Re: [masq] Limitation problem....
Hi all and David in particular,

>> If I try to build a strong firewall, I can't use all the port limitation that should be used with ipfwadm.
>
> This isn't a very strong ruleset.

I knew, but it was only the beginning...

> Check out the ruleset in the TrinityOS doc and see if it will do what you need:
> http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

In fact, I already knew this link, but first I'd like to do something I understand. And effectively the Trinity ruleset works!!! But I can't understand half of the rules, and this is really boring for me...

>> #/sbin/ipfwadm -F -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
>> ## BUT THIS DOESN'T WORK !!!
>> ## AND THIS IS EXACTLY THE LINE I FOUND IN THE HOWTO !!!
>
> No... you are specifying FORWARDING here. That should be:
>
> /sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535

That did not work much more.

> But.. This is kinda messed up if you want this rule to allow WWW browsing on the Internet. This rule is saying you are going to originate port 80 traffic to the Internet. This isn't how WWW works unless you are running a WWW server. Your DESTINATION should be port 80 for normal surfing.

Hu... Where can I find a doc about the difference between the different lists, and in particular -F, -I and -O? Or can you explain to us (for all masq readers) clearly what their aim is??? The IP-masquerading mini HOWTO is a bit heavy about this...

> Learning firewall rulesets takes a while. I recommend that you use the TrinityOS doc as a template and open it up as you need. As it stands, it's VERY restrictive. :)

But it does not make a lot of things explicit...

A big thank you David, sincerely,
Marc Cassuto.

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
Re: [masq] Limitation problem....
Second hello today...

David A. Ranch wrote:
> Check out the ruleset in the TrinityOS doc and see if it will do what you need:
> http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

I'm working hard on this ruleset. But I can't understand why we have to enable all HIGH ports for reply tcp/udp traffic.

Moreover David A. Ranch, the author of the TrinityOS document (Oh, it's you), tells:

"Rejecting traffic is better than DENYING it since it makes the IPFWADM'ED machine look like its not CAPABLE of doing that particular protocol!"

So why are all the policies used DENY??

Thank you.
Marc Cassuto.
[masq] clients can't see whole net
Hello all,

I've been using masquerading since a couple of days, and now a curious problem occurred: for some clients, parts of the Internet disappear. You can't ping, ftp, or http to some addresses, while to others you can. When I reboot my masq-gate, everything seems to turn back to normal.

What can that be? Has anyone any experience with this problem or knows how to fix it?

My setup is an Ethernet device for my LAN and a ppp-dialout to the Internet.

Thank you in advance,
-Christoph
Re: [masq] setsockopt Error Message
The info you need is right here:
http://www.tor.shaw.wave.ca/~ambrose/ipmasq-HOWTO.html

Rgds...Geoff

-----Original Message-----
From: DKM [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 08, 1999 6:56 PM
To: Fuzzy Fox
Cc: [EMAIL PROTECTED]
Subject: Re: [masq] setsockopt Error Message

Which kernel options would I need in particular?

Fuzzy Fox wrote:
> DKM [EMAIL PROTECTED] wrote:
>> Why do I get that setsockopt error message when trying to use IPAUTOFW or IPMASQADM or IPPORTFW?
>
> It means that your kernel does not have the necessary kernel options compiled into it.
>
>> I upgraded from 1.0.36 to 2.2.1 and then got similar error messages with IPFWADM. Any hints?
>
> 2.2 uses ipchains, which you will need to upgrade to, and learn. :)
>
> --
> [EMAIL PROTECTED] (Fuzzy Fox)       || Nothing takes the taste out of peanut
> sometimes known as David DeSimone  || butter quite like unrequited love.
> http://www.dallas.net/~fox/        ||   -- Charlie Brown
[masq] net-tools and icmp masquerading
Hi all,

At the moment I'm moving from 2.0.35 to 2.2.1 and I'm reinstalling some utilities with the new release, like net-tools. In order to see the masquerade packets I need to add HAVE_FW_MASQUERADE to config.h, but in order to see the icmp packets, what is the trick?? I reinstalled the kernel with all the support for masquerading/ipchains, but netstat shows me this error:

masq_info.c: Internal Error `ip_masquerade unknown type'

Thanks
[masq] Works fine except sending email...
Hoi Masq,

I have set up a linux box to connect our local win95 (sorry) network to the internet via a slip connection using a cable modem. And everything works, except email. (For the detectives among you: I'm sending this from my own computer temporarily connected with the cable modem.)

Here's the setup:

local machines (win95):      linux box:                         ISP
192.168.0.2 ---\   eth                slip
                |--- 192.168.0.1      195.96.12x.x --- 195.96.120.254
192.168.0.3 ---/

And I use IPFWADM to set default forwarding accept and masquerading (i know, i know) and use DIALD to set up the connection (currently *ALWAYS* up). My kernel is version 2.0.35 and I use IPFWADM 2.3.0. I have made all the modules and turned on the option ICMP masquerading in kernel config.

Like I said, everything works, even receiving email! BUT, whenever I want to send email, whatever email client I use, it fails. I use the SMTP server of the ISP but I have tried several other SMTP servers with the same result. The email client I regularly use gives this output when I send mail: logging on to server, sending message header, sending message text, and when the status bar reaches 100% it just waits...

So I logged on to the server (=linux box) and did a NETSTAT, and this is what it said:

Proto Recv.-Q Send-Q Local Address                   Foreign Address            State
tcp         1      0 8dyn25.delft.casema.net:auth    sun4000.casema.net:45710   Time Wait

When I use the cable modem on my personal computer it works fine! (You reading this email proves it.) Does anybody recognize this problem? Please help me out here, because I ran out of ideas...

Greetz,
Pimmus.
mailto:[EMAIL PROTECTED]

--
If scientific reasoning were limited to the logical processes of arithmetic, we should not get very far in our understanding of the physical world. One might as well attempt to grasp the game of poker entirely by the use of the mathematics of probability. -- Vannevar Bush
Re: [masq] Limitation problem....
> But I can't understand half of the rules, and this is really boring for me...

Yeah.. it is pretty dry stuff. I know where you are coming from.

> /sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
>
> That did not work much more.

Try pulling the "-b" option out and try again.

> Hu... Where can I find a doc about the difference between the different lists, and in particular -F, -I and -O? Or can you explain to us (for all masq readers) clearly what their aim is???

Well, you could read the ipfwadm man page but it's pretty ugly. How is this? I just added it to my TrinityOS doc so if you have anything to add to make it clearer, etc.. lemme know.

--

Think of an IPFWADM or IPCHAINS ruleset like the following:

- All interfaces (any network cards, the localhost interface, etc) on a Linux box have INPUT, OUTPUT, and FORWARD rules.

For example:

- Say you have a packet from the Internet that wants to reach your Linux box.

1) The packet is sent from the remote computer on the Internet.
2) The packet is received on the INPUT rule on the -External NIC card- of the Linux box.
3) If the packet is matched to allow the packet through:
   Some matching criteria can include:
   - source IP address
   - traffic on TCP and specific port
   - traffic on TCP and specific port
   - destination IP address
   - etc
   then let the packet through. If not matched, it's either REJECTED or DENIED. You can also log the fact that this packet was killed.
4) If passed, the packet then goes to the Linux box to be processed. Once the reply traffic is calculated by TELNET, etc, this output traffic is then sent to the OUTPUT filter.
5) If the packet is matched to allow the packet through, it's let through (see #3 above). If not matched, it's either REJECTED or DENIED. You can also log the fact that this packet was killed.
6) If passed, the packet leaves the Linux box to go over the Internet connection destined to that remote computer.

NOTE: As you've seen, I've left out the FORWARD rule. Basically, all that the FORWARD rule does is if the packet is matched to be allowed, the packet is FORWARDed directly to some other interface. Once forwarded, the receiving interface will still try to match this packet against its INPUT rule.

[ASCII diagram, garbled in this copy: the Linux TCP/IP stack with an Input rule and an Output rule; each asks "Pass?" or "Deny/Reject?", and a denied/rejected packet is dumped (possibly logged). The remote Internet site sends into the Input side and receives from the Output side.]

--David

.. | David A. Ranch - Linux/Networking/PC hardware  [EMAIL PROTECTED] | !!
`- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -'
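To make the walk-through above and the earlier point about the "source port 80" rule concrete, here is a small Python model of ipfwadm-style rule matching, added for this thread; it is not ipfwadm, ipchains or anything from TrinityOS, and the remote address 10.0.0.1 and the port-swapped rule are constructed inputs of mine, following the remark that the DESTINATION should be port 80 for normal surfing.

```python
# Toy evaluator for a subset of ipfwadm rule syntax (-I/-O/-F, -a, -b, -P,
# -S, -D). Constructed for this thread; it is not ipfwadm and models no
# masquerading. First matching rule in a chain wins, else default policy.
import ipaddress
CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}

def parse_rule(spec):
    """One ipfwadm line -> rule dict; a net may be followed by '80' or 'lo:hi'."""
    r = {"chain": None, "policy": "deny", "proto": "all", "bidir": False,
         "src": ("0.0.0.0/0", None), "dst": ("0.0.0.0/0", None)}
    toks, i = spec.split(), 0
    while i < len(toks):
        t = toks[i]
        if t in CHAINS:
            r["chain"] = CHAINS[t]
        elif t == "-b":                      # rule applies in both directions
            r["bidir"] = True
        elif t in ("-a", "-P"):
            r["policy" if t == "-a" else "proto"] = toks[i + 1]
            i += 1
        elif t in ("-S", "-D"):
            net, ports, i = toks[i + 1], None, i + 1
            if i + 1 < len(toks) and toks[i + 1][0].isdigit():
                lo, _, hi = toks[i + 1].partition(":")
                ports, i = (int(lo), int(hi or lo)), i + 1
            r["src" if t == "-S" else "dst"] = (net, ports)
        i += 1
    return r

def _end_matches(end, addr, port):
    net, ports = end
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
        return False
    return ports is None or ports[0] <= port <= ports[1]

def rule_matches(r, pkt):  # pkt: dict with proto, saddr, sport, daddr, dport
    if r["proto"] not in ("all", pkt["proto"]):
        return False
    fwd = (_end_matches(r["src"], pkt["saddr"], pkt["sport"])
           and _end_matches(r["dst"], pkt["daddr"], pkt["dport"]))
    if fwd or not r["bidir"]:
        return fwd
    # -b: also try the rule with source and destination swapped
    return (_end_matches(r["src"], pkt["daddr"], pkt["dport"])
            and _end_matches(r["dst"], pkt["saddr"], pkt["sport"]))
def verdict(rules, chain, pkt, default="deny"):
    for r in rules:  # first match on this chain wins, else the default policy
        if r["chain"] == chain and rule_matches(r, pkt):
            return r["policy"]
    return default
```

Feeding the thread's rule a browser request from 192.168.0.7 (high source port, destination port 80) shows why it never matches, while the port-swapped rule with -b accepts both the request and the reply.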