RE: [Leaf-user] pppd timing out.
At 2002-01-15 15:59 -0600, Mark Lubratt wrote:
> BTW, I also figured out that the configuration files from pppd.lrp were
> conflicting with the configuration files from diald. When I extracted
> only chat and pppd from the pppd.lrp file and then added them to the diald
> package, everything started working.

Mark,
If you have time, please write up how you accomplished this. Then, submit it to us as a FAQ in the DocManager. I'm sure other people would benefit from your experience configuring diald. Thanks.

https://sourceforge.net/docman/new.php?group_id=13751

--
Mike Noyes <[EMAIL PROTECTED]>
http://leaf.sourceforge.net/

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] pppd timing out.
> I want dial-on-demand during non-business hours, but I also want the link
> always up during business hours. I understand that pppd can now do on
> demand dialing, but will it also do a scheduled link? With diald I can
> force the link up in the morning during the week and then let it go back to
> on-demand at the end of the business day.

No, sorry, that is indeed the sort of thing diald is designed to do, although I suppose you could design cron jobs to do the same thing.

> Is this also possible in pppd?
>
> BTW, I also figured out that the configuration files from pppd.lrp were
> conflicting with the configuration files from diald. When I extracted only
> chat and pppd from the pppd.lrp file and then added them to the diald
> package, everything started working.

That was my experience, that dial-on-demand versions of ppp didn't play well with diald. When you are done, could you post a short writeup on what you did to get everything working? This seems to be a FAQ.

> Mark

-Richard
RE: [Leaf-user] pppd timing out.
I want dial-on-demand during non-business hours, but I also want the link always up during business hours. I understand that pppd can now do on demand dialing, but will it also do a scheduled link? With diald I can force the link up in the morning during the week and then let it go back to on-demand at the end of the business day.

Is this also possible in pppd?

BTW, I also figured out that the configuration files from pppd.lrp were conflicting with the configuration files from diald. When I extracted only chat and pppd from the pppd.lrp file and then added them to the diald package, everything started working.

Mark

-----Original Message-----
From: Richard Doyle [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 15, 2002 10:28 AM
To: Mark Lubratt; [EMAIL PROTECTED]
Subject: RE: [Leaf-user] pppd timing out.

Why do you need diald? Recent versions of pppd support dial-on-demand. If my experience is any guide, get pppd working, then try diald if needed.

-Richard

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Lubratt
> Sent: Monday, January 14, 2002 11:04 PM
> To: [EMAIL PROTECTED]
> Subject: [Leaf-user] pppd timing out.
>
> Hi!
>
> I've been banging my head against a wall for about 3 days now. I have an LRP
> system running on a 486 (dachstein 1.02).
>
> The system is supposed to be a router/firewall for a small home network. It
> will serve DHCP as well. The eth0 interface is on the local network.
>
> I want to have diald working on it so that I can force a link during the day
> and make other times be on demand. I have the diald22.lrp package as well
> as the pppd.lrp package installed. I recompiled the kernel (2.2.19-3-LEAF)
> to incorporate the serial drivers directly into the kernel (serial.o didn't
> seem to work). I'm using the slip, slhc, ppp, ppp_deflate and bsd_comp
> modules.
>
> The system seems to be dialing and connecting to my ISP just fine. I get a
> message in syslog that ppp0 has been registered and then immediately a
> message talking about initializing the modem. It would seem that pppd is
> hanging or dying early.
>
> I've looked all through the mail archives and deja.com. People keep referring
> to mail messages where this has been solved, but I can't seem to find them.
> Does anyone out there have a working diald/pppd LRP setup?
>
> Any help here would be greatly appreciated!
>
> Mark
Re: [Leaf-user] Confusing packet in firewall logs
Julian Church wrote:
>
> Sorry for replying to myself, but although I don't fully understand what
> was going on I seem to have made the problem stop.
>
> At 11:44 15/01/02 +, Julian Church wrote:
> >I'm getting a few of these in /var/log/messages per minute.
> >
> >Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6
> >192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
>
> I switched the ADSL router's power off then on about an hour ago, and
> haven't had any of these packets since. I was getting several of these
> packets per minute so I think it's fair to conclude that the problem has
> been solved. So it seems pretty certain that the fault was with the router
> somehow. My guess is that the router started sporadically NAT-ing packets
> again, giving them its old/default NAT'd internal IP address 192.168.254.254.

Have you tried typing "192.168.254.254" in a web browser? Since it's using the http port you just may have some sort of configuration manager installed that comes along with the router, sort of like weblet on Eigerstein and Dachstein. I have a Motorola Surfboard SB4100 which has 192.168.100.1 configured for the browser.

--
Patrick Benson
Stockholm, Sweden
[Leaf-user] LRP and a Laptop HELP
Hi:

I downloaded the dach software "dachstein-v1.0.2-1680" based on the linux kernel 2.2.19. I want to use my laptop (Dell machine) as a router. My questions are the following:

1) If I don't need the firewall option but just the router, am I using the right download?

2) I am using 2 different pcmcia cards: one is a 3com 10/100 base TX and the other one is the Linksys 10/100 etherfast pc card. Does anyone know where I can find the modules for both cards and if/how I can make them?

3) I saw a diald for kernel version 2.9.4. Can I use it with the 2.2.19 version that I downloaded? Where can I find the right dialup setup for a modem?

Any guidance will be greatly appreciated.

-M
Re: [Leaf-user] Confusing packet in firewall logs
Julian:

Heya. I'm going to go with what fwlog.pl is telling you on this one. :) The reply does indeed look to be from the "NAT router" you had previously at 192.168.254.254. There's no SYN flag set, so it's not a Code-Red packet, and it's coming at you at a very high port number (61000+) which is where LEAF boxes do their IP-masquerading.

So...somewhere external to your LAN, a packet from 192.168.254.254 is finding its way to you. Perhaps...when you changed your ADSL service, your ISP gave your old router to someone else who is using it misconfigured?

As to why your firewall is logging these at all...the stock ruleset on Dachstein logs anything that comes from a source IP of 192.168.x.y. Unless you changed that as part of your new setup, it's still in there.

Hope this helps!

-Scott

> From: Julian Church <[EMAIL PROTECTED]>
> Subject: [Leaf-user] Confusing packet in firewall logs
>
> I know "What's this in my logs" is a common query, but I really am confused
> this time.
> I'm getting a few of these in /var/log/messages per minute.
>
> Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
> Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6
> 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x T=60 (#42)
>
> I'm confused because eth0 is my external interface. 217.149.96.2 is the
> ext IP of the firewall. 192.168.254.254 doesn't appear anywhere on the LAN.
>
> The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl tells me it's
> a return packet from a website someone on my network is trying to view, but
> given the 192.168.x.x source address I'm not sure that's correct.
>
> One more thing that may be significant (or just simple coincidence), I had
> our ADSL service changed from NAT to no-NAT in December, and the NAT
> router's internal address was 192.168.254.254. I changed over from
> Eigerstein to Dachstein at the same time though (effectively starting from
> scratch), so I don't think it's possible I've got some old setting in the
> firewall still hidden somewhere.
>
> Does anyone have any ideas?
>
> thanks
>
> Julian
>
> --
> [EMAIL PROTECTED]
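The reasoning Scott applies to Julian's two log lines (private source on the external interface, no SYN flag, destination port in the masquerade range) can be turned into a small triage script. The block below is an added example written for this page, not code from the thread, from fwlog.pl or from the LEAF project. It parses the kernel 2.2 ipchains "Packet log:" format, tags each entry, and counts entries per source. The sample lines are constructed: the first two are modelled on Julian's (with the fragment field written out as F=0x0000), the third is an invented inbound SYN to port 80 from 203.0.113.7 (documentation address space) to show what a Code Red style probe would look like by contrast. That eth0 is the external interface, and the 61000..65095 port range used by Linux 2.2 masquerading, are assumptions stated in the code.

```python
"""Parse and classify ipchains "Packet log:" lines from a Linux 2.2 LEAF/Dachstein firewall."""
import re
from ipaddress import ip_address, ip_network

# Linux 2.2 IP masquerade rewrites source ports into 61000..65095, so a packet whose
# *destination* port is in this range is addressed to a masqueraded session.
MASQ_PORT_LOW, MASQ_PORT_HIGH = 61000, 65095

# Assumption for the example: eth0 is the external interface, as in Julian's setup.
EXTERNAL_IFACES = {"eth0"}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ipchains layout: "<chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [SYN] (#<rule>)"
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def parse(line):
    """Return a dict of the ipchains fields, or None if the line is not a packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        entry[key] = int(entry[key])
    entry["syn"] = entry["syn"] is not None
    return entry


def classify(entry):
    """Tag an entry with the properties Scott looked at: source range, SYN flag, masq port."""
    findings = []
    if entry["chain"] == "input" and entry["iface"] in EXTERNAL_IFACES and is_rfc1918(entry["src"]):
        findings.append("private-source-on-external")      # spoofed, or leaked by a misconfigured NAT box
    if entry["proto"] == 6 and not entry["syn"]:
        findings.append("tcp-without-syn")                  # not a new connection attempt
    if MASQ_PORT_LOW <= entry["dport"] <= MASQ_PORT_HIGH:
        findings.append("to-masq-port")                     # aimed at a masqueraded session's port
    if "tcp-without-syn" in findings and "to-masq-port" in findings:
        findings.append("looks-like-reply-to-masqueraded-connection")
    if entry["proto"] == 6 and entry["syn"] and entry["dport"] == 80:
        findings.append("inbound-http-syn")                 # what a Code Red style probe looks like
    return findings


def summarize(lines):
    """Count (source address, findings) pairs across a log extract."""
    counts = {}
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        key = (entry["src"], tuple(classify(entry)))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not taken verbatim from the thread; see the lead-in).
SAMPLE_LINES = [
    "Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x0000 T=60 (#42)",
    "Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x0000 T=60 (#42)",
    "Jan 15 10:41:02 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.0.113.7:4021 217.149.96.2:80 L=48 S=0x00 I=9130 F=0x4000 T=113 SYN (#42)",
]

if __name__ == "__main__":
    for (src, findings), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:3d}  {src:16s}  {', '.join(findings) or 'nothing notable'}")
```

Run it against `grep 'Packet log' /var/log/messages` output instead of the sample to get the same per-source summary for a real box; an entry tagged both "private-source-on-external" and "looks-like-reply-to-masqueraded-connection" is exactly the signature discussed in this thread, and the count tells you whether it is a trickle or a flood.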
Re: [Leaf-user] Message log Overflow crashes EigerStein
Greg:

Heya. I know how you feel about being reluctant to touch your firewall now that it's running. Fortunately...it's not as bad as you might remember -- I had to get Dachstein up and running so that I could get echoWall debugged on it. Since Charles did both distros, they look & feel very similar. Just start with the /etc/modules file, make the new one look like your old one where the interfaces are concerned. Then touch up the network.conf file, make it look like your old one, also in regards to interface definition. Backup, reboot, and you'll be a lot closer than you think. :)

-Scott

On Mon, 14 Jan 2002, Greg Orne wrote:
> Scott,
>
> thank you for the advice.
>
> I read that DachStein was the LRP of choice now.
> Not too hot on switching but will if I must.
>
> I spent many hours getting the router to pass my VPN so I can plug in for
> work at home.
>
> Got it to work and when I ran one of those external firewall testers it
> still showed me as secure.
>
> I did it so long ago I forgot what I did.
>
> I am not looking forward to the work getting Dachstein working also.
>
> Thank you again.
Re: [Leaf-user] DCD, ipsec and 50/51 protocols ???
> > If I add this to /etc/network.conf:
> >
> > EXTERN_PROTO0="50 0/0"
> > EXTERN_PROTO1="51 0/0"
> >
> > then, do I still need these ???
> >
> > leftfirewall=yes
> > rightfirewall=yes
>
> Not if you also allow UDP port 500...

Oh...you also need to make sure you create forward rules allowing the VPN traffic.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] DCD, ipsec and 50/51 protocols ???
> If I add this to /etc/network.conf:
>
> EXTERN_PROTO0="50 0/0"
> EXTERN_PROTO1="51 0/0"
>
> then, do I still need these ???
>
> leftfirewall=yes
> rightfirewall=yes

Not if you also allow UDP port 500...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] DCD, ipsec and 50/51 protocols ???
If I add this to /etc/network.conf:

EXTERN_PROTO0="50 0/0"
EXTERN_PROTO1="51 0/0"

then, do I still need these ???

leftfirewall=yes
rightfirewall=yes

What do you think?

--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
RE: [Leaf-user] no ppp support in kernel (DCD 1.0.2)?
> Minimum set of modules for ppp seems to be:
>
> slhc
> ppp

Yes, I can validate that. I think Jim is asking because of his PPTP setup. I'm running PPTPD with only these two modules and it's working great.
RE: [Leaf-user] pppd timing out.
Why do you need diald? Recent versions of pppd support dial-on-demand. If my experience is any guide, get pppd working, then try diald if needed.

-Richard

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Lubratt
> Sent: Monday, January 14, 2002 11:04 PM
> To: [EMAIL PROTECTED]
> Subject: [Leaf-user] pppd timing out.
>
> Hi!
>
> I've been banging my head against a wall for about 3 days now. I have an LRP
> system running on a 486 (dachstein 1.02).
>
> The system is supposed to be a router/firewall for a small home network. It
> will serve DHCP as well. The eth0 interface is on the local network.
>
> I want to have diald working on it so that I can force a link during the day
> and make other times be on demand. I have the diald22.lrp package as well
> as the pppd.lrp package installed. I recompiled the kernel (2.2.19-3-LEAF)
> to incorporate the serial drivers directly into the kernel (serial.o didn't
> seem to work). I'm using the slip, slhc, ppp, ppp_deflate and bsd_comp
> modules.
>
> The system seems to be dialing and connecting to my ISP just fine. I get a
> message in syslog that ppp0 has been registered and then immediately a
> message talking about initializing the modem. It would seem that pppd is
> hanging or dying early.
>
> I've looked all through the mail archives and deja.com. People keep referring
> to mail messages where this has been solved, but I can't seem to find them.
> Does anyone out there have a working diald/pppd LRP setup?
>
> Any help here would be greatly appreciated!
>
> Mark
Re: [Leaf-user] Confusing packet in firewall logs
Sorry for replying to myself, but although I don't fully understand what was going on I seem to have made the problem stop.

At 11:44 15/01/02 +, Julian Church wrote:
>I'm getting a few of these in /var/log/messages per minute.
>
>Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6
>192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)

I switched the ADSL router's power off then on about an hour ago, and haven't had any of these packets since. I was getting several of these packets per minute so I think it's fair to conclude that the problem has been solved. So it seems pretty certain that the fault was with the router somehow. My guess is that the router started sporadically NAT-ing packets again, giving them its old/default NAT'd internal IP address 192.168.254.254.

I suppose it's worth noting (for the benefit of others who might experience similar problems) that the Model 5861 BT-branded ADSL routers that British Telecom install when you subscribe to their ADSL service can go spontaneously wonky in this particular way.

cheers

Julian

--
[EMAIL PROTECTED]
www.ljchurch.co.uk
Re: [Leaf-user] Message log Overflow crashes EigerStein
> I'm running Eigerstein. I want to switch over to Dachstein at some point.
> I want to have a firewall that Masquerades public IPs but does not Masquerade
> IPSec (VPN).
> I thought this couldn't be done based on previous postings.
> This posting implies (I think) that the restrictions apply only within IPSec
> (VPN).
> Is this true?
>
> 192.168.2.0\24 -- LRP -- Pub IPs --- Pub IPs - LRP - 192.168.3.0\24
>                                      Pub IPs - LRP - 192.168.4.0\24
>
> Can Dachstein route between the 192.168.*.* and masquerade for everything else?
> I actually want to have four separate sites use LRP, all having VPN access
> to/from 192.168.2.0\24. Two sites also need to provide server port forwarding.

You can setup a network like the above using IPSec running on the firewalls...that's kind of the whole concept of a VPN. The one thing to watch when setting up your network, is to make sure your private network is routable (ie don't overlap IP space...you've got a separate /24 network for each endpoint, which *is* routable, so you're OK).

If you want to set this up, I recommend using Pentium class machines (you'll need a bit of extra CPU for encryption) with 32 Meg, and the CD-ROM version of Dachstein...I've got a whole network of these systems (P133's with SDRAM and PCI NIC's) linking various remote sites to the 'net via masquerading, and to each other via VPN.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Message log Overflow crashes EigerStein
Charles:

I'm running Eigerstein. I want to switch over to Dachstein at some point. I want to have a firewall that Masquerades public IPs but does not Masquerade IPSec (VPN). I thought this couldn't be done based on previous postings. This posting implies (I think) that the restrictions apply only within IPSec (VPN). Is this true?

192.168.2.0\24 -- LRP -- Pub IPs --- Pub IPs - LRP - 192.168.3.0\24
                                     Pub IPs - LRP - 192.168.4.0\24

Can Dachstein route between the 192.168.*.* and masquerade for everything else? I actually want to have four separate sites use LRP, all having VPN access to/from 192.168.2.0\24. Two sites also need to provide server port forwarding.

Thanks,
Glenn

Charles Steinkuehler wrote:
> > I had your Eiger Stein & IPSEC running great for some time now it looks like
> > I need Dachstein.
> >
> > Do you have an image that is setup to pass IPSEC or do I have to patch in
> > those modules and rules again.
>
> You're in luck. The Dachstein kernels come pre-patched for VPN-Masquerade,
> so all you have to do is load the modules, and open a couple ports to get
> IPSec masquerading working.
>
> > Also Is my work with EigerStein to get this to work fully transportable to
> > DachStein?
>
> Yes. While the firewall scripts have been updated, and extensively modified
> (mainly to support new DMZ features), the new scripts are extensions of the
> previous ones. I usually merge previous network.conf settings manually.
> NOTE: I typically mount my old floppy (or config disk) once I've booted a
> fresh Dachstein disk, and uncompress the old filesystem into /tmp, so I can
> copy/edit/compare files. Just "gunzip
>
> WARNING: If you want to use the bootable CD version, it contains a kernel
> that supports IPSec running on the firewall...this kernel will *NOT*
> masquerade IPSec VPN connections (sadly, you can either masquerade IPSec, or
> run IPSec on the firewall, but the same kernel won't support both). If you
> want, I can make an ISO with a kernel that will masquerade IPSec
> connections...let me know.
>
> Final note: You don't really have to upgrade, if you don't want to. You
> can add some custom forwarding rules to /etc/ipfilter.conf to block the
> traffic filling up your logs, or merge in a few features from the newer
> scripts, like support for SILENT_DENY, or support for the
> /etc/ipchains.forward file (where you can specify your own forward rules).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Re: DCD package request for inclusion in next CD image
----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "LRPLEAF" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 15, 2002 5:53 AM
Subject: [Leaf-user] Re: DCD package request for inclusion in next CD image

> > I may open a floodgate by making this request, as other requests
> > may follow from others, but here goes:
> >
> > please include the latest bind package in the next CD image of
> > Dachstein.
>
> The 9.x versions of Bind don't really like compiling on a glibc as old as
> that used for LEAF, or I would have done this already...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

Same problem with 3.x series of the Roaring Penguin PPPoE client
Re: [Leaf-user] multi ip port forwarding
It's also possible to use static-NAT, or proxy-arp in this environment. While only two of the 3 IP's can be used directly on DMZ machines, you can still port-forward services from the router's public IP to machines on the DMZ.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

----- Original Message -----
From: "Ed Tetz" <[EMAIL PROTECTED]>
To: "GREGOR" <[EMAIL PROTECTED]>; "linux-router" <[EMAIL PROTECTED]>
Sent: Tuesday, January 15, 2002 6:47 AM
Subject: Re: [Leaf-user] multi ip port forwarding

> Hi Gregor,
>
> I know that I had some issues with this. I had 2 alias addresses bound to my
> external interface. I was able to receive traffic on them and portfw them
> correctly. But then I tried FTP and I found that all other outbound traffic
> gets masq'd on the primary IP, not the alias. From what I read at the time,
> that is just how it is, and you cannot masq out with the alias IP. That also
> gave me a problem with my Dynamic DNS, as it would register the primary, and
> not the alias address.
>
> This might give you a problem with SMTP, but I wouldn't think that it should
> affect the Web and Pop components.
>
> I hope that helps a bit.
>
> Cheers
> ----- Original Message -----
> From: "GREGOR" <[EMAIL PROTECTED]>
> To: "linux-router" <[EMAIL PROTECTED]>
> Sent: Tuesday, January 15, 2002 1:18 AM
> Subject: [Leaf-user] multi ip port forwarding
>
>
> > I've been trying to install dachstein-cd-v1.0.2 but it doesn't seem to
> > work. I wonder if any of you could help me to configure *network.conf* file
> > to fit my needs.
> > Here's my situation:
> >
> >            | internet (eth0)
> >            | ip_legal1 + ip_legal2 + ip_legal3
> >     -------------------
> >     |                 |
> >     |  dachstein cd   |
> >     |                 | DMZ (eth2)
> >     |                 |
> >     -------------------
> >            |
> >            |
> >     internal network (eth1)
> >
> > ip_legal1, ip_legal2, ip_legal3 are running services on port 25, 80, 110 and
> > will be forwarded to the DMZ, like this:
> >
> > ip_legal1 (port 25,80,110) port forwarded to 192.168.15.200
> > ip_legal2 (port 25,80,110) port forwarded to 192.168.15.201
> > ip_legal3 (port 25,80,110) port forwarded to 192.168.15.202
> >
> > All clients will use *internal network (eth1)* as their gateway to browse
> > the internet.
> >
> > please help and thanks in advance.
> >
> > regards,
> > Gregor
> >
> > +Gregor Gede W.
> > +CENTER FOR INFORMATION SYSTEM
> > +ATMA JAYA YOGYAKARTA UNIVERSITY
> > [EMAIL PROTECTED]
> > +62 81 2271 0583
> > +62 81 7467 518
> >
> > WATCHOUT! 3RD INTERNATIONAL SEMINAR ON SUSTAINABLE ENVIRONMENTAL
> > ARCHITECTURE + DIGITAL ARCHITECTURE, 9-10 MARCH 2002, YOGYAKARTA
> > http://senvar.virtue.nu or http://senvar.uajy.web.id
Re: [Leaf-user] Message log Overflow crashes EigerStein
> I had your Eiger Stein & IPSEC running great for some time now it looks like
> I need Dachstein.
>
> Do you have an image that is setup to pass IPSEC or do I have to patch in
> those modules and rules again.

You're in luck. The Dachstein kernels come pre-patched for VPN-Masquerade, so all you have to do is load the modules, and open a couple ports to get IPSec masquerading working.

> Also Is my work with EigerStein to get this to work fully transportable to
> DachStein?

Yes. While the firewall scripts have been updated, and extensively modified (mainly to support new DMZ features), the new scripts are extensions of the previous ones. I usually merge previous network.conf settings manually. NOTE: I typically mount my old floppy (or config disk) once I've booted a fresh Dachstein disk, and uncompress the old filesystem into /tmp, so I can copy/edit/compare files. Just "gunzip

http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Re: DCD package request for inclusion in next CD image
> I may open a floodgate by making this request, as other requests
> may follow from others, but here goes:
>
> please include the latest bind package in the next CD image of
> Dachstein.

The 9.x versions of Bind don't really like compiling on a glibc as old as that used for LEAF, or I would have done this already...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] need help with port forwarding
Maybe u can help me out here... I have the same problem as you had, whereas the bride was inside waiting while the groom stood outside behind the locked door. I tried all options that u were told to try, but still my port forwarding is giving problems. Can u probably be so kind as to send me a copy of your network.conf? I'm using dachstein cd v1.02.

Here are my loaded modules:

ip_masq_autofw
ip_masq_ftp
ip_masq_icq
ip_masq_mfw
ip_masq_mms
ip_masq_portfw
ip_masq_pptp
ip_masq_raudio
ip_masq_user
ip_gre

This is where I think I open the door for the groom:

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS="0/0_1723 0/0_smtp 0/0_pop-3"

And this is where I enable the port forwarding:

#
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1    # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.10.5   # Internal WWW server to make available
INTERN_SMTP_SERVER=192.168.10.1   # Internal SMTP server to make available
INTERN_POP3_SERVER=192.168.10.1   # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1   # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1    # Internal SSH server to make available
#EXTERN_SSH_PORT=24               # External port to use for internal SSH access

When I send a test e-mail to my e-mail server behind the firewall, and I use tcpdump to check, I can see the smtp packet arriving, but when I check the mail server SMTP log, I see no incoming connections...

Thanks for your help...

On Thu, 3 Jan 2002 00:25:26 -0800, Peter Jay Salzman wrote:
>dan, you hit the nail on the head. the bride was definitely locked out
>of the church.
>
>once the lock was opened, she came screaming down the aisle, rushed the
>altar and now the deed is done. i'm running a fully operational
>dachstein cd firewall.
>
>thank you!
>
>pete
>
>begin [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>> Do you have the corresponding ports *open* in the EXTERN_TCP_PORTS section? If
>> not, the forwarding rules are inside waiting for a bride that's locked out of
>> the church ;)
>>
>> Also, since it looks like you have re-numbered your network from the default
>> (changed 192.168.1 to 192.168.0) you should have a stroll back thru your
>> configs, to make sure you have changed every instance of 192.168.1.
>>
>> Dan
>>
>> Quoting Peter Jay Salzman <[EMAIL PROTECTED]>:
>>
>> > i'm using dachstein 1.0.2 on a home network firewall. everything seems
>> > hunky dory:
>> >
>> > network cards are both recognized and configured correctly
>> > masquerading works on the internal machines
>> > everyone can ping everyone, both inside and out.
>> >
>> > the last hurdle is port forwarding -- it looks ok, but isn't working
>> > (i'm not receiving mail, and i can't telnet to the smtp port from a
>> > remote machine). note that the internal server that handles mail, ftp
>> > and apache is satan.diablo.net (192.168.0.2). the firewall is
>> > mephisto.diablo.net (eth0: 64.164.47.8 eth1: 192.168.0.1).
>> >
>> > modules:
>> > ip_masq_user      3708   0 (unused)
>> > ip_masq_portfw    2416   4
>> > ip_masq_ftp       3576   0 (unused)
>> > ip_masq_mfw       3196   0 (unused)
>> > ip_masq_autofw    2476   0 (unused)
>> > rtl8139          10856   1
>> > tulip            32424   1
>> > pci-scan          2300   0 [rtl8139 tulip]
>> > isofs            17692   0
>> > ide-cd           22672   0
>> > cdrom            26712   0 [ide-cd]
>> >
>> > forwarded ports:
>> > # ipmasqadm portfw -l
>> > prot localaddr                                rediraddr              lport  rport  pcnt  pref
>> > TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  24     ssh    10    10
>> > TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  smtp   smtp   10    10
>> > TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  www    www    10    10
>> > TCP  adsl-64-164-47-8.dsl.scrm01.pacbell.net  satan.diablo.localnet  ftp    ftp    10    10
>> >
>> > here are the relevant variables i've set. i'm wondering what the
>> > difference between them is. they look to do the same thing to me:
>> >
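Dan's diagnosis in the quoted exchange (a forward in INTERN_SERVERS or INTERN_*_SERVER does nothing unless the same external TCP port is also listed in EXTERN_TCP_PORTS) is easy to get wrong by hand, and the multi-IP layout Gregor asks about in the "multi ip port forwarding" thread multiplies the number of entries to keep in step. The block below is an added example written for this page; it is not code from the thread or from the Dachstein scripts, and it does not try to reproduce how Dachstein itself parses network.conf. It reads the KEY=value lines shown on this page, expands the forwards, and lists the ones whose external port is not opened. Assumptions made for the example: the service-name table (values as in a conventional /etc/services), that only the shortcut variables visible in the poster's config exist, that only TCP is checked (EXTERN_TCP_PORTS is the only open-port list on the page), and the sample configs, which use documentation address space (192.0.2.0/24, 203.0.113.0/24) rather than anyone's real IPs.

```python
"""Check a Dachstein-style network.conf for TCP port-forwards whose external port is not opened."""

# Service names used in network.conf on this page, resolved as a conventional /etc/services would (assumed values).
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "pop-3": 110, "imap": 143, "pptp": 1723}

# INTERN_xxx_SERVER shortcuts seen in the poster's network.conf, and the service each one forwards.
SHORTCUTS = {
    "INTERN_FTP_SERVER": "ftp", "INTERN_WWW_SERVER": "www", "INTERN_SMTP_SERVER": "smtp",
    "INTERN_POP3_SERVER": "pop-3", "INTERN_IMAP_SERVER": "imap", "INTERN_SSH_SERVER": "ssh",
}


def port_of(name):
    """'smtp' -> 25, '1723' -> 1723."""
    return int(name) if name.isdigit() else SERVICES[name]


def load_conf(text):
    """Minimal KEY=value reader: drops '#' comments and surrounding quotes, ignores other lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def forwards(conf):
    """Expand INTERN_SERVERS and the INTERN_*_SERVER shortcuts into (proto, ext_ip, ext_port, int_ip, int_port)."""
    ext_ip = conf.get("EXTERN_IP", "")
    result = []
    for entry in conf.get("INTERN_SERVERS", "").split():      # proto_extip_extport_intip_intport
        proto, eip, eport, iip, iport = entry.split("_")
        result.append((proto, eip.replace("${EXTERN_IP}", ext_ip), port_of(eport), iip, port_of(iport)))
    for var, svc in SHORTCUTS.items():                        # shortcuts always use the primary external IP
        if var not in conf:
            continue
        eport = port_of(conf["EXTERN_SSH_PORT"]) if svc == "ssh" and "EXTERN_SSH_PORT" in conf else port_of(svc)
        result.append(("tcp", ext_ip, eport, conf[var], port_of(svc)))
    return result


def open_tcp_ports(conf):
    """EXTERN_TCP_PORTS entries are 'srcip/mask_dstport'; return the set of destination ports."""
    return {port_of(entry.split("_", 1)[1]) for entry in conf.get("EXTERN_TCP_PORTS", "").split()}


def locked_out(conf):
    """TCP forwards whose external port is not opened: the bride waiting for a groom stuck outside."""
    opened = open_tcp_ports(conf)
    return [f for f in forwards(conf) if f[0] == "tcp" and f[2] not in opened]


def intern_servers_for(ext_ips_to_hosts, services):
    """Build an INTERN_SERVERS value forwarding each service on each aliased IP to its DMZ host."""
    return " ".join(f"tcp_{eip}_{svc}_{host}_{svc}"
                    for eip, host in ext_ips_to_hosts.items() for svc in services)


# Constructed sample modelled on the poster's config, with the WWW line uncommented but no www port opened.
SAMPLE_CONF = """
EXTERN_IP=192.0.2.8
EXTERN_TCP_PORTS="0/0_1723 0/0_smtp 0/0_pop-3"
#INTERN_FTP_SERVER=192.168.1.1      # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.10.5      # Internal WWW server to make available
INTERN_SMTP_SERVER=192.168.10.1     # Internal SMTP server to make available
INTERN_POP3_SERVER=192.168.10.1     # Internal POP3 server to make available
"""

if __name__ == "__main__":
    for proto, eip, eport, iip, iport in locked_out(load_conf(SAMPLE_CONF)):
        print(f"forward {proto} {eip}:{eport} -> {iip}:{iport} has no matching EXTERN_TCP_PORTS entry")
```

`intern_servers_for({"203.0.113.1": "192.168.15.200", ...}, ["smtp", "www", "pop-3"])` produces the nine-entry INTERN_SERVERS value Gregor's layout needs; feed the result back through `load_conf` and `locked_out` to confirm the three services are also opened before rebooting the box.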
Re: [Leaf-user] multi ip port forwarding
Hi Gregor,

I know that I had some issues with this. I had 2 alias addresses bound to my external interface. I was able to receive traffic on them and portfw them correctly. But then I tried FTP and I found that all other outbound traffic gets masq'd on the primary IP, not the alias. From what I read at the time, that is just how it is, and you cannot masq out with the alias IP. That also gave me a problem with my Dynamic DNS, as it would register the primary, and not the alias address.

This might give you a problem with SMTP, but I wouldn't think that it should affect the Web and Pop components.

I hope that helps a bit.

Cheers

----- Original Message -----
From: "GREGOR" <[EMAIL PROTECTED]>
To: "linux-router" <[EMAIL PROTECTED]>
Sent: Tuesday, January 15, 2002 1:18 AM
Subject: [Leaf-user] multi ip port forwarding

> I've been trying to install dachstein-cd-v1.0.2 but it doesn't seem to
> work. I wonder if any of you could help me to configure *network.conf* file
> to fit my needs.
> Here's my situation:
>
>            | internet (eth0)
>            | ip_legal1 + ip_legal2 + ip_legal3
>     -------------------
>     |                 |
>     |  dachstein cd   |
>     |                 | DMZ (eth2)
>     |                 |
>     -------------------
>            |
>            |
>     internal network (eth1)
>
> ip_legal1, ip_legal2, ip_legal3 are running services on port 25, 80, 110 and
> will be forwarded to the DMZ, like this:
>
> ip_legal1 (port 25,80,110) port forwarded to 192.168.15.200
> ip_legal2 (port 25,80,110) port forwarded to 192.168.15.201
> ip_legal3 (port 25,80,110) port forwarded to 192.168.15.202
>
> All clients will use *internal network (eth1)* as their gateway to browse
> the internet.
>
> please help and thanks in advance.
>
> regards,
> Gregor
>
> +Gregor Gede W.
> +CENTER FOR INFORMATION SYSTEM
> +ATMA JAYA YOGYAKARTA UNIVERSITY
> [EMAIL PROTECTED]
> +62 81 2271 0583
> +62 81 7467 518
>
> WATCHOUT! 3RD INTERNATIONAL SEMINAR ON SUSTAINABLE ENVIRONMENTAL
> ARCHITECTURE + DIGITAL ARCHITECTURE, 9-10 MARCH 2002, YOGYAKARTA
> http://senvar.virtue.nu or http://senvar.uajy.web.id
[Leaf-user] Confusing packet in firewall logs
I know "What's this in my logs" is a common query, but I really am confused this time.

I'm getting a few of these in /var/log/messages per minute.

Jan 15 10:40:14 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61797 L=44 S=0x00 I=23250 F=0x T=60 (#42)
Jan 15 10:40:29 firewall kernel: Packet log: input DENY eth0 PROTO=6 192.168.254.254:80 217.149.96.2:61795 L=44 S=0x00 I=23251 F=0x T=60 (#42)

I'm confused because eth0 is my external interface. 217.149.96.2 is the ext IP of the firewall. 192.168.254.254 doesn't appear anywhere on the LAN.

The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl tells me it's a return packet from a website someone on my network is trying to view, but given the 192.168.x.x source address I'm not sure that's correct.

One more thing that may be significant (or just simple coincidence), I had our ADSL service changed from NAT to no-NAT in December, and the NAT router's internal address was 192.168.254.254. I changed over from Eigerstein to Dachstein at the same time though (effectively starting from scratch), so I don't think it's possible I've got some old setting in the firewall still hidden somewhere.

Does anyone have any ideas?

thanks

Julian

--
[EMAIL PROTECTED]
www.ljchurch.co.uk
RE: [Leaf-user] pppd timing out.
Did you activate the debug option? This option is in the same file where you specify the demand, port and speed options. Then, call again and look in the messages for clues.

My pppd works just fine. I only use slhc, ppp_deflate and ppp to make it work. But my setup is not based on diald, it's based on Trevor's dialout package.

-----Original Message-----
From: Mark Lubratt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 15, 2002 7:04 AM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] pppd timing out.

Hi!

I've been banging my head against a wall for about 3 days now. I have an LRP system running on a 486 (dachstein 1.02).

The system is supposed to be a router/firewall for a small home network. It will serve DHCP as well. The eth0 interface is on the local network.

I want to have diald working on it so that I can force a link during the day and make other times be on demand. I have the diald22.lrp package as well as the pppd.lrp package installed. I recompiled the kernel (2.2.19-3-LEAF) to incorporate the serial drivers directly into the kernel (serial.o didn't seem to work). I'm using the slip, slhc, ppp, ppp_deflate and bsd_comp modules.

The system seems to be dialing and connecting to my ISP just fine. I get a message in syslog that ppp0 has been registered and then immediately a message talking about initializing the modem. It would seem that pppd is hanging or dying early.

I've looked all through the mail archives and deja.com. People keep referring to mail messages where this has been solved, but I can't seem to find them. Does anyone out there have a working diald/pppd LRP setup?

Any help here would be greatly appreciated!

Mark
[Leaf-user] questions regarding LRP
Hi everyone and thanks in advance for the help. I've got three questions on using the Dachstein version of LRP based on the linux 2.2.19 kernel.

1) Are there any modules for dial ups available for that version, or can I use the dialup modules based on another kernel (2.9.4)?

2) Is there a module for laptop pcmcia cards, or do you know any sources of those modules / how I can make them?

thanks for the help-

mlinux