name in the sig.
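
The capture quoted above shows the 271-, 596- and 610-byte segments being acknowledged while the 1460-byte segment at Seq=3875 is retransmitted five times with growing backoff and never acknowledged. The following awk-based helper is an added example, not part of the thread: it reads capture lines in that same text format and reports segments retransmitted repeatedly whose end is never covered by the peer's ACKs, with their size, so that a stuck full-size segment can be told apart from a filter problem (when only full-size segments get stuck, the path MTU between the gateways is the first thing to check). The sample capture inside is constructed in the same format and is not the thread's own.

```shell
#!/bin/sh
# Added example, not from the thread: spot data segments that keep being
# retransmitted without the peer ever acknowledging them, from a capture in
# the text format quoted above ("time src -> dst TCP [info] sport > dport
# [flags] Seq=.. Ack=.. Win=.. Len=..", Ethereal/Wireshark relative numbers).

find_stuck_segments() {
    # reads capture lines on stdin; prints "src seq len retransmissions" for
    # each segment retransmitted at least MIN_RETX (default 2) times whose end
    # (seq+len) lies above the highest Ack the peer has sent
    awk -v min_retx="${MIN_RETX:-2}" '
    function val(name,    s) {
        # numeric value following e.g. "Seq=" in the current line, 0 if absent
        if (match($0, name "[0-9]+")) {
            s = substr($0, RSTART + length(name), RLENGTH - length(name))
            return s + 0
        }
        return 0
    }
    {
        src = $2; dst = $4
        seq = val("Seq="); ack = val("Ack="); len = val("Len=")
        # highest sequence number each host has acknowledged so far
        if (ack > maxack[src]) maxack[src] = ack
        if (len == 0) next                   # pure ACKs carry no data
        key = src SUBSEP seq
        if (!(key in size)) {                # first sighting of this segment
            order[++n] = key; size[key] = len
            from[key] = src; peer[key] = dst; start[key] = seq
        }
        if (index($0, "[TCP Retransmission]")) retx[key]++
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (retx[k] >= min_retx && maxack[peer[k]] < start[k] + size[k])
                printf "%s %d %d %d\n", from[k], start[k], size[k], retx[k]
        }
    }'
}

# Constructed sample in the same format: a 610-byte retransmission that does
# get acknowledged (Ack=3875), then a full-size 1460-byte segment retransmitted
# four times with growing backoff and never acknowledged.
SAMPLE_CAPTURE='4.828341 192.168.10.1 -> 193.109.238.27 TCP 1057 > 8000 [PSH, ACK] Seq=8302 Ack=2855 Win=7667 Len=271
4.892174 193.109.238.27 -> 192.168.10.1 TCP [TCP Dup ACK 37#1] 8000 > 1057 [ACK] Seq=2855 Ack=3265 Win=13050 Len=0
4.893559 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3265 Ack=2855 Win=7667 Len=610
4.966322 193.109.238.27 -> 192.168.10.1 TCP 8000 > 1057 [ACK] Seq=2855 Ack=3875 Win=14790 Len=0
5.773056 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
7.578914 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
11.190700 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460
18.414291 192.168.10.1 -> 193.109.238.27 TCP [TCP Retransmission] 1057 > 8000 [PSH, ACK] Seq=3875 Ack=2855 Win=7667 Len=1460'

# runs the check over the constructed sample; prints "192.168.10.1 3875 1460 4"
analyse_sample() { printf '%s\n' "$SAMPLE_CAPTURE" | find_stuck_segments; }
```

To analyse a real capture, feed its text export to the function instead: `find_stuck_segments < capture.txt`.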



Elsterformular and Linux router

2005-04-11 Thread Kersten Tams
hi,
I'm almost at my wits' end...
I have a Win-ME client attached to a Debian server (kernel 2.4).
The network works, and I can get onto the Internet with it too. Now I want (have)
to send my tax return to the tax office from the Windows PC. The help for
the Elster program says I should set up a gateway that maps port 4000 to
port 8000 at the IP 62.157.211.58 (and 5 more).
I have squid running here, but I can't find where and how I have to set that
in squid.conf. I've already tried 1000 things, but nothing works. Google isn't
very productive either. 
Has anyone got something like this to work?
Grateful for any hint.
Regards, Kersten Tams


-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)



Re: Elsterformular and Linux router

2005-04-11 Thread Andreas Kretschmer
Kersten Tams [EMAIL PROTECTED] wrote:
> I have squid running here, but I can't find where and how I have to set that
> in squid.conf. I've already tried 1000 things, but nothing works. Google isn't
> very productive either. 
> Has anyone got something like this to work?

I have, at work.

IMHO that won't work with Squid; you need iptables to do IP masquerading.
I hope that's enough for you. Otherwise ask again.



Andreas
-- 
This message was created with the kind support of a free-range penguin from
species-appropriate outdoor husbandry.   It is guaranteed free of
Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)





Re: Elsterformular and Linux router

2005-04-11 Thread Thomas Antepoth
On Mon, 11 Apr 2005, Kersten Tams wrote:


> I have a Win-ME client attached to a Debian server (kernel 2.4).
> The network works, and I can get onto the Internet with it too. Now I want (have)
> to send my tax return to the tax office from the Windows PC. The help for
> the Elster program says I should set up a gateway that maps port 4000 to
> port 8000 at the IP 62.157.211.58 (and 5 more).

In its current version Elster needs a direct connection to the Elster 
server, and so SQUID as a proxy does not work together with ELSTER.

That was what the Elster hotline said about 12 weeks ago. At the same time 
the helpdesk employee said that quite a lot of enquiries about proxies and 
Elster were coming in, and that the chances were therefore quite good that 
one of the coming versions would work with proxy support.


> Has anyone got something like this to work?

No. But you should double-check with a call to the Elster hotline[1]. 
12 weeks is a long time, and something may well have happened in the 
meantime.


t++

[1] https://www.elster.de/hotline.php

Re: Elsterformular and Linux router

2005-04-11 Thread Matthias Houdek
On Monday, 11 April 2005 17:47, Kersten Tams wrote:
> hi,
> I'm almost at my wits' end...
> I have a Win-ME client attached to a Debian server (kernel 2.4).
> The network works, and I can get onto the Internet with it too. Now I
> want (have) to send my tax return to the tax office from the Windows
> PC. The help for the Elster program says I should set up a gateway
> that maps port 4000 to port 8000 at the IP 62.157.211.58 (and 5
> more).
> I have squid running here, but I can't find where and how I have to
> set that in squid.conf. 

That won't work that way either. 

Squid is an HTTP and (to a limited extent) FTP proxy (= stand-in). 
Put simply, that means it represents the requesting client towards the 
requested HTTP server, and so gets the pages sent to it, and on the other 
side it pretends to be the requested HTTP server towards the requesting 
client. 

The Elster program evidently does not run over HTTP, though. So Squid 
can't do anything here either. You therefore need either an HTTP tunnel 
through Squid (on your side you could surely install something suitable, 
but you will lack the other end of the tunnel on the Internet), or you 
have to enable IP forwarding and masquerading on the Linux box. Then, of 
course, appropriate firewall rules that only open the relevant ports for 
the IP addresses concerned make sense -- iptables.

-- 
Regards
MaxX

Please note: this mail address only accepts list mail.
For private mail, please swap the recipient for the name in the sig.



Re: Elsterformular and Linux router

2005-04-11 Thread Kersten Tams
Andreas Kretschmer wrote:

> [...]
> > Has anyone got something like this to work?
> 
> I have, at work.
> 
> IMHO that won't work with Squid; you need iptables to do IP masquerading.
> I hope that's enough for you. Otherwise ask again.
> 
hi,
I hereby do ;-)
I just tried to set something up with webmin. Honestly, I didn't quite
understand it. 
What is prerouting and postrouting, and where do I now have to enter the
ports and IPs? I do have a vague idea, but I don't want to completely wreck
anything either.
Can you give me a few tips on what I have to set where? There are so many
additional parameters that I can no longer see through it at all.
Normally I would read up on it at leisure and keep trying until it runs
(that's how I've done it so far), but at the moment the tax office is waiting
for my return, and they are not squeamish with penalty fees, so I don't have
time for this hard way.
I hope for a little understanding if I ask for a small example :-)
Regards, Kersten





Re: Elsterformular and Linux router

2005-04-11 Thread Andreas Kretschmer
Kersten Tams [EMAIL PROTECTED] wrote:

> Andreas Kretschmer wrote:
> 
> [...]
> > > Has anyone got something like this to work?
> > 
> > I have, at work.
> > 
> > IMHO that won't work with Squid; you need iptables to do IP masquerading.
> > I hope that's enough for you. Otherwise ask again.
> > 
> hi,
> I hereby do ;-)
> I just tried to set something up with webmin. Honestly, I didn't quite
> understand it. 

http://netfilter.org


> What is prerouting and postrouting, and where do I now have to enter the
> ports and IPs? I do have a vague idea, but I don't want to completely wreck
> anything either.

 iptables -t nat -A POSTROUTING -s client -j MASQUERADE

With that, your gateway does IP masquerading for the client. For this,
though, the Linux kernel also has to work as a router:

echo 1 > /proc/sys/net/ipv4/ip_forward


If you have _no_ further iptables rules, that is already enough. Bear in
mind, however, that this gives the client full access to the Internet -
which one normally does not want as an admin. That can be restricted:

 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -p TCP -s client --dport 8000 -j ACCEPT
 iptables -A FORWARD -p TCP -s client -j REJECT --reject-with tcp-reset
 iptables -A FORWARD -s client -j REJECT --reject-with icmp-port-unreachable

One could also specify the permitted IP addresses of the 6 servers in the
2nd rule. On the client you still have to set a default route (or host
routes to the 6 servers).


> Can you give me a few tips on what I have to set where? There are so many

Read the iptables documentation. If self-promotion is permitted:
http://www.linuxinfotag.de/7/detail/7


> additional parameters that I can no longer see through it at all.

It is worse at first glance than at second ;-)


-- 
This message was created with the kind support of a free-range penguin from
species-appropriate outdoor husbandry.   It is guaranteed free of
Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)


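
The FORWARD and NAT rules from the two replies above (MaxX's LAN/DMZ script and Andreas's four-rule version) folded into one dry-run script, as an added example that is not from either poster: the state match covers the return direction of every connection, new connections are limited to the six Elster servers on port 8000, everything else from the client is refused, and forwarding is switched on only after the filter is loaded. The interface names, the client address and the IPTABLES=echo default are assumptions; set IPTABLES=/sbin/iptables to load the rules on a real gateway.

```shell
#!/bin/sh
# Added example, not from the thread: the rule sets from MaxX's LAN/DMZ script
# and Andreas's four-rule reply combined into one function. IPTABLES defaults
# to "echo" so the rules are only printed; export IPTABLES=/sbin/iptables to
# load them on a real gateway.
IPTABLES="${IPTABLES:-echo}"

LAN_IF="${LAN_IF:-eth1}"            # assumed name of the interface facing the client
EXT_IF="${EXT_IF:-ppp0}"            # assumed name of the Internet-facing interface
CLIENT="${CLIENT:-192.168.10.2}"    # constructed sample address of the Windows client
ELSTER_PORT=8000
# the six Elster upload servers named in the thread
ELSTER_SERVERS="62.157.211.58 62.157.211.59 62.157.211.60 \
193.109.238.26 193.109.238.27 213.182.157.66"

elster_rules() {
    # 1. replies to already tracked connections: this single rule is the
    #    "return path" of both loops in MaxX's script
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. new connections from the client, only to the six servers on port 8000
    for es in $ELSTER_SERVERS; do
        $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p tcp -s "$CLIENT" \
            -d "$es" --dport "$ELSTER_PORT" -m state --state NEW -j ACCEPT
    done

    # 3. anything else from the client is refused: TCP with a reset, the rest
    #    with ICMP port unreachable (no -p tcp on the second rule, otherwise
    #    it could never match after the reset rule)
    $IPTABLES -A FORWARD -i "$LAN_IF" -s "$CLIENT" -p tcp \
        -j REJECT --reject-with tcp-reset
    $IPTABLES -A FORWARD -i "$LAN_IF" -s "$CLIENT" \
        -j REJECT --reject-with icmp-port-unreachable

    # 4. rewrite the source address of everything leaving towards the Internet
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

apply_all() {
    elster_rules
    # forwarding is switched on last, so there is never a moment in which
    # the client is forwarded without the filter in place
    if [ "$IPTABLES" = echo ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# sanity checks on the generated rule list (meaningful in the dry run):
# one ACCEPT per server, and the catch-all REJECTs only after the ACCEPTs
count_server_rules() { elster_rules | grep -c -- '--dport 8000'; }
first_reject_line()  { elster_rules | grep -n REJECT | head -n 1 | cut -d: -f1; }
```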



Re: Linux Router

2004-12-15 Thread Ken Gilmour
Captain's Log, stardate Tue, 14 Dec 2004 12:23:08 -0600, from the fingers of 
Michael Madden came the words:
> > The main point is that there are so many things to do in Linux in
> > order to configure it for masquerading (Recompiling Kernel etc).
> > There are also so many different commands that do exactly the same
> > thing but in different ways. If a person is starting off in
> > firewalling it's not good to overwhelm them with information.
> > With OpenBSD, you simply edit stuff that's already there, for
> > example. These are the steps I would take to set up a gateway on a
> > brand newly set up OpenBSD machine:
> >
> > Uncomment the following in /etc/sysctl.conf
> >
> > net.inet.ip.forwarding=1
> > net.inet6.ip6.forwarding=1 (if using IPv6)
> >
> > Uncomment and edit this line in /etc/pf.conf (stuff in <> needs
> > to be edited, stuff in [] is optional)
> >
> > nat [pass] on <interface> [af] from <src_addr> [port <src_port>] to
> > <dst_addr> [port <dst_port>] -> <ext_addr> [<pool_type>] [static-port]
> >
> > You may then reboot the machine or just issue the following two
> > commands:
> >
> > # sysctl net.inet.ip.forwarding=1
> >
> > Or
> >
> > # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
> >
> > Then
> >
> > # pfctl -f /etc/pf.conf
> >
> > You now have a fully working NAT box.
> >
> > To perform IP forwarding uncomment the port redirect line in
> > pf.conf and modify it to your taste then issue:
> >
> > # pfctl -f /etc/pf.conf
> >
> > The default configuration for the machine has zero known security
> > holes. (have a look at www.openbsd.org for security info)
> >
> > Regards,
> >
> > Ken
>
>
> Forgive me if I'm new to the OpenBSD approach, but I've installed
> OpenBSD 3.6 on a laptop with 2 PCMCIA cards, and I cannot get any
> of my clients behind the firewall to see beyond the firewall.
>
> My two network cards are set up as:
>
> bsdrouter# ifconfig ep1
> ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:60:97:87:8b:4d
>         media: Ethernet 10baseT
>         inet 172.16.1.100 netmask 0xffff0000 broadcast 172.16.255.255
>         inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
> bsdrouter# ifconfig ep2
> ep2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:10:4b:ec:64:80
>         media: Ethernet 10baseT
>         inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
>         inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6
>
> I've got IP forwarding enabled:
>
> bsdrouter# cat /etc/sysctl.conf
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
>
> Finally I've set up pf.conf:
>
> bsdrouter# cat /etc/pf.conf
> f=ep1
> int_if=ep2
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> I rebooted the machine after the above network setup, and while I'm
> on the router I can see the 192.168.3.x network, the 172.16.x.x
> network, and the internet.  But my Windows machines behind the
> firewall cannot reach beyond the firewall even though the OpenBSD
> router is set as the default gateway.  On machines on the
> 172.16.x.x network, I can reach the router at 172.16.1.100 and the
> machines behind the router (if I add a route to the 172.16.x.x
> machines).
>
> Has anyone experienced this before?
>
> Thanks,
> Mike

Hi Mike

Have you set a rule to allow the NAT to pass through the box? Simply adding 
pass to your above command should do that for you.

nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

Also, the macro for your external interface: I assume it's not really set to 
f=ep1. Was that just a couple of missed characters while copying and pasting? 
(It should read ext_if=ep1, not f=ep1.)

Here is my pf.conf from one of my firewalls if it's any help to you. You might 
want to comment out the block stuff and change the IP addresses for 
redirection etc.

# macros
int_if = fxp0
ext_if = rl0

tcp_services = { 22, 80, }
icmp_types = echoreq

priv_nets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from any to $ext_if port smtp -> 10.2.0.15
#rdr pass on $int_if proto tcp from any to $int_if port 350 -> 10.2.2.202

# filter rules
block all

pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to 10.2.0.15 port smtp
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#   port $tcp_services flags S/SA keep state

#pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Regards,

Ken




Re: Linux Router

2004-12-15 Thread Ken Gilmour
Captain's Log, stardate Tue, 14 Dec 2004 14:22:48 -0600, from the fingers of 
Michael Madden came the words:
> I figured out what was wrong with my OpenBSD 3.6 setup. I needed to
> set pf=YES in /etc/rc.conf.  I must have missed this when reading
> through the install documentation.
>
> Anyhow these are the steps that worked for me:
>
> 1.) Install OpenBSD 3.6 according to the directions at:
> http://www.openbsd.org/faq/faq4.html
>
> 2.) Add the following line to /etc/sysctl.conf:
> net.inet.ip.forwarding=1
>
> 3.) Add the following line to /etc/pf.conf: nat on ep1 from
> ep2:network to any -> (ep1)
>
> 4.) Add the following to /etc/rc.conf: pf=YES
>
> Thanks again for all the help.
>
> Thanks,
>
> Mike

Glad you got it going Mike! Sorry i didn't mention that last pf=YES comment... 
I was doing it from the top of my head. Good job figuring it out!

Thanks and Regards,

Ken Gilmour BOFH
Script Monkey
Irish Operations



Re: Linux Router

2004-12-14 Thread Michael Madden
> The main point is that there are so many things to do in Linux in order to 
> configure it for masquerading (Recompiling Kernel etc). There are also so many 
> different commands that do exactly the same thing but in different ways. If a 
> person is starting off in firewalling it's not good to overwhelm them with 
> information. With OpenBSD, you simply edit stuff that's already there, for 
> example. These are the steps I would take to set up a gateway on a brand newly 
> set up OpenBSD machine:
> 
> Uncomment the following in /etc/sysctl.conf
> 
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1 (if using IPv6)
> 
> Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, 
> stuff in [] is optional)
> 
> nat [pass] on <interface> [af] from <src_addr> [port <src_port>] to <dst_addr> 
> [port <dst_port>] -> <ext_addr> [<pool_type>] [static-port]
> 
> You may then reboot the machine or just issue the following two commands:
> 
> # sysctl net.inet.ip.forwarding=1
> 
> Or
> 
> # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
> 
> Then
> 
> # pfctl -f /etc/pf.conf
> 
> You now have a fully working NAT box.
> 
> To perform IP forwarding uncomment the port redirect line in pf.conf and 
> modify it to your taste then issue:
> 
> # pfctl -f /etc/pf.conf
> 
> The default configuration for the machine has zero known security holes. 
> (have a look at www.openbsd.org for security info)
> 
> Regards,
> 
> Ken
> 

Forgive me if I'm new to the OpenBSD approach, but I've installed OpenBSD 3.6
on a laptop with 2 PCMCIA cards, and I cannot get any of my clients behind the
firewall to see beyond the firewall.

My two network cards are set up as:

bsdrouter# ifconfig ep1
ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:60:97:87:8b:4d
        media: Ethernet 10baseT
        inet 172.16.1.100 netmask 0xffff0000 broadcast 172.16.255.255
        inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
bsdrouter# ifconfig ep2
ep2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:10:4b:ec:64:80
        media: Ethernet 10baseT
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6

I've got IP forwarding enabled:

bsdrouter# cat /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

Finally I've set up pf.conf:

bsdrouter# cat /etc/pf.conf
f=ep1
int_if=ep2
nat on $ext_if from !($ext_if) -> ($ext_if:0)

I rebooted the machine after the above network setup, and while I'm  
on the router I can see the 192.168.3.x network, the 172.16.x.x network,
and the internet.  But my Windows machines behind the firewall cannot
reach beyond the firewall even though the OpenBSD router is set as the
default gateway.  On machines on the 172.16.x.x network, I can reach the
router at 172.16.1.100 and the machines behind the router (if I add a route
to the 172.16.x.x machines). 

Has anyone experienced this before?

Thanks,
Mike


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: Linux Router

2004-12-14 Thread Michael Madden
I figured out what was wrong with my OpenBSD 3.6 setup.
I needed to set pf=YES in /etc/rc.conf.  I must have
missed this when reading through the install documentation.
Anyhow these are the steps that worked for me:
1.) Install OpenBSD 3.6 according to the directions at:
http://www.openbsd.org/faq/faq4.html
2.) Add the following line to /etc/sysctl.conf:
net.inet.ip.forwarding=1
3.) Add the following line to /etc/pf.conf:
nat on ep1 from ep2:network to any -> (ep1)
4.) Add the following to /etc/rc.conf:
pf=YES
Thanks again for all the help.
Thanks,
Mike


Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of 
Michael Madden came the words:
> Does anyone know of a decent Linux based router project out there?
> In the past I've used LRP (http://www.linuxrouter.org), but it
> looks like the project isn't maintained anymore.
>
> My requirements are pretty simple.  I want to route traffic from
> network A to network B and route traffic from network B to A.  I
> don't need firewalling, but would like IP forwarding and NAT.  Any
> recommendations?

Linux is capable of routing almost by default. All you need are two interfaces 
and Linux. You can use iptables (or ipchains if you're using an old distro) to 
do this. Personally I prefer OpenBSD to do this because it's very compact etc., 
but I've also used Debian Woody to do the same task.

The only problem I have with Linux's iptables as opposed to OpenBSD's PF is 
that iptables has an overwhelming amount of stuff it can do and you can easily 
break it. But it is, however, much more configurable. You can set them to just 
allow everything through and use NAT and IP Forwarding in the process.

HTH

Regards,

Ken




RE: Linux Router

2004-12-13 Thread Croy, Nathan

> From: Michael Madden [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 13, 2004 5:31 PM
> 
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

(maybe this time i'll reply to the list ;-)

I've never used it, but CoyoteLinux [1] appears to be active.
It even has a Windows based Wizard, if you are so inclined.

[1] http://www.coyotelinux.com/products.php?Product=coyote





Re: Linux Router

2004-12-13 Thread Ron Johnson
On Mon, 2004-12-13 at 17:31 -0600, Michael Madden wrote:
> Alex Barylo wrote:
[snip]
> 
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

floppyfw does the trick.

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

The United States is not a nation to which peace is a
necessity.
Grover Cleveland





Re: Linux Router

2004-12-13 Thread Joao Clemente
Croy, Nathan wrote:
> > From: Michael Madden [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 13, 2004 5:31 PM
> > Thanks for all the advice.  I guess something like
> > LRP appealed to me more since it was floppy based
> > and didn't require setting up a distro with many
> > unneeded utilities. Does anyone know of an active
> > floppy based firewall (Linux or *BSD)?
> I've never used it, but CoyoteLinux [1] appears to be active.
> It even has a Windows based Wizard, if you are so inclined.
> [1] http://www.coyotelinux.com/products.php?Product=coyote
I've used Coyote for a long time. It was great. Easy to set up, and it has 
a 2.4 kernel (so you can use iptables if you need to manually tweak 
something), a wizard that works OK from Windows, and a shell menu-driven 
or web interface that allows you to set up most scenarios...
anything more complicated than you find in the interface, you can go to 
the shell and set up yourself

Using floppy = read-only medium, easy system backup ;-), no noise, low 
heat... I was using it in a diskless/fanless P200 Classic with 16Mb RAM




Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 17:31:18 -0600, from the fingers of 
Michael Madden came the words:
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

OpenBSD is what I would most recommend. It can be installed from two floppies 
and fully customised. (www.openbsd.org) I _really_ love PF. Others may 
disagree. I've never had any problems with Linux firewalling / NATing / IP 
forwarding for as long as I can remember, but I prefer OpenBSD simply because 
it only installs exactly what you tell it to from the time you put the floppy 
in (which some other people would have a problem with) and it's very low 
maintenance. The only time I ever needed to shut down an OpenBSD machine is 
when I was moving office. So far I've never needed to upgrade any hardware 
(probably because it doesn't do much work anyway).

# du -h pf.conf
2.0K    pf.conf

There's a great man who once said "Donuts - Is there anything they can't do?" 
(Homer Simpson). Maybe when PF can be used as a contraceptive we can say that 
too!






Re: Linux Router

2004-12-13 Thread Scarletdown
Michael Madden wrote:
> Alex Barylo wrote:
> > I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
> > and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
> > picked it up from securityfocus.com top tools.
> > HTH,
> > Alex.
> 
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

Freesco is a pretty decent floppy based router.
freesco.org




Re: Linux Router

2004-12-13 Thread William Ballard
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

No.  Use an old laptop with a hard drive, and two PCMCIA net cards.
Take one floppy.  Put the OpenBSD install image on it.
Install OpenBSD via FTP and configure pf.

The package management system is similar to apt-get -- you can install 
an app and all dependencies with one command.

It is absolutely breathtaking as a router.  Utterly secure and never 
needs looking at.





Re: Linux Router

2004-12-13 Thread Alex Barylo
I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
picked it up from securityfocus.com top tools.

HTH,
Alex.





Re: Linux Router

2004-12-13 Thread Bruce Park

Ken Gilmour wrote:
> Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of 
> Michael Madden came the words:
> > Does anyone know of a decent Linux based router project out there?
> > In the past I've used LRP (http://www.linuxrouter.org), but it
> > looks like the project isn't maintained anymore.
> > My requirements are pretty simple.  I want to route traffic from
> > network A to network B and route traffic from network B to A.  I
> > don't need firewalling, but would like IP forwarding and NAT.  Any
> > recommendations?
> 
> Linux is capable of routing almost by default. All you need are two interfaces 
> and Linux. You can use iptables (or ipchains if you're using an old distro) to 
> do this. Personally I prefer OpenBSD to do this because it's very compact etc., 
> but I've also used Debian Woody to do the same task.
> The only problem I have with Linux's iptables as opposed to OpenBSD's PF is 
> that iptables has an overwhelming amount of stuff it can do and you can easily 
> break it. But it is, however, much more configurable. You can set them to just 
> allow everything through and use NAT and IP Forwarding in the process.
Ken,
Can you explain this in further detail? I've used iptables on Woody for 
almost two years without any problems. Thanks.

bp
> HTH
> Regards,
> Ken





Re: Linux Router

2004-12-13 Thread Michael Madden
Alex Barylo wrote:
> I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
> and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
> picked it up from securityfocus.com top tools.
> HTH,
> Alex.

Thanks for all the advice.  I guess something like
LRP appealed to me more since it was floppy based
and didn't require setting up a distro with many
unneeded utilities. Does anyone know of an active
floppy based firewall (Linux or *BSD)?
Thanks,
Mike


Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 19:26:40 -0500, from the fingers of 
Bruce Park came the words:
> Ken Gilmour wrote:
<snip>
> > The only problem I have with Linux's iptables as opposed to
> > OpenBSD's PF is that iptables has an overwhelming amount of stuff
> > it can do and you can easily break it. But it is, however, much
> > more configurable. You can set them to just allow everything
> > through and use NAT and IP Forwarding in the process.
>
>
> Ken,
>
> Can you explain this in further detail? I've used iptables on Woody
> for almost two years without any problems. Thanks.

The main point is that there are so many things to do in Linux in order to 
configure it for masquerading (Recompiling Kernel etc). There are also so many 
different commands that do exactly the same thing but in different ways. If a 
person is starting off in firewalling it's not good to overwhelm them with 
information. With OpenBSD, you simply edit stuff that's already there, for 
example. These are the steps I would take to set up a gateway on a brand newly 
set up OpenBSD machine:

Uncomment the following in /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1 (if using IPv6)

Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, 
stuff in [] is optional)

nat [pass] on <interface> [af] from <src_addr> [port <src_port>] to <dst_addr> 
[port <dst_port>] -> <ext_addr> [<pool_type>] [static-port]

You may then reboot the machine or just issue the following two commands:

# sysctl net.inet.ip.forwarding=1

Or

# sysctl net.inet6.ip6.forwarding=1 (if using IPv6)

Then

# pfctl -f /etc/pf.conf

You now have a fully working NAT box.

To perform IP forwarding uncomment the port redirect line in pf.conf and modify 
it to your taste then issue:

# pfctl -f /etc/pf.conf

The default configuration for the machine has zero known security holes. (have 
a look at www.openbsd.org for security info)

Regards,

Ken



Re: Linux Router

2004-12-13 Thread Sridhar M.A.
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:

> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

If you have a CD drive, why not try the Live CD Router? Just boot off
the CD and it runs.

  http://www.wifi.com.ar/english/cdrouter.html

HTH,

-- 
Sridhar M.A.   GPG KeyID : F6A35935
  Fingerprint: D172 22C4 7CDC D9CD 62B5  55C1 2A69 D5D8 F6A3 5935

Plus ça change, plus c'est la même chose.
[The more things change, the more they remain the same.]
-- Alphonse Karr, Les Guêpes




Re: Linux Router

2004-12-13 Thread Ron Johnson
On Mon, 2004-12-13 at 15:46 -0800, Scarletdown wrote:
> Michael Madden wrote:
> 
> > Alex Barylo wrote:
[snip]
> 
> 
> Freesco is a pretty decent floppy based router.
> 
> freesco.org

Note, though, that it uses kernel 2.0.39.

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

Don't be so open minded that your brains fall out.
s. keeling





Re: Linux Router automatic redialing

2003-03-18 Thread Steffen Ille
Compared to the TLUG mailing list, this place is pretty pathetic.
You torture Google and need an answer to the question about a 24/7 DSL
with 100% reconnect, and what you get as an answer is a debate about the morals
and surfing habits of the plebs.
Many thanks, you X-perts... that really helped solve my problem.



-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)



Re: Linux Router automatic redialing

2003-03-18 Thread Udo Mueller
Hello Steffen,

* Steffen Ille wrote [18-03-03 23:07]:
> Compared to the TLUG mailing list, this place is pretty pathetic.
> You torture Google and need an answer to the question about a 24/7 DSL
> with 100% reconnect, and what you get as an answer is a debate about the morals
> and surfing habits of the plebs.
> Many thanks, you X-perts... that really helped solve my problem.

And it is exactly from this reply that the others can see why you
didn't get a solution. 
If the TLUG is better, then go there. 

You complain that nobody helps you, but personally I haven't exactly
read your name often here either...

*shaking head*

Pay us, or those who are supposed to help you, and then you can
make remarks like that. Think about where you are here!

Regards Udo

-- 
If I tie a RedHat CD around a pig's neck and kick it,
one can say that KDE & Co. run fast even without RAM.
-- Robin S. Socha in de.comp.os.unix.linux.newusers




Re: Linux Router automatic redialing

2003-03-18 Thread Ruediger Noack
> --- Udo Mueller [EMAIL PROTECTED] wrote: 
> 
> * Steffen Ille wrote [18-03-03 23:07]:
> > [crap]
> 
> You complain that nobody helps you, but personally I haven't exactly
> read your name often here either...
> 
I have just searched the archive from February onward (because I wanted to
find the original posting) - without success.

Regards
Rüdiger
-- 





Linux router.

2003-02-23 Thread Vincent M.

Hi,

I don't fully master iptables, and I tried the following to make 
MSN talking work on 192.168.1.2, given that the Linux router is 
192.168.1.1:

###
# MSN Talking for IP address 192.168.1.2:
###
# Forwarding must be enabled in the kernel (net.ipv4.ip_forward=1) for the
# FORWARD rules below to have any effect.
IPTABLES=/sbin/iptables
OUT_DEV=ppp0
IN_HOST=192.168.1.2
TCP_PORT_RANGE=36988:45202
UDP_PORT_RANGE=36988:45202
TCP_LISTENING_PORT=36988

# Redirect inbound TCP/2000 from the PPP link to the internal host, and let
# the redirected packets through the FORWARD chain
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport 2000 -j DNAT --to-destination $IN_HOST
$IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport 2000 -d $IN_HOST -j ACCEPT

# Masquerade everything leaving on the PPP link
$IPTABLES -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE

# Redirect the dynamic TCP/UDP port ranges to the internal host ...
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_PORT_RANGE -j DNAT --to-destination $IN_HOST
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p udp --dport $UDP_PORT_RANGE -j DNAT --to-destination $IN_HOST
# ... and accept the redirected packets in the FORWARD chain
$IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $OUT_DEV --dport $UDP_PORT_RANGE -d $IN_HOST -j ACCEPT

# Same for the fixed listening port
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_LISTENING_PORT -j DNAT --to-destination $IN_HOST
$IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_LISTENING_PORT -d $IN_HOST -j ACCEPT


But it doesn't work :-(
Is there a way to do this without going off and installing an 
H323 server?  Is there an application to generate this kind of rules 
that works like a web server, webmin-style: http://www.webmin.com/


Thanks.



  1   2   >