[masq] Limitation problem....
Hi,

I've just configured an Internet Access with the following:
- linux 2.0.34 box (Slackware 3.5)
- valid IP address from my ISP on eth0
- network 192.168.0.x on eth1
- all network matters well configured
- no problems met with simple forwarding
- BUT if I try to build a strong firewall, I can't use all the port limitation that should be used with ipfwadm.

Have a look at my masquerading configuration file:

    #!/bin/sh
    #
    # /etc/rc.d/rc.masq: IP masquerading initialization script.
    #
    # first deny all access
    /sbin/ipfwadm -F -p deny
    #
    # Then flush all the rules
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -F -f
    /sbin/ipfwadm -I -f
    /sbin/ipfwadm -O -f
    #
    # We need particular access
    # First the Web
    /sbin/ipfwadm -F -a m -S 192.168.0.7/32 -D 0.0.0.0/0
    ## THIS WORKS FINE BUT ALLOWS ALL ACCESS FOR THIS IP
    #/sbin/ipfwadm -F -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
    ## BUT THIS DOESN'T WORK !!!
    ## AND THIS IS EXACTLY THE LINE I FOUND IN THE HOWTO !!!

In fact as soon as I try to limit access, all the connections for the specified IP are blocked !!! And that is the same for any port. I can't even use the -P flag.

Does someone know the answer ???

Sincerely yours,
Marc Cassuto.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
[masq] FW: [masq] FTP and other services
I've got the ip_masq_ftp module loaded (in kernel 2.0.34) and have no problems FTPing as a client behind the masq box, or connecting to the FTP service running on the masq'ed box from either side... As long as the username making the connection has an account on the linux box.

-brian
[EMAIL PROTECTED]

-----Original Message-----
From: Fred Viles [SMTP:[EMAIL PROTECTED]]
Sent: Friday, February 05, 1999 4:22 PM
To: [EMAIL PROTECTED]; David Dionne
Subject: Re: [masq] FTP and other services

On 5 Feb 99, at 14:22, David Dionne wrote about "[masq] FTP and other services":

| Hey, I am running masq at home with a 192.168.1.0/24 network. Everything
| seems to be working fine but ftp. I seem to remember hearing something
| about ftp and maybe some other services that are affected as well. Does
| anyone have any suggestions?

If you are talking about an ftp client running on a masqueraded machine, talking to an external server, only passive mode will work unless you load the ip_masq_ftp FTP masq module.

If you are talking about running an FTP server on a masqueraded machine, you need to use port-forwarding (the IPPORTFW patch for 2.0.x kernels) to forward incoming connections correctly. That will enable external clients using non-passive mode to work. But PASV mode will not work for the external clients. To support external PASV mode clients, further patches to the kernel and the ip_masq_ftp module are required.

- Fred Viles
mailto:[EMAIL PROTECTED]
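Editor's added illustration of Fred's point (not code from the thread or from the ip_masq_ftp module): an active-mode FTP client sends its own private address and port inside the PORT command, so translating the IP header is not enough and the helper must rewrite the command and remember a port mapping; PASV carries no such client address, which is why it works without the module. The client address, public address 203.0.113.1 and mapped port 61000 are constructed samples.

```python
# Added example (not from the thread): the rewrite an FTP masquerading helper
# such as ip_masq_ftp has to perform on an active-mode client's PORT command.
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    h = list(map(int, m.groups()))
    return "%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5]

def format_port(ip, port):
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)

def masq_port_command(cmd, public_ip, next_masq_port):
    """Rewrite a PORT command the way a masquerading FTP helper must.

    Returns the command the external server should see plus the
    public_port -> (private_ip, private_port) mapping the masq box needs so
    the server's inbound data connection can be forwarded to the real client.
    """
    priv_ip, priv_port = parse_port(cmd)
    if not ipaddress.ip_address(priv_ip).is_private:
        return cmd, None        # already routable: nothing to rewrite
    mapping = {next_masq_port: (priv_ip, priv_port)}
    return format_port(public_ip, next_masq_port), mapping

# Constructed sample: a client on the 192.168.1.0/24 network from the thread
# announces data port 5000 (5000 = 19*256 + 136).
SAMPLE_CMD = "PORT 192,168,1,5,19,136\r\n"
PUBLIC_IP = "203.0.113.1"      # constructed stand-in for the masq box's address

def demo():
    return masq_port_command(SAMPLE_CMD, PUBLIC_IP, 61000)
```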
Re: [masq] Limitation problem....
Hey Marc,

> I've just configured an Internet Access with the following:
> - linux 2.0.34 box (Slackware 3.5)

Upgrade that kernel to at least 2.0.36. To be honest, I would recommend to upgrade to the 2.2.x kernels since it sounds like it's MUCH faster too. But, be warned, you'll have to convert to IPCHAINS since IPFWADM support has been dropped in the 2.1 and 2.2 kernels.

> If I try to build a strong firewall, I can't use all the port limitation that should be used with ipfwadm.

This isn't a very strong ruleset. Check out the ruleset in the TrinityOS doc and see if it will do what you need:

http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

> #/sbin/ipfwadm -F -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
> ## BUT THIS DOESN'T WORK !!!
> ## AND THIS IS EXACTLY THE LINE I FOUND IN THE HOWTO !!!

No... you are specifying FORWARDING here. That should be:

/sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535

But.. This is kinda messed up if you want this rule to allow WWW browsing on the Internet. This rule is saying you are going to originate port 80 traffic to the Internet. This isn't how WWW works unless you are running a WWW server. Your DESTINATION should be port 80 for normal surfing.

> In fact as soon as I try to limit access, all the connections for the specified IP are blocked !!! And that is the same for any port. I can't even use the -P flag.

Learning firewall rulesets takes a while. I recommend that you use the TrinityOS doc as a template and open it up as you need. As it stands, it's VERY restrictive. :)

--David

| David A. Ranch - Linux/Networking/PC hardware   [EMAIL PROTECTED] |
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
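Editor's added illustration of David's point about port direction (not code from the thread): a small Python model of how ipfwadm's -S and -D address/port pairs and the -b flag match a packet, run against the rule as posted and against the same rule with the ports the other way round. The web server address 198.51.100.10 and client port 3412 are constructed samples.

```python
# Added example (not from the thread): model ipfwadm -S/-D matching to show
# why "-S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535" never matches a
# browsing client, while the same rule with the ports swapped does.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    src_net: str          # -S address/mask, e.g. "192.168.0.7/32"
    src_ports: range      # -S port(s): the packet's *source* port
    dst_net: str          # -D address/mask, "0.0.0.0/0" = anywhere
    dst_ports: range      # -D port(s): the packet's *destination* port
    bidirectional: bool   # -b: also match with source and destination swapped

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(rule, pkt):
    def one_way(s_ip, s_port, d_ip, d_port):
        return (in_net(s_ip, rule.src_net) and s_port in rule.src_ports
                and in_net(d_ip, rule.dst_net) and d_port in rule.dst_ports)
    if one_way(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
        return True
    return rule.bidirectional and one_way(pkt.dst_ip, pkt.dst_port,
                                          pkt.src_ip, pkt.src_port)

EPHEMERAL = range(1024, 65536)
HTTP = range(80, 81)

# The rule as posted: the LAN host would have to *send from* port 80, i.e. be a web server.
AS_POSTED = Rule("192.168.0.7/32", HTTP, "0.0.0.0/0", EPHEMERAL, bidirectional=True)
# The direction David describes: ephemeral source port, destination port 80.
CORRECTED = Rule("192.168.0.7/32", EPHEMERAL, "0.0.0.0/0", HTTP, bidirectional=True)

# Constructed sample traffic: a browser on 192.168.0.7 fetches a page and gets the
# reply (198.51.100.10 is a documentation-range stand-in for the web server).
REQUEST = Packet("192.168.0.7", 3412, "198.51.100.10", 80)
REPLY = Packet("198.51.100.10", 80, "192.168.0.7", 3412)

def check(rule):
    """(request matched, reply matched) for a rule, as -b would see it."""
    return matches(rule, REQUEST), matches(rule, REPLY)
```

check(AS_POSTED) gives (False, False): neither direction of a normal browsing session fits the rule, so the deny policy blocks it; check(CORRECTED) gives (True, True).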
[masq] Does IPMASQ Have A Memory Leak?
Title: Does IPMASQ Have A Memory Leak?

The Problem:

When I first boot, top reveals 16 Meg of RAM used. This slowly increases, and after a couple of days, this is up to 62 Meg!

Why? Does Linux have a memory leak?

I decided to upgrade to the 2.2.1 kernel. Still happens.

Then a friend of mine mentioned:

"I had a problem like this before: the early masq code had a memory leak in it. Unless you are using experimental kernel features, this is probably not a kernel problem since the 2.2.1 kernel has been pretty well tested. Try shutting down some services to narrow down where the leak is."

What am I running:

HTTP Apache 1.3.2
DNS - Unpublished Primary BIND 8.1.2
IPMASQ with IPCHAINS
Sendmail with POP

So I shut everything down but ipmasq, and still the memory slowly creeps up.

Has anyone seen this? Or have any suggestions?

Thanks...Geoff
Re: [masq] Does IPMASQ Have A Memory Leak?
> The Problem: When I first boot, top reveals 16 Meg of RAM used. This slowly
> increases, and after a couple of days, this is up to 62 Meg! Why? Does Linux
> have a memory leak?

Are you using or did you compile in IPAUTOFW port forwarding support?

> "I had a problem like this before: the early masq code had a memory leak in
> it. Unless you are using experimental kernel features, this is probably not
> a kernel problem since the 2.2.1 kernel has been pretty well tested. Try
> shutting down some services to narrow down where the leak is."

I agree. Stop the other processes and narrow it down. If you do find a leak, please let us know!

--David

| David A. Ranch - Linux/Networking/PC hardware   [EMAIL PROTECTED] |
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
[masq] dumb question?
I have been looking for the modules to install for masq support for ftp. I can't find them anywhere. Can you tell me where to get them, where to put them, and how to activate them?

Chad
Re: [masq] Does IPMASQ Have A Memory Leak?
Geoff Wild [EMAIL PROTECTED] wrote:
> The Problem: When I first boot, top reveals 16 Meg of RAM used. This slowly
> increases, and after a couple of days, this is up to 62 Meg!

Do you have a 64 MB machine? Sounds normal to me. My machine shows this output from "free":

                 total       used       free     shared    buffers     cached
    Mem:         63276      59560       3716      15084       3916      19916
    -/+ buffers/cache:      35728      27548
    Swap:       130748      12480     118268

> Why? Does Linux have a memory leak?

As you can see, I have 59 MB of memory "used". Does that mean my kernel has leaked memory all over the place? No. It means that Linux is keeping some things still "buffered" in memory, just in case I ever need it. If memory needs to be allocated for some other task, the buffered memory can be freed in an instant, so it is not really causing a problem. But it is not "free" in the sense that there is nothing useful in it. The memory is used, but most of it is still available for other use.

Relax. :)

--
[EMAIL PROTECTED] (Fuzzy Fox)        || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  || butter quite like unrequited love."
http://www.dallas.net/~fox/        ||   -- Charlie Brown
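Editor's added illustration of the reading of "free" given in this reply (not code from the thread): a parser for the classic `free` layout that derives the "-/+ buffers/cache" figures from the Mem: row, and a comparison of two snapshots that separates reclaimable cache growth from growth in memory actually committed to processes, which is what a leak hunt should track. The first snapshot is the output quoted above; the later two are constructed.

```python
# Added example (not from the thread): read `free` output the way the reply
# does, separating reclaimable buffers/cache from memory committed to
# processes, and compare snapshots to tell cache growth from a real leak.
import re

# The `free` output quoted in the reply (all values in kB).
SNAPSHOT_T0 = """\
             total       used       free     shared    buffers     cached
Mem:         63276      59560       3716      15084       3916      19916
-/+ buffers/cache:      35728      27548
Swap:       130748      12480     118268
"""
# Constructed later snapshots (Mem: line only): in T1 "used" climbs but only
# the cache grew; in T2 the same "used" figure hides genuine committed growth.
SNAPSHOT_T1 = """\
             total       used       free     shared    buffers     cached
Mem:         63276      62100       1176      15084       4200      22172
"""
SNAPSHOT_T2 = """\
             total       used       free     shared    buffers     cached
Mem:         63276      62100       1176      15084       2000      15000
"""

def parse_free(text):
    """Return the Mem: row of classic `free` output as a dict of kB figures."""
    m = re.search(r"^Mem:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", text, re.M)
    if not m:
        raise ValueError("no Mem: line found")
    total, used, free, _shared, buffers, cached = map(int, m.groups())
    return {
        "total": total, "used": used, "free": free,
        "buffers": buffers, "cached": cached,
        # the "-/+ buffers/cache" row: memory really committed to programs ...
        "committed": used - buffers - cached,
        # ... and free memory plus cache the kernel can drop on demand
        "available": free + buffers + cached,
    }

def classify_growth(before, after, threshold_kb=1024):
    """Tell harmless cache growth from committed growth worth investigating."""
    b, a = parse_free(before), parse_free(after)
    d_committed = a["committed"] - b["committed"]
    d_cache = (a["buffers"] + a["cached"]) - (b["buffers"] + b["cached"])
    if d_committed > threshold_kb:
        return "committed memory grew %d kB: check the processes" % d_committed
    if d_cache > threshold_kb:
        return "only buffers/cache grew %d kB: reclaimable, not a leak" % d_cache
    return "no significant change"
```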
Re: [masq] setsockopt Error Message
Which kernel options would I need in particular?

Fuzzy Fox wrote:
> DKM [EMAIL PROTECTED] wrote:
>> Why do I get that "setsockopt" error message when trying to use IPAUTOFW or IPMASQADM or IPPORTFW?
>
> It means that your kernel does not have the necessary kernel options compiled into it.
>
>> I upgraded from 1.0.36 to 2.2.1 and then got similar error messages with IPFWADM. Any hints?
>
> 2.2 uses ipchains, which you will need to upgrade to, and learn. :)
>
> --
> [EMAIL PROTECTED] (Fuzzy Fox)        || "Nothing takes the taste out of peanut
> sometimes known as David DeSimone  || butter quite like unrequited love."
> http://www.dallas.net/~fox/        ||   -- Charlie Brown