Re: [masq] [masq] [masq] Load distribution over two interfaces

1999-01-12 Thread Doug Clements

>A 10Mb/s connection is a LOT of traffic.  How many people are you
>talking about?  20 people would be WELL served off a 10Mb/s switched
>link.

Only 5 people. Maybe 6.

>   http://ipmasq.cjb.net/
>   http://dijon.nais.com/~nevo/masq/

Thanks for the references..

>Hehehe.. true but you'll probably have to split up your traffic via DNS.
>Are all your addresses given out via DHCP?

Yes, the two external interfaces will have dhcp assigned addresses, but the
internal address will be static.

>Yes and no.  If you setup your own domain, you run your own DNS!
>But.. though www.abc.com will resolve to your dorm address,
>say 10.0.0.100 will resolve back to a campus name.  Though this
>is annoying, it won't break anything though some sites will complain
>about this split.

We may just pitch in and get a domain. That'd add to the coolness a whole lot.

>No.. I think you get it.  Problem is.. I'm not aware of any FTP clients
>that work this way.  And, if you were doing this FTP from a MASQed
>machine, I suppose a special IP_MASQ_FTP module could be written
>to do this but that's beyond my knowledge.

Actually, the way I was thinking of this was that the masq (ipfwadm) would
take care of all this. All the interface switching, blah, blah would be
taken care of independent of the applications and corresponding modules.
Ones that aren't known to be compatible can be dealt with in a 'normal'
masqing way. Since ipmasqing already does the address translation, why
can't it do this in addition? The only thing that would have to be tweaked
would be ipmasq.

I realize this isn't coded yet, but I think it might be something to
consider, if it isn't too hard. Just be able to feed it the interfaces to
balance on, and a weight for each protocol/port. Maybe add in a protocol or
two that are only allowed on a certain interface (maybe to take care of the
ftp problem), and away you go.

>No probs.. hehe.. I get a sick pleasure helping out on weird
>esoteric problems like this!

I'll take that as a compliment =)

--Doug Clements
[EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



[masq] Linux receives modem call?!

1999-01-12 Thread ming

Hi,

I am sorry; I know this is not the masquerade topic. However, I need help
with how Linux accepts a modem dial-in, issues an IP to the dialer, and
brings the dial-in onto the PPP network...?

Thanks,
ming
[EMAIL PROTECTED]




Re: [masq] IP Masq - FTP problems

1999-01-12 Thread Carl Petersen

Hi,
The MTU on eth0 is 1500 and ppp0 is 1500.
I've verified that all ip_masq_* modules are loaded.

David A. Ranch wrote:
> 
> What is your Linux box's MTU on the Internet connection?
> 
> --David
> David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
> For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] IP Masq - FTP problems

1999-01-12 Thread Carl Petersen

lsmod gives the following result:
Module            Pages  Used By
ax88140               3  1 (autoclean)
ip_masq_vdo_live      1  0
ip_masq_cuseeme       1  0
ip_masq_irc           1  0
ip_masq_raudio        1  0
ip_masq_ftp           1  0

This is from a running system.  Should the helpers be "used by"
some process?

--Carl

Fred Viles wrote:
> 
> That should work fine.  You've verified that the FTP masquerade
> "helper" module (ip_masq_ftp) is loaded?  lsmod should show it.  If
> it's not loaded then masqueraded FTP clients will only work in
> passive mode.
> 
> - Fred Viles 
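Fred's point is the reason the helper exists: masquerading rewrites the IP header, but an active-mode FTP client's PORT command carries the client's private address inside the command text, so without ip_masq_ftp the remote server tries to open the data connection to an unreachable address and the LIST hangs. The script below is an added example, not the ip_masq_ftp module (whose internals are not on this page); it shows what such a helper has to do on the control channel: decode PORT, substitute the masquerading host's public address and a reserved port, and remember the mapping so the server's inbound data connection can be forwarded. The public address 203.0.113.9, the internal network 192.168.0.0/24 and the sample commands are constructed values.

```python
import ipaddress
import re

# Constructed values: the masquerading host's public address and the internal
# network whose clients are masqueraded.
PUBLIC_IP = "203.0.113.9"
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")

# PORT h1,h2,h3,h4,p1,p2  (address as four bytes, port as high byte, low byte)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\r?\n?$", re.IGNORECASE)


def parse_port(line):
    """Decode a PORT command into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % line)
    return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Encode (ip, port) back into the PORT command wire format."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class FtpPortHelper:
    """What a masquerade helper has to do on the FTP control channel.

    The client advertises a private address in the PORT payload; the helper
    swaps in the public address plus a port it reserves, and keeps the mapping
    so the server's inbound data connection can be sent on to the client.
    """

    def __init__(self, public_ip=PUBLIC_IP, internal=INTERNAL_NET, first_port=61000):
        self.public_ip = public_ip
        self.internal = internal
        self.next_port = first_port
        self.expected = {}    # reserved public port -> (client ip, client port)

    def handle(self, line):
        """Rewrite one line of client->server control traffic if needed."""
        try:
            ip, port = parse_port(line)
        except ValueError:
            return line               # not a PORT command: pass through untouched
        if ipaddress.ip_address(ip) not in self.internal:
            return line               # already a reachable address, nothing to do
        pub_port = self.next_port
        self.next_port += 1
        self.expected[pub_port] = (ip, port)
        return format_port(self.public_ip, pub_port)

    def inbound_data(self, public_port):
        """Where a data connection arriving at (public_ip, public_port) goes,
        or None when no PORT command reserved that port (such connections
        should simply be dropped)."""
        return self.expected.pop(public_port, None)
```

Passive-mode clients never send PORT, which is why they work through plain masquerading while active-mode clients stall until the helper is loaded.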



Re: [masq] [masq] Load distribution over two interfaces

1999-01-12 Thread Doug Clements

>connection post haste!  What are you doing in your dorm room that
>needs so much traffic?  MP3 server or something?  Also.. very FEW

Nah, no mp3 server, but we're going to shove lots of people into a dorm,
and there's not going to be enough switch ports. We figured that while the
masqing was already going to happen, we might as well try to take advantage
of the two switch ports. A couple of the guys also work in the Science
Library on Campus, and were planning on doing some heavy-duty file
transfers from dorm->work and back again. Then of course, there is the
occasional shared mp3 directory, networked games of TA and Quake[I,II], X
connections to the labs (once we figure out how to get X through the masq)
and, naturally, the sheer coolness of having a dual-10BT connection to
the rest of the campus.

>Well.. many switches out there auto-detect full duplex.  You might
>try to find someone that has a new 10BaseT or 100BaseT card and
>see if they are running in full duplex mode.  Again.. this ASSUMES
>that each user gets their own SWITCH port.  An upstream hub port will
>not do.

We'll give this a try.

>http: www.abc.com  --> 10.0.100.100
>mp3:  mp3.abc.com (CNAME to www) --> 10.0.100.100
>
>ftp:  ftp.abc.com  --> 10.0.200.200
>mail: mail.abc.com (CNAME to ftp) --> (set via the MX record)

I think I get what you're saying.. But wouldn't that require access to the
campus DNS?

>There *are* systems out there that load balance over modems or
>ethernet connections but they ONLY work for short connected traffic
>like HTTP, etc.  Long term traffic like FTPs can only use one
>connection at a time.

I guess I just don't understand this.. using one connection at a time is
fine. I don't want to have one ftp session going over two cards, but if I
need to start up 4 or 5 at a time, why not have 2 on one card and 2 on
another? Since it's based on connections, just keep the connection on the
originating card until it dies. Am I missing the point?

>You can do this.. it's called EQL for Linux or MultiLink-PPP.  The problem
>is, those are protocols.  So, the remote equipment has to support the
>protocol too.  EQL is Linux.. EtherChannel is Cisco.. etc.  All proprietary.
>MultiLink-PPP is a possibility but again.. you need a remote Multilink-PPP
>server on the other end and that upstream hub/switch will NOT support
>either.

Ok, so multi-link over ethernet is a no-go unless the switch (or is it the
router?) at the other end can do EQL.

Thanks for your help.. feel free to stop explaining if I ask too many
questions =)

--Doug Clements
[EMAIL PROTECTED]





Re: [masq] [masq] Load distribution over two interfaces

1999-01-12 Thread David A. Ranch


>Nah, no mp3 server, but we're going to shove lots of people into a dorm,
>and there's not going to be enough switch ports. We figured that while the
>masqing was already going to happen, we might as well try to take advantage
>of the two switch ports. 

A 10Mb/s connection is a LOT of traffic.  How many people are you
talking about?  20 people would be WELL served off a 10Mb/s switched
link.



>A couple of the guys also work in the Science
>Library on Campus, and were planning on doing some heavy-duty file
>transfers from dorm->work and back again. 

Gigs?  If not.. a GOOD 10Mb/s connection will serve you nicely.

>Then of course, there is the
>occasional shared mp3 directory, networked games of TA and Quake[I,II], 

These really aren't high bandwidth stuff.  Games need low latency though.


>X connections to the labs (once we figure out how to get X through the masq)

On Ambrose's MASQ site:

http://ipmasq.cjb.net/

Check out the MASQ Application Page:

http://dijon.nais.com/~nevo/masq/


>and, naturally, the sheer coolness of having a dual-10BT connection to
>the rest of the campus.

Hehehe.. true but you'll probably have to split up your traffic via DNS.
Are all your addresses given out via DHCP?



>>http: www.abc.com --> 10.0.100.100
>>mp3:  mp3.abc.com (CNAME to www) --> 10.0.100.100
>>
>>ftp:  ftp.abc.com --> 10.0.200.200
>>mail: mail.abc.com (CNAME to ftp) --> (set via the MX record)
>
>I think I get what you're saying.. But wouldn't that require access to the
>campus DNS?

Yes and no.  If you setup your own domain, you run your own DNS!
But.. though www.abc.com will resolve to your dorm address, 
say 10.0.0.100 will resolve back to a campus name.  Though this
is annoying, it won't break anything though some sites will complain
about this split.



>I guess I just don't understand this.. using one connection at a time is
>fine. I don't want to have one ftp session going over two cards, but if I
>need to start up 4 or 5 at a time, why not have 2 on one card and 2 on
>another? Since it's based on connections, just keep the connection on the
>originating card until it dies. Am I missing the point?

No.. I think you get it.  Problem is.. I'm not aware of any FTP clients
that work this way.  And, if you were doing this FTP from a MASQed 
machine, I suppose a special IP_MASQ_FTP module could be written
to do this but that's beyond my knowledge.


>Thanks for your help.. feel free to stop explaining if I ask too many
>questions =)

No probs.. hehe.. I get a sick pleasure helping out on weird
esoteric problems like this!

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] port forwarding

1999-01-12 Thread David A. Ranch


>> >ipfwadm -I -p accept
>> >ipfwadm -O -p accept
>> >ipfwadm -F -p deny
>>
>> These are bad defaults.  Set your default to deny or reject and then
>> explicitly ALLOW traffic in.
>>
>I set these defaults in an effort to prevent filtering while I am getting
>port forwarding to work.  Once everything works, I plan to clamp things
>down.

Ok.. fair enough.



>> >ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
>> >ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
>> >ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
>> >ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
>> >ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
>>
>> Why the explicit denies?  Also.. you should deny UDP and TCP.  Don't
>> disable ICMP!  You are doing this via "-P all".
>>
>The explicit denies were in there when I installed the system, I think when
>I said yes to "IP Spoofing Protection".
>I extended them to cover the 2nd ethernet card.

What Linux distribution prompted you for this?  Having an option
like this would be great but these are NOT filters for spoofing.
If you want to see an example of anti-spoofing filters, etc, 
look at the TrinityOS IPFWADM ruleset.



>That is my entire ruleset.
>
>I just tried running with a ruleset of:
>   ipfwadm -I -p accept
>   ipfwadm -O -p accept
>   ipfwadm -F -p accept
>   ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
>   ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
>   ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80

Ok.. if you enter in each rule at the command line, do you
get any errors?

What does a "ipportfw -L" say?

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] port forwarding

1999-01-12 Thread Jim Montague



> -Original Message-
> From: David A. Ranch [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 11, 1999 11:11 PM
> To: Jim Montague; Linux IP Masquarede
> Subject: Re: [masq] port forwarding
>
>
>
> >My ipfwadm rules are:
> >
> > ipfwadm -I -p accept
> > ipfwadm -O -p accept
> > ipfwadm -F -p deny
>
> These are bad defaults.  Set your default to deny or reject and then
> explicitly ALLOW traffic in.
>

I set these defaults in an effort to prevent filtering while I am getting
port forwarding to work.  Once everything works, I plan to clamp things
down.

>
> >   ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W
> eth0 -D 0/0 2
> >   ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W
> eth1 -D 0/0 2
> >   ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
> >   ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
>
> These are bad too.  You need localhost for lots of stuff.  Permit
> localhost for internal access.
>
> > ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
> > ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
> > ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
> > ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
> > ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
>
> Why the explicit denies?  Also.. you should deny UDP and TCP.  Don't
> disable ICMP!  You are doing this via "-P all".
>

The explicit denies were in there when I installed the system, I think when
I said yes to "IP Spoofing Protection".
I extended them to cover the 2nd ethernet card.

> >my ipportfw rules are:
> > ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
> > ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
>
> These are right.
>
>
> ...Using tcpdump (running on the Linux server), I can see that
> >the packets are getting forwarded through the firewall, but the
> web server
> >doesn't seem to see them.
>
> It sounds like your IPFWADM INPUT or OUTPUT ruleset is filtering
> the traffic.  Is that your ENTIRE ruleset above or just a part of
> it?

That is my entire ruleset.

I just tried running with a ruleset of:
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p accept
ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80

and still couldn't connect.

Thanks!
    Jim

>
> --David
> David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
> For more detailed info, see http://www.ecst.csuchico.edu/~dranch




Re: [masq] [masq] Load distribution over two interfaces

1999-01-12 Thread David A. Ranch


>This is a campus connection.. They only have 10BT for the dorms (2 ports
>for a 2 person room), and it's actually going to a fiber ring around
>campus..

Any admin worth their salt would see something wrong when someone is
hogging 20MB of a 100Mb/s link!  I would think they would axe your 
connection post haste!  What are you doing in your dorm room that
needs so much traffic?  MP3 server or something?  Also.. very FEW
OSes can support full throughput of a 100Mb/s card.  Heheh.. NT
can only support ~40Mb/s!  Don't worry.. I think Linux can support
100Mb/s on a fast box.


>That's a spiffy idea, but we don't have access on the switch to manage it,
>and the network boys are a little stuffy.

Well.. many switches out there auto-detect full duplex.  You might
try to find someone that has a new 10BaseT or 100BaseT card and
see if they are running in full duplex mode.  Again.. this ASSUMES
that each user gets their own SWITCH port.  An upstream hub port will
not do.


>>Sure.. put different IP addresses on each NIC and change DNS to
>>let WWW traffic to goto one NIC and sendmail to the other.
>
>I don't quite understand.. I get the part about each NIC having its own
>address, but how exactly do you route certain services over certain
>interfaces?

http: www.abc.com   --> 10.0.100.100

mp3:  mp3.abc.com (CNAME to www) --> 10.0.100.100

--

ftp:  ftp.abc.com   --> 10.0.200.200

mail: mail.abc.com (CNAME to ftp) --> (set via the MX record)


etc..  btw.. a CNAME is basically a DNS alias.


>I'm surprised there isn't a neat little package for this sort of thing. It
>seems relatively simple in concept, as long as you don't care what IP
>address everything is coming from.. You just flip-flop between NICs as
>connections go out, and *bamf*, you have load balancing. 

Most Internet traffic is based on CONNECTIONS.  They establish
direct connections with a given MAC address.  Remember:

Fully qualified domain names are read by humans
IP addresses are read by routers
Ethernet MAC addresses are read by PCs
(see the OSI model for more details)


There *are* systems out there that load balance over modems or
ethernet connections but they ONLY work for short connected traffic 
like HTTP, etc.  Long term traffic like FTPs can only use one 
connection at a time.



>It wouldn't even have to be limited to ethernet, in the same way as
>dual-ppp connections are limited. Any interface that can be masqued over
>should be able to balance over. You could even get crazy with say, a 100BT
>connection, a 10BT connection, and a dialup. You weight each interface
>according to its speed, and throw that into the algorithm.

You can do this.. it's called EQL for Linux or MultiLink-PPP.  The problem
is, those are protocols.  So, the remote equipment has to support the
protocol too.  EQL is Linux.. EtherChannel is Cisco.. etc.  All proprietary.
MultiLink-PPP is a possibility but again.. you need a remote Multilink-PPP
server on the other end and that upstream hub/switch will NOT support
either.

Sorry mon.. 

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] if-out errors when using external SMTP

1999-01-12 Thread David A. Ranch


>IP fw-out deny eth0 ICMP/3 x.x.x.x y.y.y.y  L=108 S=0xC0 I=26547 F=0x T=64

These are ICMP Destination Unreachables and they should NOT
be filtered out.  TCP/IP needs ICMP!


>And I have the following outgoing firewall rules set up for ICMP (assuming
>this is where it is):
>
> ipfwadm -O -a accept -P icmp -W $EXTERNAL_INTERFACE \
> -S $IPADDR 0 4 8 12 -D $ANYWHERE
>
> ipfwadm -O -a accept -P icmp -W $EXTERNAL_INTERFACE \
> -S $IPADDR 3 11 -D $DHCP_SERVERS
>
> ipfwadm -O -a deny -P icmp -o -W $EXTERNAL_INTERFACE \
> -S $ANYWHERE -D $ANYWHERE

Why are you filtering ICMP?


>Can someone explain what this is, and offer a suggested change to my
>firewall rules to eliminate this error?

Delete all your ICMP lines in your ruleset!

--David


David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
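David's reading of the log line above is that the dropped packet is an ICMP type 3, destination unreachable, and that TCP/IP cannot work properly without it. The script below is an added example, not code from the list or from ipfwadm: it parses kernel log lines in the format quoted in the message (`IP fw-out deny eth0 ICMP/3 ...`, as written for rules that carry `-o`) and flags every denied or rejected ICMP message of a type the stack depends on, so a ruleset that is silently black-holing error ICMP shows up in the logs before users notice hangs. The sample lines are constructed with documentation addresses, and the fields after the destination address are assumed from the quoted line.

```python
import re
from collections import Counter

# Layout as quoted in the thread:
#   IP fw-out deny eth0 ICMP/3 x.x.x.x y.y.y.y  L=108 S=0xC0 I=26547 F=0x T=64
# chain, verdict, interface, protocol[/icmp type], source[:port], dest[:port], ...
LOG_RE = re.compile(
    r"IP (?P<chain>fw-in|fw-out|fw-fwd) (?P<verdict>accept|deny|reject) (?P<dev>\S+) "
    r"(?P<proto>[A-Z]+)(?:/(?P<icmp_type>\d+))? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"\s+L=(?P<length>\d+)"
)

# ICMP error messages TCP/IP relies on.  Discarding them does not produce a
# clean failure, it produces the silent stalls the thread is about.
REQUIRED_ICMP = {
    3: "destination unreachable (includes fragmentation-needed for path MTU)",
    4: "source quench",
    11: "time exceeded",
    12: "parameter problem",
}


def parse_line(line):
    """Return a dict for an ipfwadm log line, or None for anything else."""
    m = LOG_RE.search(line)          # search, so a syslog prefix is fine
    if not m:
        return None
    rec = m.groupdict()
    for key in ("icmp_type", "sport", "dport", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def audit(lines):
    """Flag denied/rejected ICMP of a required type; also tally what was logged."""
    findings, tally = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tally[(rec["chain"], rec["verdict"], rec["proto"])] += 1
        if rec["proto"] == "ICMP" and rec["verdict"] != "accept":
            t = rec["icmp_type"]
            if t in REQUIRED_ICMP:
                findings.append(
                    "%s %s on %s: ICMP type %d (%s) %s -> %s"
                    % (rec["chain"], rec["verdict"], rec["dev"], t,
                       REQUIRED_ICMP[t], rec["src"], rec["dst"])
                )
    return findings, tally


# Constructed sample lines in that format (documentation addresses; the last
# real entry carries the syslog prefix a /var/log/messages line would have).
SAMPLE_LOG = [
    "IP fw-out deny eth0 ICMP/3 192.0.2.10 198.51.100.7 L=108 S=0xC0 I=26547 F=0x0000 T=64",
    "IP fw-out deny eth0 ICMP/11 192.0.2.10 198.51.100.7 L=56 S=0x00 I=26548 F=0x0000 T=64",
    "IP fw-out accept eth0 ICMP/8 192.0.2.10 198.51.100.7 L=84 S=0x00 I=26549 F=0x0000 T=64",
    "IP fw-in deny eth0 TCP 198.51.100.7:40000 192.0.2.10:25 L=60 S=0x00 I=4000 F=0x4000 T=51",
    "Jan 12 23:11:01 masq kernel: IP fw-out deny eth0 ICMP/3 192.0.2.10 198.51.100.9 L=108 S=0xC0 I=26550 F=0x0000 T=64",
    "this line is not a firewall log entry",
]


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    for f in found:
        print("FINDING:", f)
    for key, n in sorted(counts.items()):
        print("%-28s %d" % ("/".join(key), n))
```

Run against a real log, the findings list is the evidence for the change David recommends: remove the ICMP deny lines (or at least never deny types 3 and 11) and let the error messages through.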



Re: [masq] [masq] IP Masq - FTP problems

1999-01-12 Thread David A. Ranch


>No, I'm talking about masqueraded client machines connecting to ftp
>servers on the internet. Some ftp clients work some just hang; usually
>on a LIST command.

What is your Linux box's MTU on the Internet connection?

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] port forwarding

1999-01-12 Thread David A. Ranch


>My ipfwadm rules are:
>
>   ipfwadm -I -p accept
>   ipfwadm -O -p accept
>   ipfwadm -F -p deny

These are bad defaults.  Set your default to deny or reject and then
explicitly ALLOW traffic in.


>   ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2
>   ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2
>   ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
>   ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0

These are bad too.  You need localhost for lots of stuff.  Permit
localhost for internal access.

>   ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
>   ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
>   ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
>   ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
>   ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0

Why the explicit denies?  Also.. you should deny UDP and TCP.  Don't
disable ICMP!  You are doing this via "-P all". 

>my ipportfw rules are:
>   ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
>   ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80

These are right.


>...Using tcpdump (running on the Linux server), I can see that
>the packets are getting forwarded through the firewall, but the web server
>doesn't seem to see them.  

It sounds like your IPFWADM INPUT or OUTPUT ruleset is filtering 
the traffic.  Is that your ENTIRE ruleset above or just a part of
it?

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] [masq] Mail Errors

1999-01-12 Thread David A. Ranch


>That being said, aren't there other identd servers available for Linux? 
>I seem to remember someone mentioning something called "midentd", but I
>don't know what that is.

They are listed on Ambrose's MASQ WWW site.

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



Re: [masq] [masq] Load distribution over two interfaces

1999-01-12 Thread Doug Clements

>Why don't you just get a Fast Ethernet card for $40 and save yourself
>the waste of a port on your switch?

This is a campus connection.. They only have 10BT for the dorms (2 ports
for a 2 person room), and it's actually going to a fiber ring around
campus..

>If the switch doesn't have multiple 100Mb/s ports, why don't you
>enable Full Duplex on both the switch port and the upstream NIC card
>(if it's not an option, replace the NIC with one that does
>support Full Duplex).

That's a spiffy idea, but we don't have access on the switch to manage it,
and the network boys are a little stuffy.

>Sure.. put different IP addresses on each NIC and change DNS to
>let WWW traffic to goto one NIC and sendmail to the other.

I don't quite understand.. I get the part about each NIC having its own
address, but how exactly do you route certain services over certain
interfaces?

>This has nothing to do with IPFWADM.  It's just routing basics.

I'm surprised there isn't a neat little package for this sort of thing. It
seems relatively simple in concept, as long as you don't care what IP
address everything is coming from.. You just flip-flop between NICs as
connections go out, and *bamf*, you have load balancing. Throw in a neat
little algorithm based on average traffic generated to make it a little
more even (say, one quake connection is worth 2 ftp connections, so if one
interface has a quake session going, the machine would throw 2 ftp
connections over the other interface before going back to the first) It
seems you shouldn't care for most things.. http, ftp, telnet, pop, etc.. I
mean, ipfwadm already does the address translation (wrong term?) for these
types of things.

It wouldn't even have to be limited to ethernet, in the same way as
dual-ppp connections are limited. Any interface that can be masqued over
should be able to balance over. You could even get crazy with say, a 100BT
connection, a 10BT connection, and a dialup. You weight each interface
according to its speed, and throw that into the algorithm.

I would be happy to try to make it happen, but coding isn't exactly my
specialty. Maybe for a class project..

--Doug Clements
[EMAIL PROTECTED]
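Doug's proposal, here and in his other reply in this thread (feed it the interfaces to balance on, a weight for each protocol/port, a protocol or two pinned to one interface, and keep each connection on the card it started on), can be written down as a small user-space scheduling policy. The code below is an added illustration and is not something from the list or from ipfwadm/ip_masq; the interface names, capacities and per-port costs are constructed, and the "one Quake connection is worth two FTP connections" weighting is Doug's own example.

```python
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    capacity: float        # relative weight, e.g. link speed in Mb/s
    load: float = 0.0      # summed cost of the connections currently on it


class ConnectionScheduler:
    """Per-connection load distribution in the shape Doug proposes.

    * `costs` gives a relative cost per (proto, dport); unknown ports cost 1.
    * `pinned` forces a (proto, dport) onto one named interface, for protocols
      whose reply traffic must come back to the address they went out on.
    * a connection already in the table always gets its original interface,
      so a single flow is never split across two NICs.
    """

    def __init__(self, interfaces, costs=None, pinned=None):
        self.ifaces = {i.name: i for i in interfaces}
        self.costs = costs or {}
        self.pinned = pinned or {}
        self.table = {}    # (proto, src, sport, dst, dport) -> interface name

    def _cost(self, proto, dport):
        return self.costs.get((proto, dport), 1.0)

    def assign(self, conn):
        """conn = (proto, src, sport, dst, dport). Returns the interface name."""
        if conn in self.table:
            return self.table[conn]
        proto, _, _, _, dport = conn
        name = self.pinned.get((proto, dport))
        if name is None:
            # least loaded interface relative to its capacity; on a tie the
            # first interface listed wins, which keeps the demo deterministic
            name = min(self.ifaces.values(), key=lambda i: i.load / i.capacity).name
        self.ifaces[name].load += self._cost(proto, dport)
        self.table[conn] = name
        return name

    def release(self, conn):
        """A connection closed: give its cost back to the interface."""
        name = self.table.pop(conn)
        self.ifaces[name].load -= self._cost(conn[0], conn[4])
        return name

    def loads(self):
        return {n: i.load for n, i in self.ifaces.items()}


# Constructed sample: two 10 Mb/s uplinks, one Quake session counted as two
# FTP sessions, three FTP sessions started after the game is already running.
def demo_weighted():
    sched = ConnectionScheduler(
        [Interface("eth1", 10.0), Interface("eth2", 10.0)],
        costs={("udp", 27500): 2.0, ("tcp", 21): 1.0},
    )
    quake = ("udp", "192.168.1.10", 27001, "198.51.100.7", 27500)
    quake_if = sched.assign(quake)
    ftp = [("tcp", "192.168.1.11", 2000 + n, "198.51.100.8", 21) for n in range(3)]
    ftp_ifs = [sched.assign(c) for c in ftp]   # two on the other card, then back
    same = sched.assign(quake)                  # existing flow stays where it is
    return quake_if, ftp_ifs, same, sched.loads()


# Constructed sample: FTP pinned to eth1 even though eth2 is the less loaded card.
def demo_pinned():
    sched = ConnectionScheduler(
        [Interface("eth1", 10.0), Interface("eth2", 10.0)],
        pinned={("tcp", 21): "eth1"},
    )
    for n in range(3):
        sched.assign(("tcp", "192.168.1.12", 3000 + n, "198.51.100.9", 80))
    ftp = ("tcp", "192.168.1.11", 2100, "198.51.100.8", 21)
    ftp_if = sched.assign(ftp)
    sched.release(ftp)
    return ftp_if, sched.loads()


if __name__ == "__main__":
    print(demo_weighted())
    print(demo_pinned())
```

The table that maps a connection to its card is the same kind of state the masquerade table already keeps per connection, which is Doug's argument for putting the policy there; the pinning entry is his suggested answer to protocols such as FTP whose data channel must return to the address the control channel used.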





Re: [masq] Load distribution over two interfaces

1999-01-12 Thread David A. Ranch


>Is it possible to have the outgoing load balanced over the two external
>interfaces? It would seem plausible, since we're going out to a switch,
>and we would have 2 cards 10mbit each, totalling a theoretical 20mbit
>connection to a 100mbit uplink.

Why don't you just get a Fast Ethernet card for $40 and save yourself
the waste of a port on your switch?  

If the switch doesn't have multiple 100Mb/s ports, why don't you 
enable Full Duplex on both the switch port and the upstream NIC card 
(if it's not an option, replace the NIC with one that does
support Full Duplex).

Regardless, the combination of multiple NIC cards for a faster
virtual connection is possible but I've never heard of it done
on Linux.  Cisco's version is called EtherChannel on Cisco 
Switches and it is proprietary to Cisco.  Linux does this over
modem lines with EQL though it will only work to other remote 
Linux boxes and/or Livingston Portmasters.


>Even if it isn't natural load balancing, is there a way to have all traffic
>of say, web type, go over one nic, and all quake traffic go over another?

Sure.. put different IP addresses on each NIC and change DNS to 
let WWW traffic to goto one NIC and sendmail to the other.


>Or is this method fundamentally flawed by something simple that I'm
>missing? If ipfwadm can't do this, I'm sure someone knows of something like
>this that will get the job done.. :) Thanks a bunch..

This has nothing to do with IPFWADM.  It's just routing basics.

--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch



[masq] port forwarding

1999-01-12 Thread Jim Montague


I am having problems getting port forwarding to work.  I know this may not
be the forum to ask this in, but I am not sure where else to ask.

My private network consists of:
a Debian Linux 2.0.34 Server (IP 192.168.0.100) running the Apache web
server.
a Debian Linux 2.0.34 Server (IP 192.168.0.200 internally, IP 206.63.251.175
externally) configured with IP Masquerading and IP Port Forwarding.  (I did
install the port forwarding patch for the 2.0.34 kernel).  This server is my
firewall.  It is connected to my ISP via DSL.
a Windows NT server (IP 192.168.0.4).  I can dial up my ISP via this
machine.
a couple of other Windows 95 machines.

The IP Masquerading came up and worked without error the first time I booted
it up.
However, I have been wrestling with the port forwarding for a while now
without getting anywhere.

My ipfwadm rules are:

ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p deny
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0

my ipportfw rules are:
ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80

When I try to access my Linux web server (I disconnect the NT machine from
the network and dial up my ISP), the browser doesn't get any response from
the web server.  Using tcpdump (running on the Linux server), I can see that
the packets are getting forwarded through the firewall, but the web server
doesn't seem to see them.  I know that the web server is running, because
when I connect the NT machine back to my internal network, I can access it
just fine.  I get the same results when I forward ports 20 and 21 and try to
use ftp.

I would appreciate any clues as to where to debug from here or any
suggestions of where else to ask questions.

Thanks!
    Jim Montague
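David's two objections to this ruleset in his reply (default policies of accept, which should be deny or reject with explicit accepts; and deny rules written with `-P all`, which also discard ICMP) are mechanical enough to check with a script. The one below is an added example, not part of the thread or of ipfwadm: it parses the ipfwadm and ipportfw lines exactly as quoted in this post, using only the options that appear in them, and additionally checks that each ipportfw target lies inside the masqueraded network and that the public address ipportfw binds is one the ipfwadm rules mention. That last check fires on the quoted ruleset, because the anti-spoofing rules name 206.63.241.175 while the ipportfw lines and the post itself give 206.63.251.175 as the external address; whether that is a typo in the mail or in the script is something only the poster can say, but it is the kind of mismatch worth spotting before debugging further.

```python
import ipaddress
import shlex

# Jim's ruleset as quoted in the post (ipfwadm on a 2.0 kernel plus ipportfw).
RULESET = """\
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p deny
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
"""

CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}
COMMANDS = {"-p": "policy", "-a": "append", "-i": "insert", "-d": "delete"}
ADDR_OPTS = {"-S": "src", "-D": "dst", "-W": "iface"}


def parse_ipfwadm(argv):
    """Pick the options this checker needs out of one ipfwadm command line."""
    rule = {"chain": None, "cmd": None, "target": None, "proto": "all",
            "src": None, "dst": None, "iface": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in CHAINS:
            rule["chain"] = CHAINS[tok]
        elif tok in COMMANDS:           # -p/-a/-i/-d take the policy as argument
            rule["cmd"], i = COMMANDS[tok], i + 1
            rule["target"] = argv[i]
        elif tok == "-P":
            i += 1
            rule["proto"] = argv[i].lower()
        elif tok in ADDR_OPTS:
            i += 1
            rule[ADDR_OPTS[tok]] = argv[i]
            while i + 1 < len(argv) and argv[i + 1].isdigit():
                i += 1                  # port numbers may follow -S/-D; skipped
        i += 1                          # -o and other flags are ignored
    return rule


def parse_ipportfw(argv):
    """ipportfw -A -t<ext>/<port> -R <internal>/<port>   (-u for UDP)."""
    fwd = {"proto": None, "ext": None, "target": None}
    for tok, nxt in zip(argv[1:], argv[2:] + [""]):
        if tok[:2] in ("-t", "-u"):
            fwd["proto"] = "tcp" if tok[1] == "t" else "udp"
            fwd["ext"] = tok[2:] or nxt
        elif tok == "-R":
            fwd["target"] = nxt
    return fwd


def as_network(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def check(ruleset_text):
    """Return (code, message) findings for the problems raised in the thread."""
    findings, policies, rules, fwds = [], {}, [], []
    for line in ruleset_text.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if argv[0] == "ipfwadm":
            r = parse_ipfwadm(argv)
            if r["cmd"] == "policy":
                policies[r["chain"]] = r["target"]
            elif r["cmd"] in ("append", "insert"):
                rules.append(r)         # deletes leave nothing in the kernel
        elif argv[0] == "ipportfw":
            fwds.append(parse_ipportfw(argv))
    # 1. a default of accept admits everything the deny rules do not name
    for chain, pol in sorted(policies.items()):
        if pol == "accept":
            findings.append(("default-accept", "%s chain defaults to accept; "
                             "default to deny/reject and accept explicitly" % chain))
    # 2. a deny with -P all covers ICMP as well
    for r in rules:
        if r["target"] in ("deny", "reject") and r["proto"] == "all":
            findings.append(("deny-all", "deny from %s on %s uses -P all and so also "
                             "drops ICMP; use -P tcp and -P udp" % (r["src"], r["iface"])))
    # 3. forwarding targets must be masqueraded hosts, and the public address
    #    ipportfw binds should be one the ipfwadm rules know about
    masq_nets = [as_network(r["src"]) for r in rules if r["target"] == "masquerade"]
    host_addrs = {r["src"] for r in rules if r["src"] and "/" not in r["src"]}
    seen_ext = set()
    for f in fwds:
        target_ip = ipaddress.ip_address(f["target"].split("/")[0])
        if not any(target_ip in net for net in masq_nets):
            findings.append(("target-outside-masq",
                             "ipportfw target %s is not in a masqueraded network" % target_ip))
        ext_ip = f["ext"].split("/")[0]
        if ext_ip not in host_addrs and ext_ip not in seen_ext:
            seen_ext.add(ext_ip)
            findings.append(("ext-mismatch", "ipportfw binds %s but the ipfwadm rules "
                             "only name %s; check for a typo" % (ext_ip, ", ".join(sorted(host_addrs)))))
    return findings


if __name__ == "__main__":
    for code, msg in check(RULESET):
        print("%-20s %s" % (code, msg))
```

The checker deliberately ignores `-d` (delete) lines, since they only remove rules and leave nothing behind in the kernel, and it treats the trailing port numbers after `-S`/`-D` as noise because none of the checks depend on them.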
