Re: Firewall/IP-masquerading
> on Tue, Sep 05, 2000 at 12:59:25PM -0700, Nate Amsden sent 1.1K bytes on their merry way:
> > not sure what kernels you're using but:

I am using kernel 2.2.16.

> I'm using 2.2.17 (woody)
>
> > - i've never gotten MASQ to work with DNS on 2.2; i've always had to put a DNS on the masq machine and point machines to it instead. this was not the case in 2.0 where it was able to masq without any trouble.
>
> DNS works fine from the other side of my MASQ router; perhaps there is some difference between UDP DNS requests and TCP? *shrug* I would suspect some stray ipchains rule is denying the DNS traffic.

No rules are denying DNS traffic. I even can't ping any host from the firewalling box although a connection to my ISP is established, surely.

> Dan
> --
> Spinfire Magenta      In Real Life: Dan Noe
> Freelance Hacker      http://www.isomerica.net/
> 31 5B 89 66 F7 E8 73 34 50 6A 79 C4 32 E1 0E 4A

--
Sent through GMX FreeMail - http://www.gmx.net
Re: Firewall/IP-masquerading
> Nate Amsden [EMAIL PROTECTED] writes:
> > not sure what kernels you're using but:
> > - i've never gotten MASQ to work with DNS on 2.2; i've always had to put a DNS on the masq machine and point machines to it instead. this was not the case in 2.0 where it was able to masq without any trouble.
>
> Hmm. I'm not sure what you mean here. I have a firewall/masq machine and I know for a fact that my main PC, which sits behind this firewall, has no problem reaching my remote DNS servers using masquerading (I don't currently run a DNS server myself).
>
> > try putting a DNS on yer masq box and point everything to it.
>
> Yikes! That's not a trivial task and it's of questionable value given what I'm able to do, as stated above.
>
> > Willi Dyck wrote:
> > > Hi. I don't understand the world (Debian) anymore. As soon as I compile things like
> > > - ip firewalling
> > > - ip masquerading
> > > - ip forwarding
> > > into the kernel, I can't ping any host by its name. I am able to ping IPs. Seems like a DNS lookup failure. But why?? I didn't change any file, I only compiled the features listed above. When I boot the old kernel again the problem seems to be gone. WHY??? What is the logical thing here??? Thanx for your help.
>
> My guess is that you've got a chain in the default rules that's blocking DNS access. DNS access isn't a simple one to block/unblock, if I remember correctly. Just look at the logs (/var/log/syslog) and see if any of the output rules, with a source inside your LAN, is being denied. Personally, if I were you I'd get PMFirewall,

I have no chains blocking DNS access, I'm only blocking telnet and netbios. And /var/log/syslog isn't saying a word about ipchains. I wonder if my firewall script was started at startup/links are set. How to check it?

> http://www.pmfirewall.com/PMFirewall/
>
> And start with the rules they insert and build on that. It's quick, asks simple questions and gets you going quickly.
>
> Gary
>
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Firewall/IP-masquerading
Willi Dyck [EMAIL PROTECTED] writes:
> > Willi Dyck wrote:
> > > Hi. I don't understand the world (Debian) anymore. As soon as I compile things like
> > > - ip firewalling
> > > - ip masquerading
> > > - ip forwarding
> > > into the kernel, I can't ping any host by its name. I am able to ping IPs. Seems like a DNS lookup failure. But why?? I didn't change any file, I only compiled the features listed above. When I boot the old kernel again the problem seems to be gone. WHY??? What is the logical thing here??? Thanx for your help.
> >
> > Gary Hennigan writes:
> > My guess is that you've got a chain in the default rules that's blocking DNS access. DNS access isn't a simple one to block/unblock, if I remember correctly. Just look at the logs (/var/log/syslog) and see if any of the output rules, with a source inside your LAN, is being denied. Personally, if I were you I'd get PMFirewall,
>
> I have no chains blocking DNS access, I'm only blocking telnet and netbios. And /var/log/syslog isn't saying a word about ipchains. I wonder if my firewall script was started at startup/links are set. How to check it?

ipchains -L will show you all the chains you have installed. Also, in Debian potato, there's ipchains-save which prints out all the installed chains in a format that can be restored via ipchains-restore.

Gary
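One way to do the syslog check Gary describes, as an added example that is not part of the thread: a small Python script that parses the "Packet log:" lines ipchains writes to syslog for rules carrying the -l flag and reports DENY/REJECT hits against port 53. The syslog lines, the 10.10.10.0/24 LAN and the resolver addresses are constructed samples, not from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of what ipchains logging writes to /var/log/syslog:
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)"
SAMPLE_SYSLOG = """\
Sep  5 13:01:02 gw kernel: Packet log: output DENY eth1 PROTO=17 10.10.10.10:1025 198.51.100.53:53 L=60 S=0x00 I=4321 F=0x0000 T=63 (#12)
Sep  5 13:01:03 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.10.10.10:1026 203.0.113.7:80 L=60 S=0x00 I=4322 F=0x4000 T=64 (#3)
Sep  5 13:01:05 gw kernel: Packet log: forward DENY eth1 PROTO=6 10.10.10.11:1027 198.51.100.53:53 L=60 S=0x00 I=4323 F=0x4000 T=63 (#1)
Sep  5 13:01:06 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:4444 10.10.10.1:23 L=60 S=0x00 I=4324 F=0x4000 T=50 (#7)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)


def parse_packet_logs(text):
    """Return one dict per ipchains 'Packet log:' line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("proto", "sport", "dport", "rule"):
                entry[key] = int(entry[key])
            entries.append(entry)
    return entries


def denied_dns(text, lan="10.10.10.0/24"):
    """Entries where a DNS query (UDP=17 or TCP=6, dport 53) from the LAN, or from the
    router itself via the output chain, hit a DENY or REJECT target. The chain and rule
    number in each hit tell you which line of the ruleset to look at with ipchains -L."""
    net = ip_network(lan)
    hits = []
    for e in parse_packet_logs(text):
        if e["target"] not in ("DENY", "REJECT"):
            continue
        if e["dport"] != 53 or e["proto"] not in (6, 17):
            continue
        if e["chain"] == "output" or ip_address(e["src"]) in net:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for h in denied_dns(SAMPLE_SYSLOG):
        print(f"{h['chain']} chain rule #{h['rule']} {h['target']} "
              f"proto={h['proto']} {h['src']} -> {h['dst']}:{h['dport']}")
```

If the script reports nothing but resolution still fails, the rule Willi should check is whether logging was ever enabled: ipchains only writes these lines for rules that carry -l, so an unlogged DENY leaves syslog silent exactly as he observed.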
Firewall/IP-masquerading
Hi. I don't understand the world (Debian) anymore. As soon as I compile things like
- ip firewalling
- ip masquerading
- ip forwarding
into the kernel, I can't ping any host by its name. I am able to ping IPs. Seems like a DNS lookup failure. But why?? I didn't change any file, I only compiled the features listed above. When I boot the old kernel again the problem seems to be gone. WHY??? What is the logical thing here??? Thanx for your help.
Re: Firewall/IP-masquerading
not sure what kernels you're using but:
- i've never gotten MASQ to work with DNS on 2.2; i've always had to put a DNS on the masq machine and point machines to it instead. this was not the case in 2.0 where it was able to masq without any trouble.

try putting a DNS on yer masq box and point everything to it.

nate

Willi Dyck wrote:
> Hi. I don't understand the world (Debian) anymore. As soon as I compile things like
> - ip firewalling
> - ip masquerading
> - ip forwarding
> into the kernel, I can't ping any host by its name. I am able to ping IPs. Seems like a DNS lookup failure. But why?? I didn't change any file, I only compiled the features listed above. When I boot the old kernel again the problem seems to be gone. WHY??? What is the logical thing here??? Thanx for your help.

--
::: ICQ: 75132336 http://www.aphroland.org/ http://www.linuxpowered.net/ [EMAIL PROTECTED]
Re: Firewall/IP-masquerading
on Tue, Sep 05, 2000 at 12:59:25PM -0700, Nate Amsden sent 1.1K bytes on their merry way:
> not sure what kernels you're using but:

I'm using 2.2.17 (woody)

> - i've never gotten MASQ to work with DNS on 2.2; i've always had to put a DNS on the masq machine and point machines to it instead. this was not the case in 2.0 where it was able to masq without any trouble.

DNS works fine from the other side of my MASQ router; perhaps there is some difference between UDP DNS requests and TCP? *shrug* I would suspect some stray ipchains rule is denying the DNS traffic.

Dan
--
Spinfire Magenta      In Real Life: Dan Noe
Freelance Hacker      http://www.isomerica.net/
31 5B 89 66 F7 E8 73 34 50 6A 79 C4 32 E1 0E 4A
Re: Firewall/IP-masquerading
Nate Amsden [EMAIL PROTECTED] writes:
> not sure what kernels you're using but:
> - i've never gotten MASQ to work with DNS on 2.2; i've always had to put a DNS on the masq machine and point machines to it instead. this was not the case in 2.0 where it was able to masq without any trouble.

Hmm. I'm not sure what you mean here. I have a firewall/masq machine and I know for a fact that my main PC, which sits behind this firewall, has no problem reaching my remote DNS servers using masquerading (I don't currently run a DNS server myself).

> try putting a DNS on yer masq box and point everything to it.

Yikes! That's not a trivial task and it's of questionable value given what I'm able to do, as stated above.

> Willi Dyck wrote:
> > Hi. I don't understand the world (Debian) anymore. As soon as I compile things like
> > - ip firewalling
> > - ip masquerading
> > - ip forwarding
> > into the kernel, I can't ping any host by its name. I am able to ping IPs. Seems like a DNS lookup failure. But why?? I didn't change any file, I only compiled the features listed above. When I boot the old kernel again the problem seems to be gone. WHY??? What is the logical thing here??? Thanx for your help.

My guess is that you've got a chain in the default rules that's blocking DNS access. DNS access isn't a simple one to block/unblock, if I remember correctly. Just look at the logs (/var/log/syslog) and see if any of the output rules, with a source inside your LAN, is being denied. Personally, if I were you I'd get PMFirewall,

http://www.pmfirewall.com/PMFirewall/

And start with the rules they insert and build on that. It's quick, asks simple questions and gets you going quickly.

Gary
Re: Firewall/IP-masquerading
hi ya..

what flags do you have set in your linux-2.2.*/.config file ???

what are the generic rules you have in your /etc/rc.firewall?

have fun linuxing
alvin

On Tue, 5 Sep 2000, Nate Amsden wrote:
> not sure what kernels you're using but:
> - i've never gotten MASQ to work with DNS on 2.2; i've always had to put a DNS on the masq machine and point machines to it instead. this was not the case in 2.0 where it was able to masq without any trouble.
>
> try putting a DNS on yer masq box and point everything to it.
>
> nate
>
> Willi Dyck wrote:
> > Hi. I don't understand the world (Debian) anymore. As soon as I compile things like
> > - ip firewalling
> > - ip masquerading
> > - ip forwarding
> > into the kernel, I can't ping any host by its name. I am able to ping IPs. Seems like a DNS lookup failure. But why?? I didn't change any file, I only compiled the features listed above. When I boot the old kernel again the problem seems to be gone. WHY??? What is the logical thing here??? Thanx for your help.
Re: Firewall/IP-masquerading
Alvin Oga wrote:
> hi ya..
>
> what flags do you have set in your linux-2.2.*/.config file ???

the ones that apply to firewalls/networking:

    CONFIG_PACKET=y
    CONFIG_FIREWALL=y
    CONFIG_FILTER=y
    CONFIG_UNIX=y
    CONFIG_INET=y
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_MASQUERADE_ICMP=y
    CONFIG_IP_MASQUERADE_MOD=y
    CONFIG_IP_MASQUERADE_IPAUTOFW=y
    CONFIG_IP_MASQUERADE_IPPORTFW=y
    CONFIG_IP_MASQUERADE_MFW=y
    CONFIG_IP_ALIAS=y
    CONFIG_SYN_COOKIES=y
    CONFIG_SKB_LARGE=y

everything that is not shown is not set.

> what are the generic rules you have in your /etc/rc.firewall?

i don't have a rc.firewall, but i do use a script in /etc/init.d. the rules for masq are:

    echo -n "Enabling IP Masqing for 10.10.10.0 Network .."
    ipchains -P forward DENY
    ipchains -A forward -j MASQ -s 10.10.10.0/24 -d 0.0.0.0/0
    echo ".done"
    echo "Enabling Port forwarding for Unreal Tournament to 10.10.10.10.."
    ipmasqadm autofw -A -r udp -h 10.10.10.10 -v
    ipmasqadm autofw -A -r udp 7778 7778 -h 10.10.10.10 -v
    ipmasqadm autofw -A -r udp 7779 7779 -h 10.10.10.10 -v
    ipmasqadm autofw -A -r udp 27900 27900 -h 10.10.10.10 -v

i have about 70 other rules but those don't have anything to do with the masq, just a bunch of accept/rejects for various services on the main box. the network i'm on now is just 2 physical machines and usually a couple of virtual (vmware) machines.

nate
--
::: ICQ: 75132336 http://www.aphroland.org/ http://www.linuxpowered.net/ [EMAIL PROTECTED]