Re: [masq] [masq] Limitation problem....

1999-02-10 Thread Charles Shoemaker

I had trouble with that, too, but I have used ipportfw to do this 
kind of redirection, like 
ipportfw -A -t outside-ip/80 -R inside-ip/80
There's new syntax with ipmasqadm, but it's pretty close to that.

I missed the beginning of this thread, so I hope I'm not missing your 
point.
Charlie Shoemaker

> Subject:   Re:  [masq] Limitation problem

> 
> >But I can't understand half of the rules
> >And this is really boring for me...
> 
> Yeah.. it is pretty dry stuff.  I know where you are coming 
> from.
> 
> 
> 
> >> /sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0
> >> 1024:65535
> >That did not work much more
> 
> Try pulling the "-b" option out and try again.
> 
> 
> 
> >Hu... Where I can find a doc about
> >the difference between the different list,
> >and in particular -F -I and -O.
> >Or can you explain us (for all masq reader) clearly what is their 
> >aim???
> 
> Well, you could read the ipfwadm man page but it's pretty ugly.
> 
> 
> How is this?  I just added it to my TrinityOS doc so if you 
> have anything to add to make it clearer, etc.. lemmie know.
> 
> --
> 
> Think of an IPFWADM or IPCHAINS ruleset like the following:
> 
>   - All interfaces (any network cards, the localhost
> interface, etc) on a Linux box have INPUT, OUTPUT,
> and FORWARD rules.
> 
>   For example:
> 
> 
>   - Say you have a packet from the Internet that 
> wants to reach your Linux box.
> 
>   1) The packet is sent from the remote computer
>   on the Internet
> 
>   2) The packet is received on the INPUT rule on 
>   the -External NIC card- of the Linux box
> 
>   3) If the packet is matched to allow the packet
>   through:  
> 
>  Some matching criteria can include:
>   - source IP address
>   - traffic on TCP and specific port 
>   - destination IP address
>   - etc
> 
>   then let the packet through.  If not matched, 
>   it's either REJECTED or DENIED.  You can 
>   also log the fact that this packet was
>   killed.
> 
>   4) If passed, the packet then goes to the Linux
>   box to be processed.  Once the reply 
>   traffic is calculated by TELNET, etc, this 
>   output traffic is then sent to the OUTPUT 
>   filter.
> 
>   5) If the packet is matched to allow the packet
>   through, it's let through.  (see #3 above).
>   If not matched, it's either REJECTED or 
>   DENIED.  You can also log the fact that 
>   this packet was killed.
> 
>   6) If passed, the packet leaves the Linux box to go
>  over the Internet connection destined to that
>  remote computer.
> 
>   NOTE:  As you've seen, I've left out the FORWARD 
>   rule.  Basically, all that the FORWARD rule
>   does is if the packet is matched to be
>   allowed, the packet is FORWARDed directly
>   to some other interface.  Once forwarded,
>   the receiving interface will still try to
>   match this packet against its INPUT rule. 
> 
> 
> [ASCII diagram, garbled in extraction: a packet sent by the remote
> Internet site enters the Input Rule (Pass? or Deny/Reject?); if it
> passes it reaches "Input:" on the Linux TCP/IP stack. The reply leaves
> "Output:" and goes through the Output Rule (Pass? or Deny/Reject?)
> before being received by the remote site. At either rule a packet that
> is denied or rejected is dumped, and possibly logged.]
> 
> 

Re: [masq] ipfwadm rules from TrinityOS doc, how not to log

1999-02-10 Thread Fuzzy Fox

Hirendra Hindocha <[EMAIL PROTECTED]> wrote:
>
> I followed the excellent documentation on how to setup ipfwadm 
> but after setting it up , I started seeing a ton of messages in 
> the messages file
> 
> Feb  7 00:10:24 c526184-a kernel: IP fw-in rej eth0 UDP 0.0.0.0:68 255.255.255.2

UDP port 68 is the "bootp" protocol, I believe.  Why not find out who's
flooding your network with bootp requests?  Sounds like it's killing
the network performance of your entire network if they are being logged
so much.

> Feb  7 00:10:24 c526184-a kernel: IP fw-in rej eth0 ICMP/3 255.255.255.255

ICMP/3 is "Destination unreachable"; some router is sending these to the
broadcast address, it would appear.  More performance-killers for your
network.  You really need to find out who's causing all the trouble,
rather than just turn off the logging and ignore it.

Your computer is trying to tell you about a problem.  Don't shoot the
messenger.  Shoot the guy causing the problem.  :)

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



Re: [masq] net-tools and icmp masquerading

1999-02-10 Thread Fuzzy Fox

Michele Nicosia <[EMAIL PROTECTED]> wrote:
>
> Well, but I'm not so interested now to migrate to 2.2; it is full of
> 'features' that I am not looking for, and the isdn,pppd/ipppd packages
> don't work correctly.

My reading of the linux-kernel mailing list agrees with yours; the ISDN
developers are not well-synchronized with the Linux 2.2 release.

> > error: masq_info.c: Internal Error `ip_masquerade unknown type'
> 
> This message comes out from any ws that uses ping internet.domain,
> connected to a linux masquerade machine.  Everybody can test it.

Interesting.  I believe you will find that your net-tools package needs
to be upgraded to comply with the newer features of 2.2.  Not the least
of these is the fact that "ifconfig" will report terribly wrong numbers
for the packet and byte counts of interfaces.  The message you see above
will probably go away, as well.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown



[masq] net games from behind masquerading firewall

1999-02-10 Thread Andrew Gaskill

I'm having difficulty playing net games like quake2, half-life, and
redline from behind my linux masquerading firewall.  Even with the quake
module loaded quake2 hangs after a minute or two.  Redline won't even
find games at a given ip address.  I tried autofw-ing all tcp and udp
traffic on ports 8000 to 8999, but it still doesn't work.  Any tips?
-- 
Andrew Gaskill ([EMAIL PROTECTED])
IRC: Undernet: Sentrik



Re: [masq] mail delivery

1999-02-10 Thread sysadmin

there are tons of the networking and linux lists

go to http://www.linux.org/help/index.html
and
http://www.linux.org/help/lists.html

mail -s subscribe [EMAIL PROTECTED] < /dev/null

mail -s subscribe [EMAIL PROTECTED] < /dev/null

http://www.vlug.org/ezarc/

http://linuxtoday.com/mail-lists/

http://linux.box.sk/

but if someone feels we need one more general linux list; I will support that too, but 
the only list I had a hard time finding was
one that talked about ipmasq  and ipfwadm,  now because of 2.2.x  I am looking to talk 
more about ipchains
and this was the only list I could find dedicated to this pursuit

because of the length of time that some of the other lists have been going and the 
sheer size of them, whoever was looking might
actually be better off going there, and maybe those kind folks at indyramp who admin 
this list could put some kind of footnote on
this list to redirect certain conversations
so if people want to talk about linux security we all go to one list
and general networking topics go to another list
and hopefully we can get other lists to do the same and redirect more people to this 
list to talk about ipmasqing only

am I way off base, I could just be talking out my ass again



NETWORK SERVICES;  [EMAIL PROTECTED]
Multiactive Technologies Inc.
300-1066 West Hastings Street
604-601-8000___Office
604-899-2843___Directline
604-899-2899___Faxline
Linux is like a wigwam - no windows, no gates, apache inside!
-Original Message-
From: Bryan Burlingame <[EMAIL PROTECTED]>
To: 'Fuzzy Fox' <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, February 09, 1999 7:13 PM
Subject: Re: [masq] mail delivery


I would like to see one created, if it doesn't already exist.

--bburling

-Original Message-
From: Fuzzy Fox [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 09, 1999 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [masq] mail delivery


This message is highly off-topic for this list, because it's not about
IP Masquerade in the slightest.  Now, I'm not any sort of net.cop, and I
gladly answer questions on any type of subject, if I feel that I know
the answer, but really, it's important to keep a mailing list on-topic,
for those who do not wish to be bothered by reading extraneous messages.

It appears, from the large number of messages which are related to
networking, but not really masquerade-related, that there is some sort
of demand for a list which revolves, topic-wise, around the subject of
networking, firewalling, and related subjects.  Is there such a list
that these topics could be taken to, so that they receive the wider
audience that they deserve?  Or if there is no such list, is there any
interest in creating one?


Vaughan McPherson <[EMAIL PROTECTED]> wrote:
>
> I want to be able to download the messages automatically and then drop
> then into individual locally hosted mail accounts so that users only
> receive mail inteded for them.

It sounds like you want the "fetchmail" package, and to use its
"multi-drop" delivery features.  I suggest you look into that, and
see if it meets your needs.

--
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown





Re: [masq] [masq] mail delivery

1999-02-10 Thread Sean A. Walberg

On Tue, 9 Feb 1999, Fuzzy Fox wrote:

> It appears, from the large number of messages which are related to
> networking, but not really masquerade-related, that there is some sort
> of demand for a list which revolves, topic-wise, around the subject of
> networking, firewalling, and related subjects.  Is there such a list
> that these topics could be taken to, so that they receive the wider
> audience that they deserve?  Or if there is no such list, is there any
> interest in creating one?

As far as firewalls go there is the firewall-wizards list (check out
www.greatcircle.com).  In terms of networking, I don't think there is a
general purpose list (at least not one that I have been on).  I think it
is a good idea.

I'd surely join such a list, and participate in its administration or
moderation if needed.  Unfortunately our telco is delaying the
installation of my ADSL line, otherwise I'd set it up immediately myself
on ertw.com

Sean

---
Sean Walberg <[EMAIL PROTECTED]>  http://come.to/the_dark_side





Re: [masq] net-tools and icmp masquerading

1999-02-10 Thread Michele Nicosia


> If I understand your question correctly, you are wondering what happened
> to the CONFIG_IP_MASQUERADE_ICMP configuration option?  It is no longer
> needed, because 2.2 masquerades ICMP traffic without a special config
> option.

Well, but I'm not so interested now to migrate to 2.2; it is full of 
'features' that I am not looking for, and the isdn,pppd/ipppd packages 
don't work correctly.

> > error: masq_info.c: Internal Error `ip_masquerade unknown type'
> 
> I'm not familiar with this message; what did you do that made it show up
> on your screen?  It looks like a compile error in the source file??

This message comes out from any ws that uses ping internet.domain, 
connected to a linux masquerade machine.  Everybody can test it.

> Please note that you should not edit "config.h" directly and insert
> "HAVE_WHATEVER" options directly.  You should instead use the standard
> kernel configuration system, either "make xconfig", "make menuconfig",
> or "make config", whichever you like best.

I do not understand, I'm talking about net-tools, not kernel conf; the 
kernel has all the flags set up correctly, in fact the masquerading is 
ok, it's net-tools that are not ok.


Bye






Re: [masq] Works fine except sending email...

1999-02-10 Thread Matthew McGehrin

On 9 Feb 99, at 20:28, Pim Messelink wrote:

> Like I said, everything works, even receiving email! BUT, whenever I
> want to send email, whatever emailclient I use, it fails. I use the
> SMTP server of the ISP but I have tried several other SMTP servers
> with the same result. The emailclient I regularly use gives this output

Did you try using your "linux" box to do the outgoing mail for you?

Try configuring sendmail, to perform your delivery for outgoing mail.

And change that for your email client. See if sendmail can deliver 
the message.


-- Matthew




Re: [masq] Email problem

1999-02-10 Thread Pim Messelink

Hoi Gill,

dinsdag, 9 februari 1999, you wrote:
GB>  I had a similar problem, check your /etc/mail/Ip allow file.
GB> in my file i have my local ip address setup this lets each workstation send and 
receive email
GB> #/ etc/mail/ip allow
GB> # this is my file for email relay for my win95 workstations
GB> 192.168.1
GB>  The end

I had no /etc/mail dir... I used Slackware 3.5 to setup linux. I made
the dir and created the file "ip allow" as mentioned. But it doesn't
work. But I don't want to send mail using my linux box as an
smtp-server, I have tried it and it doesn't work.
Seems I wasn't right in my first email: short messages *do*
arrive at their destination (messages like "testing" as subject and no
text) but large emails (like this) or emails with attachments don't
arrive. The email client just says "Sending message text"
and then nothing.

GB> Good Luck.
GB> Gill Blue
Thanx!

Greetz,

Pimmus.
mailto:[EMAIL PROTECTED]

--
Heisenberg may have been here.





Re: [masq] Limitation problem....

1999-02-10 Thread David A. Ranch


>But I can't understand why we have to enable
>all HIGH ports for reply tcp/udp traffic.


After that original email, I've updated it a little more.  
See below:


>So why all policies used are DENY ??

Hmmm.. good question!  They should be reject!
The reason why I didn't catch this is because though
the default policy is to DENY traffic, at the bottom
of the INPUT and OUTPUT rules, I REJECT the traffic
there.  So, I *AM* rejecting traffic by using an
IPFWADM command vs. setting the default policy to 
REJECT.

Good eye!

--David


**
If you are unfamiliar with how TCP/IP packet filters work, 
this should give you a good start.  Please understand that 
you should have a decent understanding of how TCP/IP works 
to be able to fully understand the following:

--

Think of an IPFWADM or IPCHAINS ruleset like the following:

- All interfaces (any network cards, the localhost
  interface, etc) on a Linux box have INPUT, OUTPUT,
  and FORWARD rules.

For example:

- Say you have a TELNET packet (port 23) from the 
  Internet that wants to reach your Linux box.

1) The TELNET packet is sent from the remote 
computer on the Internet

2) The packet is received on PORT 23 to the 
INPUT rule on the -External NIC card- 

3) If the TELNET packet is matched to allow 
the packet through:  

   FYI: Some ideas of possible packet 
firewall rules can include:
- source and destination IP addresses
- TCP or UDP traffic
- specific source and destination ports (TELNET, etc)
- etc

Then let the packet IN through the packet firewall.  
If not matched, the packet is either REJECTED 
or DENIED.  You can also log the fact that 
this packet was killed.

4) If passed, the TELNET packet then goes to the 
TELNET daemon on the Linux box to be processed.  

Once the reply TELNET traffic is generated, the actual 
return traffic will be returned on a HIGH PORT ( port > 1024 )
and NOT on port 23.  

If you don't understand this, please
read up on TCP/IP fundamentals since this discussion is out
of the scope of TrinityOS.

For this example, let's say the return TELNET traffic is on 
port 32000.  Now, this return port 3200 traffic is then 
sent to the OUTPUT filter of the EXTERNAL NIC card.

5) If the packet is matched to allow the packet
OUT, then let through.  (like #3 above ).
If not matched, it's either REJECTED or 
DENIED.  You can also log the fact that 
this packet was killed.

6) If passed, the HIGH PORT packet leaves the Linux box 
to go over the Internet connection destined to that
remote computer.


FORWARD rules: As you've read above, I've left out the FORWARD 
rule.  Basically, all that a FORWARD rule does 
is if a given packet matches for a FORWARD rule, 
the packet is directly FORWARDed to some other 
interface.  This is what a "router" does on
a simple level.  Once forwarded, the receiving 
interface will check this packet against its 
INPUT rule.  Etc.. etc.. etc..

[ASCII diagram, garbled in extraction: the TELNET packet {PORT 23} from
the remote site enters the Input Rule (Pass? or Deny/Reject?); if it
passes it reaches "Input:" on the Linux TCP/IP stack. The reply
{PORT 3200} leaves "Output:" and goes through the Output Rule (Pass? or
Deny/Reject?) before going back out to the remote site.]

Re: [masq] clients can't see whole net

1999-02-10 Thread Matthew McGehrin

On 9 Feb 99, at 14:19, Christoph Monig wrote:

> For some clients, parts of the Internet disappear. you can't ping, ftp,
> or http to some  adresses, while to others you can.
> When I reboot my masq-gate, everything seems to turn back to normal.
> My setuip is an Ethernet device for my LAN and a ppp-dialout to the
> Internet.

How many clients are using your masq-gate at the same time? 

Which Linux are you running?

Initially, I would check your timers; if a lot of clients are connecting, 
I would make them lower.

I have been using the following, it works fine for a "home-network" 
and also a "busy-office-network".

# timeouts
# 15 minutes for tcp, 5 mins - after a fin, 10 mins  for udp
/sbin/ipfwadm -M -s 900 300 600

I forget what the "default" values are. 

-- Matthew





Re: [masq] clients can't see whole net

1999-02-10 Thread Fuzzy Fox

Christoph Monig <[EMAIL PROTECTED]> wrote:
>
> For some clients, parts of the Internet disappear. you can't ping, ftp,
> or http to some
> adresses, while to others you can.

Are you using ipautofw?  It is known to cause symptoms similar to this,
if you use its features too aggressively.

> When I reboot my masq-gate, everything seems to turn back to normal.

You really should do more analysis rather than just reboot.  That way
you can find out what the problem is.  :)

My guess is that you are running out of ports.  Run the command

ipfwadm -M -l -n

and see how many connections are active at the time of the problem.  If
there are a large number of them, it means your masq box is being
overloaded with requests.  You can attempt to reduce them by reducing
the timeouts, as another poster suggested, but if you do, you run the
risk of long-term, idle connections being spontaneously disconnected
(such as a telnet session left idle for too long).

If most of your traffic is web-related (port 80), you may consider
running a transparent-proxy version of Squid, to multiplex the
connections without using the masq layer.

You might also consider rebuilding your kernel with a larger number of
masq ports, but I would try that only after determining the source of
the problem.  You may simply have an over-aggressive client behind your
network (such as GameSpy) which uses up all the ports because it
continually disconnects and reconnects.  If so, then stop running the
naughty client.  :)

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown



Re: [masq] mail delivery

1999-02-10 Thread Fuzzy Fox

This message is highly off-topic for this list, because it's not about
IP Masquerade in the slightest.  Now, I'm not any sort of net.cop, and I
gladly answer questions on any type of subject, if I feel that I know
the answer, but really, it's important to keep a mailing list on-topic,
for those who do not wish to be bothered by reading extraneous messages.

It appears, from the large number of messages which are related to
networking, but not really masquerade-related, that there is some sort
of demand for a list which revolves, topic-wise, around the subject of
networking, firewalling, and related subjects.  Is there such a list
that these topics could be taken to, so that they receive the wider
audience that they deserve?  Or if there is no such list, is there any
interest in creating one?


Vaughan McPherson <[EMAIL PROTECTED]> wrote:
>
> I want to be able to download the messages automatically and then drop
> then into individual locally hosted mail accounts so that users only
> receive mail inteded for them.

It sounds like you want the "fetchmail" package, and to use its
"multi-drop" delivery features.  I suggest you look into that, and
see if it meets your needs.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown



Re: [masq] Limitation problem....

1999-02-10 Thread Fuzzy Fox

Marc Cassuto <[EMAIL PROTECTED]> wrote:
>
> > /sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
> That did not work much more

You didn't say what you expect it to do, but if your intent is to allow
traffic to reach external web servers, the rule is backwards from what
it needs to be.

The above rule says to accept packets that are FROM one of your local
machines, using a SOURCE port of 80, to any destination on any non-root
port.  That sounds good, I guess, but remember that HTTP traffic has a
DESTINATION port of 80, not a SOURCE port of 80.  So your rule does not
match the traffic you're trying to accept.  The "-b" option does not
help this situation, because it reverses both the source and
destionation addresses, as well as the port numbers.  Try this:

   ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 1024:65535 -D 0.0.0.0/0 80

This allows incoming packets from any source port on your local network,
to any destination as long as the destionation port is 80.  The "-b"
option also permits replies coming back in the opposite direction (i.e.
source port is 80, reply to the original sending port).

You must think in terms of sources and destionation IP addresses and
ports in order for this stuff to become clear.  It takes time, but it's
not all that complicated when you think about it.  :)

> Hu...  Where I can find a doc about the difference between the
> different list, and in particular -F -I and -O.

I don't recall the web site that has a picture diagram showing the
relationship, but it's basically this:

Any incoming packet is passed through the INPUT ruleset.

Any packet that matches the ROUTE table will be forwarded.

If the packet is to be forwarded, it is passed through the
FORWARD ruleset.

Any outgoing packet is passed through the OUTPUT ruleset.

From the above, you can see that a packet which is being forwarded
through your masq box will be passed by all three rulesets:  Through
INPUT when it comes in, through FORWARD when it gets forwarded, and
through OUTPUT when it goes out.


As for typical uses of these:

The INPUT ruleset is normally used to stop traffic from flowing in a
certain direction.  It works best because it is the first rule invoked,
so it will easily filter out traffic that you don't want.

The FORWARD ruleset is normally used to enable masquerading.  You will
always want this to operate in only one direction (i.e. masquerade
internal traffic, heading towards the outside network.  Never in the
other direction).

The OUTPUT ruleset is hardly ever used, beyond simply rejecting traffic
that your box might generate incorrectly.  Mostly as a safeguard
(i.e. sending out packets to the external net which have internal IP
addresses).  If you have set up your other rules and route tables
correctly, these output rules will never trigger.  :)

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown
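To make the source/destination point above concrete, here is an added example (not from this thread and not ipfwadm's own code): a toy Python model of an ipfwadm INPUT rule with `-S addr ports`, `-D addr ports` and `-b`, applied to Marc's original rule and to the corrected one. It assumes the `-b` semantics Fuzzy Fox describes (addresses and ports both swapped), and the web server address 198.51.100.10 and source port 32000 are constructed sample values.

```python
"""Toy ipfwadm-style rule matcher: shows why the port-80 rule was backwards."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    # Mirrors: ipfwadm -I -a <target> [-b] -P <proto> -S <net> <ports> -D <net> <ports>
    target: str            # "accept", "reject" or "deny"
    proto: str
    src_net: str           # e.g. "192.168.0.7/32"
    src_ports: tuple       # (low, high), inclusive; (0, 65535) means any port
    dst_net: str
    dst_ports: tuple
    bidirectional: bool = False   # the -b flag


def _one_way(rule, pkt):
    """Match a packet against the rule exactly as written (no -b)."""
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and rule.src_ports[0] <= pkt.sport <= rule.src_ports[1]
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and rule.dst_ports[0] <= pkt.dport <= rule.dst_ports[1])


def matches(rule, pkt):
    """-b swaps BOTH the addresses and the ports, so the reverse direction matches too."""
    if _one_way(rule, pkt):
        return True
    if rule.bidirectional:
        reverse = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return _one_way(rule, reverse)
    return False


def run_chain(rules, pkt, policy="deny"):
    """First matching rule wins (ipfwadm checks rules in order); otherwise the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


ANY = (0, 65535)
HIGH = (1024, 65535)
LAN_HOST = "192.168.0.7/32"
ANYWHERE = "0.0.0.0/0"

# Marc's rule: -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535 (SOURCE port 80)
BACKWARDS = Rule("accept", "tcp", LAN_HOST, (80, 80), ANYWHERE, HIGH, bidirectional=True)
# Fuzzy Fox's fix: -S 192.168.0.7/32 1024:65535 -D 0.0.0.0/0 80 (DESTINATION port 80)
CORRECTED = Rule("accept", "tcp", LAN_HOST, HIGH, ANYWHERE, (80, 80), bidirectional=True)

# Constructed sample traffic: the LAN host opens HTTP to a web server at
# 198.51.100.10 (a documentation address, not from the list), then the reply.
REQUEST = Packet("tcp", "192.168.0.7", 32000, "198.51.100.10", 80)
REPLY = Packet("tcp", "198.51.100.10", 80, "192.168.0.7", 32000)


def verdicts(rule):
    """(verdict for the outgoing request, verdict for the reply) under one rule."""
    return (run_chain([rule], REQUEST), run_chain([rule], REPLY))


if __name__ == "__main__":
    print("backwards rule:", verdicts(BACKWARDS))   # ('deny', 'deny')
    print("corrected rule:", verdicts(CORRECTED))   # ('accept', 'accept')
```

Even with `-b`, the backwards rule matches neither direction, because swapping both addresses and ports still leaves port 80 on the wrong end; the corrected rule admits the request directly and the reply via the swapped match.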



Re: [masq] net-tools and icmp masquerading

1999-02-10 Thread Fuzzy Fox

Michele Nicosia <[EMAIL PROTECTED]> wrote:
>
> In order to see the masquerade packet I need to add HAVE_FW_MASQUERADE
> to config.h, but in order to see the icmp packet what is the tricks??

If I understand your question correctly, you are wondering what happened
to the CONFIG_IP_MASQUERADE_ICMP configuration option?  It is no longer
needed, because 2.2 masquerades ICMP traffic without a special config
option.

> error: masq_info.c: Internal Error `ip_masquerade unknown type'

I'm not familiar with this message; what did you do that made it show up
on your screen?  It looks like a compile error in the source file??

Please note that you should not edit "config.h" directly and insert
"HAVE_WHATEVER" options directly.  You should instead use the standard
kernel configuration system, either "make xconfig", "make menuconfig",
or "make config", whichever you like best. 

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown



[masq] IPCHAINS and ICQ, etc.

1999-02-10 Thread DKM

Hi, anyone know how to configure IPCHAINS to use ICQ (on 4 win98
machines internally).  I used to use IPAUTOFW but since upgrading to
2.2.1 IPAUTOFW doesn't work.  Should it?




[masq] ipfwadm rules from TrinityOS doc, how not to log

1999-02-10 Thread Hirendra Hindocha

Hi,

I followed the excellent documentation on how to setup ipfwadm, 
but after setting it up, I started seeing a ton of messages in 
the messages file and syslogd was taking up about 90% of the
CPU time, so what I did for the moment was turn off logging for
the Input firewall. I'd like to turn it back on but would like
to ignore the following messages from being sent to syslogd. 

Feb  7 00:10:24 c526184-a kernel: IP fw-in rej eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=11 F=0x T=255
Feb  7 00:10:24 c526184-a kernel: IP fw-in rej eth0 ICMP/3 255.255.255.255 0.0.0.0 L=56 S=0x00 I=28994 F=0x0040 T=1
Feb  7 00:10:24 c526184-a kernel: IP fw-in rej eth0 ICMP/3 255.255.255.255 0.0.0.0 L=56 S=0x00 I=48691 F=0x0040 T=1

So , what input firewall rule do I need to set to not log the above ? 

Any help is greatly appreciated,
Thanks

Hiren
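Fuzzy Fox's reply earlier on this page suggests finding out who is generating this traffic rather than silencing the log. As an added example (not from this thread and not part of ipfwadm), here is a small Python parser for kernel lines in the `IP fw-in rej ...` format shown above that tallies rejected packets by protocol, source and destination port; the sample lines are constructed in that format with a made-up hostname and IP ids, and include one `deny` line and one unrelated syslog line to show both are handled.

```python
"""Summarise ipfwadm 'IP fw-in rej/deny' kernel log lines by offending source."""
import re
from collections import Counter

# Constructed sample log in the ipfwadm log format seen in the thread; the host
# name "gw", the IP ids and the 203.0.113.9 -> 192.0.2.1 line are made up.
SAMPLE_LOG = """\
Feb  7 00:10:24 gw kernel: IP fw-in rej eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=11 F=0x0000 T=255
Feb  7 00:10:24 gw kernel: IP fw-in rej eth0 ICMP/3 255.255.255.255 0.0.0.0 L=56 S=0x00 I=28994 F=0x0040 T=1
Feb  7 00:10:24 gw kernel: IP fw-in rej eth0 ICMP/3 255.255.255.255 0.0.0.0 L=56 S=0x00 I=48691 F=0x0040 T=1
Feb  7 00:10:25 gw kernel: IP fw-in rej eth0 UDP 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=12 F=0x0000 T=255
Feb  7 00:10:26 gw kernel: IP fw-in deny eth0 TCP 203.0.113.9:4321 192.0.2.1:23 L=60 S=0x00 I=7 F=0x4000 T=52
Feb  7 00:10:27 gw sshd[123]: unrelated line that must be ignored
"""

# chain (in/out/fwd), verdict, interface, protocol (ICMP carries "/type"),
# source, destination, then the packet length field.
LINE_RE = re.compile(
    r"kernel: IP fw-(?P<chain>in|out|fwd) (?P<verdict>rej|deny|acc) (?P<iface>\S+) "
    r"(?P<proto>[A-Z]+)(?:/(?P<icmp_type>\d+))? (?P<src>\S+) (?P<dst>\S+) L=(?P<len>\d+)"
)


def parse_line(line):
    """Return a dict for one ipfwadm log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    # UDP/TCP entries are host:port; ICMP entries are bare addresses.
    for key in ("src", "dst"):
        host, _, port = rec[key].rpartition(":")
        if host and port.isdigit():
            rec[key], rec[key + "_port"] = host, int(port)
        else:
            rec[key + "_port"] = None
    rec["icmp_type"] = int(rec["icmp_type"]) if rec["icmp_type"] else None
    return rec


def parse_log(text):
    """Parse every recognisable firewall line, silently skipping other syslog lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def rejected_by_source(records):
    """Count rejected/denied packets per (protocol, source address, destination port)."""
    counts = Counter()
    for r in records:
        if r["verdict"] in ("rej", "deny"):
            proto = r["proto"] if r["icmp_type"] is None else f'{r["proto"]}/{r["icmp_type"]}'
            counts[(proto, r["src"], r["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    # Most frequent offender first: the bootp/DHCP broadcasts and the ICMP/3 storm.
    for key, n in rejected_by_source(parse_log(SAMPLE_LOG)).most_common():
        print(n, *key)
```

Run against the real messages file instead of `SAMPLE_LOG` and the top entries name the protocol and source to chase down before deciding whether a non-logging rule for that traffic is warranted.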




Re: [masq] mail delivery

1999-02-10 Thread Bryan Burlingame

I would like to see one created, if it doesn't already exist.

--bburling

-Original Message-
From: Fuzzy Fox [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 09, 1999 4:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [masq] mail delivery


This message is highly off-topic for this list, because it's not about
IP Masquerade in the slightest.  Now, I'm not any sort of net.cop, and I
gladly answer questions on any type of subject, if I feel that I know
the answer, but really, it's important to keep a mailing list on-topic,
for those who do not wish to be bothered by reading extraneous messages.

It appears, from the large number of messages which are related to
networking, but not really masquerade-related, that there is some sort
of demand for a list which revolves, topic-wise, around the subject of
networking, firewalling, and related subjects.  Is there such a list
that these topics could be taken to, so that they receive the wider
audience that they deserve?  Or if there is no such list, is there any
interest in creating one?


Vaughan McPherson <[EMAIL PROTECTED]> wrote:
>
> I want to be able to download the messages automatically and then drop
> then into individual locally hosted mail accounts so that users only
> receive mail inteded for them.

It sounds like you want the "fetchmail" package, and to use its
"multi-drop" delivery features.  I suggest you look into that, and
see if it meets your needs.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)  || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/  ||   -- Charlie Brown