[EMAIL PROTECTED] wrote:
> 
> While sifting through docs I found this error which I have been receiving, while
> trying to ping any internet IP from the LRP box:
> sendto(): operation not permitted

It's either your network or your firewall rules or some permissions
on some files got messed up.  Quick fix is download LEAF version
called Dachstein 1.0.2.  It's well written, and is a complete
firewall, once you get your nic modules and your network.conf straight.
For a home setup, that goes quickly when you read the readme.


I.)  Your network isn't functioning.
       Network nic modules may not be on diskette.
       Network nic modules may be on diskette but are commented in modules.conf.
       Network nic modules may be on disk and uncommented but helper modules
          may be commented and aren't being loaded before nic modules.
       Syntax errors may be in /etc/network.conf.

Ways to check:
      ifconfig -a
      netstat -rn

or    ip addr show
      ip route show

and   more /var/log/syslog
and   dmesg | more

stuff like that, ok.



> It says that this is the result of incorrect setup of the Firewall rules.  Where can
> I find some documentation on setting up a set of Firewall rules that will give me at least
> minimal access to the net (www & email for now).  At least if I can get that working I can slowly
> work through the rest.


II)  It's your firewall rules.  Strange.  I've written a firewall or
     two, and I don't remember this error.  But then again, I don't go looking
     to stop ping.  From my memory, when ping can't get out, it simply sits
     there, waiting, as versus giving you a lower level driver error.

        You don't have any rules.
        The ones you have are wrong.
        You made your own.
        You are using an old LEAF version.
        You are using the newest and best LEAF, but you have syntax
             errors in network.conf or you deleted some other files.
        You are cobbling a LEAF together out of parts and pieces
           you've found on the net, due to rational exuberance, but
           you lack the hindsight to know what you really wanted.

something like that.

Ways to fix:
    Well, you asked for some rules, so what you do is this:
       1)  List your rules with
                 /sbin/ipchains -L -v -n > /tmp/rules
                 /usr/sbin/ipmasqadm portfw -ln >> /tmp/rules
                 cat /proc/net/ip_masq/autofw >> /tmp/rules
                 more /tmp/rules

           something like that gets you all the rules that may be
           in effect.

        2)  To get rid of all the current rules is to flush
            them out, using:
                 /sbin/ipchains -F
                 /usr/sbin/ipmasqadm portfw -f
                 /usr/sbin/ipmasqadm autofw -F

        3)  To set the global policy to ACCEPT for the input
            and output chains on all nics, you would do:
                 /sbin/ipchains -P input ACCEPT
                 /sbin/ipchains -P output ACCEPT
                 /sbin/ipchains -P forward ACCEPT

        4)  Some rules for a system that uses one IP address
            from an ISP on eth0 as the external nic, and one
            private LAN that uses NAT to hide it that is called
            the 192.168.1.0 network connected to eth1, could use 
            the following after flushing and setting the policies:

--------------------------------------------------------------------
/sbin/ipchains -A forward -j MASQ -p all -s 192.168.1.0/24
--------------------------------------------------------------------

It doesn't take much, does it :-o

What this does is allow all traffic in and out of both
nics, and masq's the internal network.  It leaves you
open to connection attempts to services like telnet 
running on the LEAF.  Even though the LEAF is open to 
the connection attempts, the internal network is unreachable
because it is masq'd and there is no route to it.
It leaves you open to spoofed and stuffed attacks, which
are very rare.  So do use this forever.  You're fine with
it while you configure your system if you don't have any
services running, like telnet or ssh on the LEAF.


This mini ruleset will work if your default gateway and
the rest of your routing table is correct.

However, like I said, the simple answer is Dachstein on floppy only.
If you want to doink around with the CD version, that's different.

Good Luck,
Matthew

 
> My main problem is right now, to test out the router I have to switch my cable modem
> to it.
> Once that is done, it makes it difficult (currently impossible) to do any research on
> problems as they come up.
> 
> Again, your help is greatly appreciated.
> Sincerely,
> 
> Justin Pease
> N u a n c e   N i n e
> Web Usability, Development and Design
> www.nuance9.com

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
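The flush, policy and masquerade steps 2 to 4 from the reply above, collected into one sh script as an added example (not code from the post or from LEAF/Dachstein), with two extra ipchains rules covering the two exposures the reply names: new TCP connections to services such as telnet or ssh on the LEAF itself, and packets arriving on the external nic with a spoofed LAN source address. It assumes eth0 is the external nic, the LAN is 192.168.1.0/24, and the /sbin and /usr/sbin paths used in the post; setting DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumed layout (as in the
# reply): eth0 = external nic, LAN = 192.168.1.0/24 hidden behind MASQ.
EXT_IF=eth0
LAN_NET=192.168.1.0/24
IPCHAINS=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 2: throw away whatever rules are currently loaded.
flush_rules() {
    run "$IPCHAINS" -F
    run "$IPMASQADM" portfw -f
    run "$IPMASQADM" autofw -F
}

# Step 3: open policies, so only explicit DENY rules below block anything.
set_policies() {
    run "$IPCHAINS" -P input ACCEPT
    run "$IPCHAINS" -P output ACCEPT
    run "$IPCHAINS" -P forward ACCEPT
}

# Step 4 plus hardening.  -y matches only SYN packets, so replies to
# masqueraded LAN connections (SYN-ACK) still get in; -l logs the drops.
add_rules() {
    # Anti-spoofing: LAN addresses never legitimately arrive on eth0.
    run "$IPCHAINS" -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    # No new TCP connections from the internet to the LEAF's own services.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    # The one-liner from the post: masquerade the private LAN.
    run "$IPCHAINS" -A forward -s "$LAN_NET" -j MASQ
}

apply_firewall() {
    flush_rules
    set_policies
    add_rules
}

# Only touch the kernel when explicitly asked, so the file can be reviewed.
if [ "${1:-}" = "--apply" ]; then
    apply_firewall
fi
```

Run it as `DRY_RUN=1 sh firewall.sh --apply` first to read the nine commands it would issue; the ICMP replies for ping are untouched because the DENY rules match TCP SYN and spoofed sources only.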
