Re: Firewall/IP-masquerading

2000-09-06 Thread Willi Dyck
 On Tue, Sep 05, 2000 at 12:59:25PM -0700, Nate Amsden sent 1.1K bytes on
 their merry way:
  Not sure what kernels you're using, but:
 
I am using kernel 2.2.16.

 I'm using 2.2.17 (woody)
 
  - I've never gotten MASQ to work with DNS on 2.2; I've always had to put
  a DNS on the masq machine and point machines to it instead. This was
  not the case in 2.0, where it was able to masq without any trouble.
 
 DNS works fine from the other side of my MASQ router; perhaps there is
 some difference between UDP DNS requests and TCP? *shrug*
 
 I would suspect some stray ipchains rule is denying the DNS traffic.

No rules are denying DNS traffic.
I can't even ping any host from the firewalling box, although a connection
to my ISP is certainly established.
 
 Dan
 -- 
 Spinfire Magenta  In Real Life: Dan Noe
 Freelance Hacker  http://www.isomerica.net/
 

-- 
Sent through GMX FreeMail - http://www.gmx.net



Re: Firewall/IP-masquerading

2000-09-06 Thread Willi Dyck
 Nate Amsden [EMAIL PROTECTED] writes:
  Not sure what kernels you're using, but:
  
  - I've never gotten MASQ to work with DNS on 2.2; I've always had to put
  a DNS on the masq machine and point machines to it instead. This was
  not the case in 2.0, where it was able to masq without any trouble.
 
 Hmm. I'm not sure what you mean here. I have a firewall/masq machine
 and I know for a fact that my main PC, which sits behind this
 firewall, has no problem reaching my remote DNS servers using
 masquerading (I don't currently run a DNS server myself).
 
  Try putting a DNS on yer masq box and point everything to it.
 
 Yikes! That's not a trivial task and it's of questionable value given
 what I'm able to do, as stated above.
 
  Willi Dyck wrote:
   
   Hi.
   
   I don't understand the world (Debian) anymore.
   As soon as I compile things like
   - ip firewalling
   - ip masquerading
   - ip forwarding into the kernel, I can't ping any host by its name.
   I am able to ping IPs. Seems like a DNS lookup failure. But why??
   I didn't change any file; I only compiled the features listed above.
   When I boot the old kernel again the problem seems to be gone.
   WHY??? What is the logical thing here???
   Thanx for your help.
 
 My guess is that you've got a chain in the default rules that's
 blocking DNS access. DNS access isn't a simple one to block/unblock,
 if I remember correctly. Just look at the logs (/var/log/syslog) and
 see if any of the output rules, with a source inside your LAN, is
 being denied. Personally, if I were you I'd get PMFirewall,

I have no chains blocking DNS access; I'm only blocking telnet and
netbios.
And /var/log/syslog isn't saying a word about ipchains. I wonder whether my
firewall script was started at boot, i.e. whether the links are set. How can I check that?
 
 http://www.pmfirewall.com/PMFirewall/
 
 And start with the rules they insert and build on that.
 
 It's quick, asks simple questions and gets you going quickly.
 
 Gary
 
 
 -- 
 Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] 
 /dev/null
 




Re: Firewall/IP-masquerading

2000-09-06 Thread Gary Hennigan
Willi Dyck [EMAIL PROTECTED] writes:
   Willi Dyck wrote:

Hi.

I don't understand the world (Debian) anymore.
As soon as I compile things like
- ip firewalling
- ip masquerading
- ip forwarding into the kernel, I can't ping any host by its name.
I am able to ping IPs. Seems like a DNS lookup failure. But why??
I didn't change any file; I only compiled the features listed above.
When I boot the old kernel again the problem seems to be gone.
WHY??? What is the logical thing here???
Thanx for your help.
 
Gary Hennigan writes: 
  My guess is that you've got a chain in the default rules that's
  blocking DNS access. DNS access isn't a simple one to block/unblock,
  if I remember correctly. Just look at the logs (/var/log/syslog) and
  see if any of the output rules, with a source inside your LAN, is
  being denied. Personally, if I were you I'd get PMFirewall,
 
 I have no chains blocking DNS access; I'm only blocking telnet and
 netbios.
 And /var/log/syslog isn't saying a word about ipchains. I wonder whether my
 firewall script was started at boot, i.e. whether the links are set. How can I check that?

ipchains -L 

will show you all the chains you have installed. Also, in Debian
potato, there's ipchains-save which prints out all the installed chains
in a format that can be restored via ipchains-restore.

Gary



Firewall/IP-masquerading

2000-09-05 Thread Willi Dyck
Hi.

I don't understand the world (Debian) anymore.
As soon as I compile things like
- ip firewalling
- ip masquerading
- ip forwarding into the kernel, I can't ping any host by its name.
I am able to ping IPs. Seems like a DNS lookup failure. But why??
I didn't change any file; I only compiled the features listed above.
When I boot the old kernel again the problem seems to be gone.
WHY??? What is the logical thing here??? 
Thanx for your help.




Re: Firewall/IP-masquerading

2000-09-05 Thread Nate Amsden
Not sure what kernels you're using, but:

- I've never gotten MASQ to work with DNS on 2.2; I've always had to put
a DNS on the masq machine and point machines to it instead. This was not
the case in 2.0, where it was able to masq without any trouble.

Try putting a DNS on yer masq box and point everything to it.

nate

Willi Dyck wrote:
 
 Hi.
 
 I don't understand the world (Debian) anymore.
 As soon as I compile things like
 - ip firewalling
 - ip masquerading
 - ip forwarding into the kernel, I can't ping any host by its name.
 I am able to ping IPs. Seems like a DNS lookup failure. But why??
 I didn't change any file; I only compiled the features listed above.
 When I boot the old kernel again the problem seems to be gone.
 WHY??? What is the logical thing here???
 Thanx for your help.
 

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]



Re: Firewall/IP-masquerading

2000-09-05 Thread Spinfire Magenta
On Tue, Sep 05, 2000 at 12:59:25PM -0700, Nate Amsden sent 1.1K bytes on their
merry way:
 Not sure what kernels you're using, but:

I'm using 2.2.17 (woody)

 - I've never gotten MASQ to work with DNS on 2.2; I've always had to put
 a DNS on the masq machine and point machines to it instead. This was not
 the case in 2.0, where it was able to masq without any trouble.

DNS works fine from the other side of my MASQ router; perhaps there is
some difference between UDP DNS requests and TCP? *shrug*

I would suspect some stray ipchains rule is denying the DNS traffic.

Dan
-- 
Spinfire MagentaIn Real Life: Dan Noe
Freelance Hackerhttp://www.isomerica.net/




Re: Firewall/IP-masquerading

2000-09-05 Thread Gary Hennigan
Nate Amsden [EMAIL PROTECTED] writes:
 Not sure what kernels you're using, but:
 
 - I've never gotten MASQ to work with DNS on 2.2; I've always had to put
 a DNS on the masq machine and point machines to it instead. This was not
 the case in 2.0, where it was able to masq without any trouble.

Hmm. I'm not sure what you mean here. I have a firewall/masq machine
and I know for a fact that my main PC, which sits behind this
firewall, has no problem reaching my remote DNS servers using
masquerading (I don't currently run a DNS server myself).

 Try putting a DNS on yer masq box and point everything to it.

Yikes! That's not a trivial task and it's of questionable value given
what I'm able to do, as stated above.

 Willi Dyck wrote:
  
  Hi.
  
  I don't understand the world (Debian) anymore.
  As soon as I compile things like
  - ip firewalling
  - ip masquerading
  - ip forwarding into the kernel, I can't ping any host by its name.
  I am able to ping IPs. Seems like a DNS lookup failure. But why??
  I didn't change any file; I only compiled the features listed above.
  When I boot the old kernel again the problem seems to be gone.
  WHY??? What is the logical thing here???
  Thanx for your help.

My guess is that you've got a chain in the default rules that's
blocking DNS access. DNS access isn't a simple one to block/unblock,
if I remember correctly. Just look at the logs (/var/log/syslog) and
see if any of the output rules, with a source inside your LAN, is
being denied. Personally, if I were you I'd get PMFirewall,

http://www.pmfirewall.com/PMFirewall/

And start with the rules they insert and build on that.

It's quick, asks simple questions and gets you going quickly.

Gary



Re: Firewall/IP-masquerading

2000-09-05 Thread Alvin Oga

hi ya..

what flags do you have set in your linux-2.2.*/.config file ???

what are the generic rules you have in your /etc/rc.firewall

have fun linuxing
alvin

On Tue, 5 Sep 2000, Nate Amsden wrote:

 Not sure what kernels you're using, but:
 
 - I've never gotten MASQ to work with DNS on 2.2; I've always had to put
 a DNS on the masq machine and point machines to it instead. This was not
 the case in 2.0, where it was able to masq without any trouble.
 
 Try putting a DNS on yer masq box and point everything to it.
 
 nate
 
 Willi Dyck wrote:
  
  Hi.
  
  I don't understand the world (Debian) anymore.
  As soon as I compile things like
  - ip firewalling
  - ip masquerading
  - ip forwarding into the kernel, I can't ping any host by its name.
  I am able to ping IPs. Seems like a DNS lookup failure. But why??
  I didn't change any file; I only compiled the features listed above.
  When I boot the old kernel again the problem seems to be gone.
  WHY??? What is the logical thing here???
  Thanx for your help.
  
 
 -- 
 :::
 ICQ: 75132336
 http://www.aphroland.org/
 http://www.linuxpowered.net/
 [EMAIL PROTECTED]
 
 
 



Re: Firewall/IP-masquerading

2000-09-05 Thread Nate Amsden
Alvin Oga wrote:
 
 hi ya..
 
 what flags do you have set in your linux-2.2.*/.config file ???

the ones that apply to firewalls/networking:

CONFIG_PACKET=y
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_IPPORTFW=y
CONFIG_IP_MASQUERADE_MFW=y
CONFIG_IP_ALIAS=y
CONFIG_SYN_COOKIES=y
CONFIG_SKB_LARGE=y

Everything that is not shown is not set.



 what is the generic rules you have in your /etc/rc.firewall

I don't have an rc.firewall, but I do use a script in /etc/init.d. The
rules for masq are:


echo -n Enabling IP Masqing for 10.10.10.0 Network ..
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 10.10.10.0/24 -d 0.0.0.0/0
echo .done
echo Enabling Port forwarding for Unreal Tournament to 10.10.10.10..
ipmasqadm autofw -A -r udp   -h 10.10.10.10 -v
ipmasqadm autofw -A -r udp 7778 7778 -h 10.10.10.10 -v
ipmasqadm autofw -A -r udp 7779 7779 -h 10.10.10.10 -v
ipmasqadm autofw -A -r udp 27900 27900 -h 10.10.10.10 -v

I have about 70 other rules, but those don't have anything to do with the
masq; they're just a bunch of accept/rejects for various services on the main
box. The network I'm on now is just 2 physical machines and usually a
couple of virtual (vmware) machines.

nate


-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
[EMAIL PROTECTED]
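The check several posters describe (look for an ipchains rule or policy that denies DNS), as an added example that is not code from anyone in this thread: a small Python model of ipchains' first-match evaluation that parses a firewall script's -P/-A lines and reports what a chain does to a DNS query from the LAN and to the resolver's reply. The parser is a simplification assumed here (only -p, -s, -d with an optional trailing port, and -j are understood; -l and -y are skipped), and the sample ruleset is constructed from Nate's forward rules plus an input chain that only admits TCP port 80.

```python
# Assumed, simplified model of ipchains first-match evaluation (written for this thread, not kernel code).
import ipaddress
import shlex

def _port_ok(spec, port):  # spec is a single port or a lo:hi range; None matches any port
    lo, _, hi = (spec or "0:65535").partition(":")
    return int(lo) <= port <= int(hi or lo)

def parse_script(text):
    """Return (policies, rules) from 'ipchains -P' / 'ipchains -A' lines; -p, -s, -d and -j are understood."""
    policies = {"input": "ACCEPT", "forward": "ACCEPT", "output": "ACCEPT"}  # kernel defaults
    rules = {"input": [], "forward": [], "output": []}
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 4 or argv[0] != "ipchains" or argv[1] not in ("-P", "-A"):
            continue  # echo lines, ipmasqadm lines and so on are not filter rules
        if argv[1] == "-P":  # chain policy, e.g. "ipchains -P forward DENY"
            policies[argv[2]] = argv[3]
            continue
        rule = dict(proto=None, src="0.0.0.0/0", sport=None, dst="0.0.0.0/0", dport=None, target=None)
        opts, i = [o for o in argv[3:] if o not in ("-l", "-y")], 0  # -l/-y take no value; skipped
        while i < len(opts):
            flag, val, i = opts[i], opts[i + 1], i + 2
            if flag == "-p":
                rule["proto"] = val
            elif flag in ("-s", "-d"):
                side = "src" if flag == "-s" else "dst"
                rule[side] = val
                if i < len(opts) and not opts[i].startswith("-"):  # optional trailing port
                    rule["sport" if side == "src" else "dport"], i = opts[i], i + 1
            elif flag == "-j":
                rule["target"] = val
        rules[argv[2]].append(rule)
    return policies, rules

def decide(chain, pkt, policies, rules):  # first matching rule's target wins
    for r in rules[chain]:
        ok = not r["proto"] or r["proto"] == pkt["proto"]
        for side, port in (("src", "sport"), ("dst", "dport")):
            ok = ok and ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(r[side], strict=False) \
                and _port_ok(r[port], pkt[port])
        if ok:
            return r["target"]
    return policies[chain]  # nothing matched, so the chain's policy applies (a DENY is silent without -l)
# Constructed sample: Nate's masq rules plus a deliberately tight input chain that drops DNS replies.
SAMPLE = """ipchains -P forward DENY
ipchains -A forward -j MASQ -s 10.10.10.0/24 -d 0.0.0.0/0
ipchains -P input DENY
ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j ACCEPT"""
DNS_REPLY = {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "203.0.113.9", "dport": 1025}  # constructed
```

ipchains only writes to syslog for rules carrying -l, so a quiet /var/log/syslog does not show that nothing is being denied; feeding the script's lines through this model, or reading `ipchains -L` on the box, does.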