Re: [masq] Linux receives modem call?!
> I am sorry that I know this is not the masquerade topic. However, I need
> help with how Linux accepts a modem dial-in, issues an IP to the dialer,
> and makes the dial-in part of the PPP network...?

This is all covered in the PPP-HOWTO.

--David
| David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED] |
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'

- To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
  For daily digest info, email [EMAIL PROTECTED]
Re: [masq] [masq] Linux receives modem call?!
Hey Charles,

>   # /etc/ppp/options.ppp0
>   modem
>   crtscts
>   38400
>   #defaultroute
>   asyncmap 0
>   lock
>   192.168.1.14:192.168.1.16
>   proxyarp
>   passive

Unless you are going to have a remote subnet behind that PPP connection, you don't need the proxyarp line.

> Sometimes it works, sometimes it doesn't.

What does or doesn't work? Are you getting an immediate PPP connection, or does the user have to log in and then initiate that script?

> (DRanch: does the Trinity doc cover this? I've downloaded the new one, but
> not had a chance to check out this topic.)

The TrinityOS doc covers dialing OUT with Linux and how to dial INTO a Linux box for terminal access. Starting up a PPP session once you are already dialed in is simple. Basically, with your /etc/ppp/options file from above, running "pppd /dev/ttyS0" should work fine!

--David
| David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED] |
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
Re: [masq] A possible bug in the ip_masq_quake code?
[EMAIL PROTECTED] said:
} The problem happens when you double-click on the Quake2 entry in the
} left-hand window to "update the servers". The first or second time,
} you will get a good list of servers and decently low ping times. If
} you do this a few more times, all of the sudden, all the ping times
} go to [...] and from the Linux server's logs, you see:
}
}   Jan 13 00:07:09 trinity2 kernel: ip_masq_new(proto=UDP): no free ports.
}
} The only solution I found to this problem is to reboot. I cannot
} unload the ip_masq_quake module since it is "in use"

I know zilch about Quake. However, I guess it's making a UDP connection to each server in turn, and that there are a number of servers - a guesstimate of the order of a thousand plus. That's going to open up masq tunnels which, with UDP, remain until they time out.

A workaround is probably to set the UDP timeout down to something small - a few seconds ought to be OK, I guess, for Quake, and also for DNS. What other UDP are people putting through their masq??

The Quake module would possibly be able to diddle with the timeouts as another near solution. [Or if a signoff was sent as part of the protocol it could close the tunnel down.]

Nigel.
--
[ [EMAIL PROTECTED] - Systems Software Engineer ]
[ Tel : +44 113 207 6112  Fax : +44 113 234 6065 ]
[ Real life is but a pale imitation of a Dilbert strip ]
[ We're recruiting http://www.theplanet.net/profile/recruit.htm ]
[masq] Dranchs WWW site: TrinityOS update
Lots of updates, especially security things for Samba. 85 users on the list and counting!

==
01/13/99
  Added the "logit" script to aid in real-time troubleshooting. *Sent [Section 9] Update*
  Added a note to move the loading of SSHd higher up in the rc.local file to speed up reboots. [Section 30]
  Added the (no_root_squash) and (ro,nosuid,noexec) NFS examples for more NFS ideas and security. [Section 40]

01/12/99
  Corrected the Contents page to reflect that Samba does both File and Print sharing.
  Added [Section 47] for UNIX (and thus Samba) Printing.
  Added [Section 48] for SWAN / IP-SEC VPNs [not completed].
  [Section 2]  Corrected the Samba entry to reflect File and Printing.
               Added the UNIX (Samba) print feature.
               Added the SWAN / IPSEC VPN feature [not completed].
  [Section 3]  Added a DNS hostname (roadrunner) (doh!), the SMB Workgroup (ACME123) name, added an internal MASQ'ed machine name (coyote), and cleaned up all remaining issues for the search/replace section.
  [Section 7]  Fixed a TERRIBLE mistake where all the /etc/rc.d/init.d script files were 755! Also fixed the perms for /etc/cron.daily.tmpwatch.
  [Section 7]  Added a little reminder to periodically use the RPM update tools documented in [Section 43].
  [Section 7]  Made the recommendation to change the default UMASK from 755 to 750.
  [Section 7]  Made a note where I've noticed that some of the daemon start/stop GUI tools disable/enable some daemons that you DON'T want upon first use.
  [Section 8]  Fixed permission problems (changed to 700) of /var/log/log.to.ttys and /var/log/sendlogs.
  [Section 9]  Clarified that the user needs to download IPFWADM before they can use IP MASQ.
  [Section 10] Enabled and clarified why it is important to load the Real Audio MASQ module for performance reasons.
  [Section 10] Fixed perms on the commented lines for /etc/ppp/ip-up to be 700.
  [Section 10] Fixed perms for /etc/rc.d/rc.firewall to 700.
  [Section 10] Fixed perms on /etc/rc.d/rc.serial to 700.
  [Section 16] Fixed perms on /etc/cron.15minutes/getdate to 700.
  [Section 26] Fixed perms on /etc/rc.d/rc.raid to 700.
  [Section 31] Lots of important changes to the Samba section:
               - Deleted all "s so as not to confuse the reader
               - Added the "server string" line
               - Changed the "WORKGROUP" to "acme123"
               - Added the "bind interfaces only = true" setting for more security
               - Added the "create mask" and "directory mask" to fix Samba to UNIX permission problems (all files were getting set to 755, thus all "other" users could see the files)
               - Added the "force group" setting to improve SMB/UNIX file sharing
               - Added the "fake oplocks" setting to improve performance
               - Added the "IPTOS_LOWDELAY" setting for LAN segments
               - Added the "veto oplocks" setting for the CDROM changer
               - Added the "browsable = no" to [Homes] so users don't see duplicated things in the browse list
               - Added the "user = %S" to increase security
               - Added the "[HpLj2p]" section for SMB printing
               - Added the directions to use "testparm" to check the /etc/smb.conf file
               - Added a forgotten (and mandatory) section on creating the /etc/smbpasswd file
               - Added instructions on how to configure Win95/NT to get all the machines into the same SMB workgroup
               - Added how to mount your Win95/NT shares onto your Linux box with smbclient and smbmount!
  [Section 33] Clarified the use of mkisofs.
  [Section 39] Fixed perms on /etc/cron.10minutes/re-sync.
Re: [masq] IP Masq - FTP problems
Yes, if I fire up an ftp session on one of the clients the "Used By" field increments.

I have experimented and found out that only passive ftp sessions work. From a Linux box on the LAN an ftp session must be switched to "passive" before I "NLIST" a directory. Perhaps this is the way it's supposed to work? Next I'll look at the ip_masq_ftp source code and see just what it's doing.

--Carl

David A. Ranch wrote:
> No.. to be honest, I don't know what the "Pages" and "Used By" fields
> mean, though when a module is being used, the "Used By" field will
> increment per client. So, when you try to FTP out to the internet on
> port 21, does your ip_masq_ftp counter increase?
>
> --David
Re: [masq] [masq-dev] A possible bug in the ip_masq_quake code?
"David A. Ranch" wrote:
> Linux 2.0.36 w/ ipportfw patch
> ftp, quake, and raudio MASQ modules loaded
> UDP ports 2000-2020 IPPORTFWed
>
> The problem happens when you double-click on the Quake2 entry in the
> left-hand window to "update the servers". The first or second time,
> you will get a good list of servers and decently low ping times. If
> you do this a few more times, all of the sudden, all the ping times
> go to [...] and from the Linux server's logs, you see:
>
>   Jan 13 00:07:09 trinity2 kernel: ip_masq_new(proto=UDP): no free ports.

Hey, I wonder if the loose UDP patch will help that. It reuses UDP ports more efficiently. (It's in 2.2.0-pre7, and a version for 2.0.36 can be found at http://www.alumni.caltech.edu/~dank/peer-nat.html)

- Dan
--
Speaking only for myself, not for my employer
Re: [masq] [masq] [masq-dev] A possible bug in the ip_masq_quake code?
On Thu, 14 Jan 1999, Dan Kegel wrote:

> Date: Thu, 14 Jan 1999 07:04:44 -0800
> From: Dan Kegel [EMAIL PROTECTED]
> To: "David A. Ranch" [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [masq] [masq-dev] A possible bug in the ip_masq_quake code?
>
> "David A. Ranch" wrote:
> > Linux 2.0.36 w/ ipportfw patch
> > ftp, quake, and raudio MASQ modules loaded
> > UDP ports 2000-2020 IPPORTFWed
> >
> > The problem happens when you double-click on the Quake2 entry in the
> > left-hand window to "update the servers". The first or second time,
> > you will get a good list of servers and decently low ping times. If
> > you do this a few more times, all of the sudden, all the ping times
> > go to [...] and from the Linux server's logs, you see:
> >
> >   Jan 13 00:07:09 trinity2 kernel: ip_masq_new(proto=UDP): no free ports.
>
> Hey, I wonder if the loose UDP patch will help that. It reuses UDP ports
> more efficiently. (It's in 2.2.0-pre7, and a version for 2.0.36 can be
> found at http://www.alumni.caltech.edu/~dank/peer-nat.html)
>
> - Dan

Possibly, but I doubt it. Quake and Quake2 are masquerading friendly. The problem the original author is having is that masquerading timeouts are set too high. The default, I believe, is 5 minutes. Now assuming he has 1000 entries in his GameSpy table, he does a query which opens 1000 ports which only need to be open for a few seconds, but stay open for 5 minutes. Now he does a query again 1 minute later, which means there are 2000 ports open. Now he does another 1 minute later to give 3000 ports open. As you can see, this will quickly fill up the masquerading tables. This happens to me all the time, since I've got two computers behind my masquerading host that play.

The solution? Use smaller UDP timeouts.

  # ipfwadm -M -s 0 0 60

will leave the tcp and tcpfin timeouts at their default, and will set the UDP timeout to 1 minute. I really don't see a reason why they can't be set even lower, or why UDP has a timeout in the first place, since UDP is packet based, not connection based.

Btw, another person said he didn't need the quake masquerading module to play Quake or Quake2. This is correct for a couple of reasons:

1) If you only have one host playing Quake behind your masquerading host, or if you have more than one host but they're all playing on different servers, then the module is not necessary. The module is only necessary when 2 or more hosts want to play on the same server.

2) The module does absolutely _nothing_ for Quake2. If you look at the module source, you'll see a couple of port numbers at the beginning: 26000 and 27000. Quake2's default port is 27910. The quake module apparently does work for Quake2 if the port is added.
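The table-exhaustion arithmetic in the reply above, as an added simulation (not code from the list or the kernel): every UDP probe to a server takes one masq tunnel that lingers for the UDP timeout, so repeated scans at 1-minute intervals pile up under a 5-minute timeout but recycle cleanly under a 60-second one. The pool size of 4096 ports for the 2.0.x masq port range is an assumption, not a number from the thread.

```python
"""Simulate masq-table growth for a GameSpy-style UDP server scan.

Added illustration for the ip_masq_quake thread; not the kernel's code.
Assumed (not stated on the page): the 2.0.x masq port pool holds about
4096 ports, so the 4097th simultaneous tunnel fails with
"ip_masq_new(proto=UDP): no free ports".
"""
from collections import deque

MASQ_PORT_POOL = 4096   # assumed size of the masq port range


def simulate_scans(servers, scan_interval_s, scan_count, udp_timeout_s,
                   pool=MASQ_PORT_POOL):
    """Return (peak_open_tunnels, first_scan_that_hit_no_free_ports).

    Each scan sends one UDP probe to every server.  A probe needs its own
    masq tunnel, which is only freed when its idle timer (udp_timeout_s)
    expires.  The second element is None when the pool never runs dry.
    """
    open_tunnels = deque()      # expiry timestamps, oldest first
    peak = 0
    exhausted_at = None
    for n in range(scan_count):
        now = n * scan_interval_s
        # Expire idle tunnels before the new scan, as the kernel's timer would.
        while open_tunnels and open_tunnels[0] <= now:
            open_tunnels.popleft()
        for _ in range(servers):
            if len(open_tunnels) >= pool:
                # This is the point where the log message in the thread fires.
                if exhausted_at is None:
                    exhausted_at = n + 1
                break
            open_tunnels.append(now + udp_timeout_s)
        peak = max(peak, len(open_tunnels))
    return peak, exhausted_at


def compare_timeouts(servers=1000, scan_interval_s=60, scan_count=10):
    """Run the thread's scenario under the default and the lowered timeout."""
    return {
        "default_300s": simulate_scans(servers, scan_interval_s, scan_count, 300),
        "lowered_60s": simulate_scans(servers, scan_interval_s, scan_count, 60),
    }


if __name__ == "__main__":
    for name, (peak, exhausted) in compare_timeouts().items():
        status = "never exhausted" if exhausted is None else "exhausted on scan %d" % exhausted
        print("%-12s peak %4d tunnels, %s" % (name, peak, status))
```

With the default timeout the fifth scan runs out of ports; with `ipfwadm -M -s 0 0 60` each scan's tunnels have expired before the next one starts, so the table never exceeds one scan's worth of entries.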
[masq] Configuring IP MASQ on RedHat 4.2
Hello everyone...

I'm looking for some help on setting up IP MASQ on RedHat 4.2, Kernel 2.0.30. I previously got IP MASQ configured and working on RedHat 4.2, but it's been 8 months or so, and at the time it took me forever to finally get it working. Well, I've run into the same problem as last time.

I've read the help on the IP Masquerading Web page, the Mini-HOWTO on IP MASQ, the Mini-HOWTO on Modules, and various mailing list posts. I compiled the Kernel with the appropriate options enabled listed in the IP MASQ mini-HOWTO, and then did

  make dep; make clean; make zImage; make modules; make modules_install

Then I added the 'depmod -a' and so on listed in the "mini" to my rc.local, and it never fails, I end up with

  ###Unresolved symbol in module ip_masq.o

right down the list. It took me forever to solve this problem last time, and I was hoping you guys could offer some help. It would be greatly appreciated.

-Adam
email: [EMAIL PROTECTED]

P.S. I'm using RedHat 4.2 due to a memory leak in glib that crashes a M.U.D. that I host. Otherwise I would have upgraded.
[masq] ICQ NetMeeting
Hi all!

Can someone, please, let me know how to configure the masq to use ICQ and NetMeeting on the workstations?

Thank you very much,
Jorge.
Re: [masq] IP Masq - FTP problems
> I have experimented and found out that only passive ftp sessions work.
> From a linux box on the lan an ftp session must be switched to "passive"
> before I "NLIST" a directory. Perhaps this is the way it's supposed to
> work?

No, active FTPs work for most people as long as they are FTPing to a remote site on port 21. Are you using a strong IPFWADM ruleset? Are you allowing port 20 out?

--David
| David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED] |
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
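Why active FTP only works through masq when the control channel is on port 21: the ip_masq_ftp helper has to see the client's PORT command and rewrite the private address in it, otherwise the remote server tries to open the data connection to an unreachable address. The sketch below is an added Python model of that rewrite, not the kernel module's code; the addresses, the allocated masq port and the PORT lines are constructed.

```python
"""Toy model of the PORT-command rewrite an FTP NAT helper performs.

Added illustration for the masq FTP thread; not ip_masq_ftp's own code.
All addresses and ports below are constructed sample values.
"""
import re
from ipaddress import ip_address

# PORT h1,h2,h3,h4,p1,p2  ->  client listens on h1.h2.h3.h4 : p1*256+p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT line, rejecting malformed input."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("octet out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def format_port_command(ip, port):
    """Encode ip:port back into the comma-separated PORT syntax."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def masquerade_port_command(line, masq_ip, alloc_port):
    """Rewrite a client's PORT command the way a masq helper must.

    The client advertises its private address and a listening port.  The
    server would connect there from port 20 and fail, so the helper swaps
    in the masq host's public address plus a freshly allocated masq port,
    and records the reverse mapping so the inbound data connection can be
    forwarded to the client.  Returns (rewritten_line, mapping).
    A PORT command that already carries a public address is passed through.
    """
    client_ip, client_port = parse_port_command(line)
    if not ip_address(client_ip).is_private:
        return line, {}
    masq_port = alloc_port()        # e.g. one port from the masq pool
    mapping = {(masq_ip, masq_port): (client_ip, client_port)}
    return format_port_command(masq_ip, masq_port), mapping


if __name__ == "__main__":
    # Constructed example: client 192.168.1.20 behind masq host 203.0.113.5.
    rewritten, table = masquerade_port_command(
        "PORT 192,168,1,20,4,1\r\n", "203.0.113.5", lambda: 61001)
    print("client sent : PORT 192,168,1,20,4,1")
    print("server sees : %s" % rewritten.strip())
    print("masq table  : %r" % table)
```

Passive mode needs none of this, because the client opens the data connection outbound and ordinary masquerading handles it, which is why a LAN that only works in passive mode usually points at the helper not seeing (or not being allowed to handle) the port-21 control channel.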
Re: [masq] [masq] [masq-dev] A possible bug in the ip_masq_quake code?
> snip
>
> The solution? Use smaller udp timeouts.
>
>   # ipfwadm -M -s 0 0 60
>
> will leave the tcp and tcpfin timeouts at their default, and will set the
> udp timeouts to 1 minute. I really don't see a reason why they can't be
> set even lower or why udp has a timeout in the first place, since udp is
> packet based, not connection based.

Like I posted in an earlier email, I've now put the UDP timeouts down to 60 seconds. I had it abnormally high because ICQ users were seeing me come and go (flapping). After running a tcpdump, I noticed that ICQ (in its stock setup) sent updates no longer than every 8 minutes. I was then later told that ICQ has a firewall timeout adjustment for this exact issue. I'm trying the new settings out now as we speak.

> Btw, another person said he didn't need the quake masquerading module to
> play quake or quake2. This is correct for a couple of reasons:

Interesting! I appreciate your knowledge on the quake module and Q2 on this one!

Thanks everyone, and I apologize for the false alarm, but I definitely learned something from this thread and I imagine other people did too!

--David
| David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED] |
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
Re: [masq] ICQ NetMeeting
> Can some one, please, let me know how to configure the masq, to use ICQ
> and NetMeeting on the workstations ?.

See http://doncaster.on.ca/~lnevo/masq/ for details

Tim Fletcher
[EMAIL PROTECTED]          L I N U X
                           Don't fear the penguin

Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
(For non-Latiners: "I have a catapult. Give me all the money, or I will fling an enormous rock at your head.")
[masq] X across masq
Hello all..

I am new to this list and this issue may have been already dealt with. If so, please feel free to reply to me personally to avoid useless traffic to the rest of the list.

We have a Linux box using the 2.0.35 kernel's masq. When behind the masq, we observed it was not possible (with the default rules) to use X across the masq. Specifically, the X server is behind the masq (on the private network) and the X client (the machine running the apps) is out on the internet.

Is there a ruleset I can use to allow the X data to be transported? If not, is there a proxy that can be run on the masq machine? Any other solutions? Is there an ip_masq_xwindows module in the works?

Thanks for your help.
-Chris
===
Chris Ruvolo                        Computer Science Dept.
[EMAIL PROTECTED]                   Rochester Institute of Technology
---
Re: [masq] Load distribution over two interfaces
Doug Clements [EMAIL PROTECTED] wrote:
> Any particular place I should look if I say, wanted to act like I was
> cool and start coding this? Maybe some kernel programming stuff? I'm
> not sure exactly what I'm getting into here, but maybe it's not so hard.

The main reason you're not having much luck on this list is because you're assuming that it's an IP Masq issue. It isn't! It's a routing issue.

You see, masquerade only comes into play AFTER the kernel has already decided how it's going to route the packet that it received. The routing table makes the decision of where the packet will go, and only THEN does the kernel consult the ipfwadm/ipchains rule sets, in order to decide if that decision should be allowed/denied/masq'd. There's really no way to add a rule that says "no wait, I didn't mean to route it that way, try this instead." :)

Now, that said, there is considerable code in the development (2.1 and pre-release 2.2) kernels involving routing. Just browsing through the Configure.help file, I found these fun options just waiting to be played with:

  CONFIG_IP_ADVANCED_ROUTER
    If you intend to run your Linux box mostly as a router, i.e. as a
    computer that forwards and redistributes network packets, say Y; you
    will then be presented with several options that allow more precise
    control about the routing process.

  CONFIG_IP_MULTIPLE_TABLES
    Normally, a router decides what to do with a received packet based
    solely on the packet's final destination address. If you say Y here,
    the Linux router will also be able to take the packet's source address
    into account. Furthermore, if you also say Y to "IP: use TOS value as
    routing key" below, the TOS (Type-Of-Service) field of the packet can
    be used for routing decisions as well.

  CONFIG_IP_ROUTE_MULTIPATH
    Normally, the routing tables specify a single action to be taken in a
    deterministic manner for a given packet. If you say Y here however, it
    becomes possible to attach several actions to a packet pattern, in
    effect specifying several alternative paths to travel for those
    packets. The router considers all these paths to be of equal "cost"
    and chooses one of them in a non-deterministic fashion if a matching
    packet arrives.

  CONFIG_IP_ROUTE_TOS
    The header of every IP packet carries a TOS (Type of Service) value
    with which the packet requests a certain treatment, e.g. low latency
    (for interactive traffic), high throughput, or high reliability. If
    you say Y here, you will be able to specify different routes for
    packets with different TOS values.

Disclaimer: I don't know how to use any of the above; just pointing out that they are available. :)

--
[EMAIL PROTECTED] (Fuzzy Fox)         || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  || butter quite like unrequited love."
http://www.dallas.net/~fox/        ||     -- Charlie Brown
Re: [masq] ICQ NetMeeting
Hi Tim, thanks for your answer.

> > Can some one, please, let me know how to configure the masq, to use ICQ
> > and NetMeeting on the workstations ?.
>
> See http://doncaster.on.ca/~lnevo/masq/ for details
>
> Tim Fletcher

I went there and did what it described:

  ipautofw -A -r tcp 2000 3000 -h 192.168.0.17

And I've got this:

  setsockopt: Protocol not available

Any suggestion, please?

Thanks to all,
Jorge.
[masq] Battle.net masq module.....
Is anyone who is a programmer game to attempt a battle.net masq module? Looks like Blizzard finally got smart and started allowing multiple connects from a single IP. They still only allow one connect per key, but this way multiple machines behind a masq machine can finally get to Diablo and Starcraft..

StompeR
[masq] Ftp across gateway machine
Whenever I try to telnet or ftp to a box behind my gateway I end up with the following error messages:

  Jan 14 02:06:26 takamine in.telnetd[1550]: connect from unknown
  Jan 14 02:06:32 takamine in.telnetd[1551]: warning: can't get client address: Connection reset by peer
  Jan 14 02:06:32 takamine in.telnetd[1551]: connect from unknown
  Jan 14 02:06:44 takamine in.telnetd[1552]: warning: can't get client address: Connection reset by peer

Ping seems to work ok though... any ideas?

Thanks,
Doug

I have the following set-up:

  Linux box (gateway RH 5.1) -- ppp0 (12.7.120.83)  eth0 (12.7.121.239)
  Linux Box (takamine)       -- eth0 (12.7.121.240)
  Win 95                     -- eth  (12.7.121.241)

-
My masq setup is:

  echo "ip_masq"
  /sbin/ipfwadm -F -f
  /sbin/ipfwadm -F -p accept
  /sbin/depmod -a
  /sbin/modprobe ip_masq_ftp.o
  /sbin/modprobe ip_masq_raudio.o
  /sbin/modprobe ip_masq_irc.o
  /sbin/modprobe ipip.o
  /sbin/modprobe ip_alias.o
  /sbin/ipfwadm -F -a m -S 12.7.121.0/24 -D 0.0.0.0/0 -W ppp0
  /sbin/ifconfig eth0 12.7.121.239
  /sbin/route add -net 12.7.121.0

-
And my routing table looks like:

  Kernel IP routing table
  Destination      Gateway          Genmask          Flags Metric Ref  Use Iface
  tc1.pacinfo.com  *                255.255.255.255  UH    0      0      0 ppp0
  12.7.121.0       *                255.255.255.0    U     0      0      8 eth0
  127.0.0.0        *                255.0.0.0        U     0      0      2 lo
  default          *                0.0.0.0          U     0      0     17 ppp0
  default          tc1.pacinfo.com  0.0.0.0          UG    0      0      0 ppp0

--
Re: [masq] ICQ NetMeeting
> I went there, did what described:
>
>   ipautofw -A -r tcp 2000 3000 -h 192.168.0.17
>
> And I've got this:
>
>   setsockopt: Protocol not available
>
> Any sugestion, please ?

http://www.ox.compsoc.org.uk/~steve/portforwarding.html

Tim Fletcher
[EMAIL PROTECTED]          L I N U X
[EMAIL PROTECTED]          Don't fear the penguin

Cat, n.: Lapwarmer with built-in buzzer.