Re: [Cooker-firewall] Why are update questions not being answered?
On Thursday 26 July 2001 20:12, you wrote:

> Why does it seem like every question regarding the failure of updating is ignored?

Hi,

I think the problem is being worked on (as many have guessed, this might be as simple as ftp not being forced into passive mode or high ports not being opened properly). I don't know what the current status of this bug is, nor what has changed between the beta versions (when it worked) and the final release, but we'll let you know when everything's OK with snf updates, and give the proper fix.

Regards,
Renaud
Re: [Cooker-firewall] Re: Why are update questions not being answered?
On Friday 27 July 2001 12:27, you wrote:

> I think we can rule out the active/passive ftp. I opened up the bastille script to allow active ftp and the update still didn't work :-( I have also, through tcpdump, noticed that I do get a response from the selected ftp-server, so the error is probably later in the parsing of the data. I can send you a transcript from tcpdump of a session if it helps you (I doubt it though).

I've taken a look and found the problem. This has nothing to do with the network configuration, but is due to changes made in the update policy at the final stage of the product: snf now has its own directory for updates, but since it's a 7.2 at its core, the updated packages are the same and so are simple _links_ to the 7.2 updated packages. Being a link simply breaks a regular expression in the scripts that handle the packages list: packages_to_update.pl, download_packages.pl and show_description.pl. I think this had been tested only with real files :-(

Since they're small, I attach the modified files to this mail; tell me if this fixes the problem. They must be placed in /usr/share/naat/scripts/

Regards,
Renaud

Attachments: packages_to_update.pl, download_packages.pl, show_description.pl
Re: [Cooker-firewall] Re: Why are update questions not being answered?
On Friday 27 July 2001 14:14, you wrote:

> I have just tested this, and I still got an empty list. I then restarted the httpd-naat process to see if that would help, and the same thing occurred. I would like to help as much as I can to assist in fixing this problem. I am ready to test any updates you would like. Or if you like, you can have access directly to my system if it will help.

Can you try this on a console:

config-wrapper.pl test --get CurrentMirror
config-wrapper.pl test --get PackagesToUpdate

and give me the results? Thank you for your help! If this is needed I'll accept your offer to access your system :-)

Renaud
Re: [Cooker-firewall] Initial configuration troubles
On Friday 29 June 2001 02:01, you wrote:

> I'm experiencing a problem that I hope is a quite simple one: I can't get an installation of the cooker-firewall to pass packets to the internal network it is firewalling. I've installed numerous times on completely different known-good hardware and connected to different external networks. In fact I have had no trouble making this work using at least two of the pre-release versions of the cooker. But everything I try with the current release version leads to frustration.
>
> Installation and setup goes without problem. After rebooting into the firewall I am able to log on from a machine connected to eth0 (internal interface) and make configurations via the browser interface. DHCP setup is flawless; all connected computers are leasing addresses correctly. I am able to ping internal network machines and likewise from the cooker box I am able to ping the outside world - but I can't reach the outside world from the internal network in any way at all. The firewall rules are on (but turning them off makes no difference) although I have done no particular configuration there since it appears to be pre-configured for normal internet access.
>
> I've run through every page of the administration interface and the documentation looking for the piece of the puzzle that is missing in the final release and I am ready to admit that I am stumped. Has anyone else had this experience? I'm assuming I must not be alone in this since I'm not exactly new to networking/firewalling/NAT. Can someone _please_ point out the bonehead mistake I'm making here? Did I forget some magic step I must have done with the pre-release versions to make this work?
>
> Thanks, Todd

Hi,

(trying again, I had a problem with my previous e-mail).

Here are a few hints to try and find what's going wrong:

- activate the logging of rejected packets (System/Alert), try to connect to the Internet from a client computer and then read the appropriate logs (Monitoring menu)
- have you tried firewall rules on with all connections allowed?
- do your client computers set their default gateway correctly?
- if none of the above gives anything useful, then I have no clue for now; try to stop the bastille-firewall script manually and set the forwarding and masquerading by hand with minimal security:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  ipchains -A forward -s <internal network address> -j MASQ

  and then investigate; since you seem to know a bit about networks and NAT you may find something on your clients or the firewall.

In any case, give us feedback so that we can further help you and maybe fix a bug in the product.

Regards,
Renaud
Re: [Cooker-firewall] Mandrake Firewall and other distribs
On Thursday 21 June 2001 22:40, you wrote:

> Hi guys, is there a way to install the naat stuff on another distribution like Redhat 6.2? I am asking that because I need to add firewall functions to a machine already in production and used for specific applications. Thanks.
> Jerome

Well, we have never tested this kind of situation, obviously, and I expect a lot of trouble if you try that. Except for the adsl stuff, this could work though, but you'll need at least to know a bit about rpm packaging, and adapt the spec files of naat-frontend-www, naat-backend, naat-monitoring and httpd-naat to rebuild them for your distro. You'll need to manually edit the interfaces configuration too, unless you also want to install drakxtools on your distro. If you really want to do that, you should of course test it on a test machine and not the production one!

Regards,
Renaud
Re: [Cooker-firewall] i386 build please?
On Thursday 14 June 2001 13:33, you wrote:

> My wife and I are going to be setting up our firewall in the next week for connecting to Road Runner and I would be extremely grateful if either a) someone at Mdk built an i386 ISO image, or b) someone pointed me to a resource explaining the steps involved in turning the /i386/ directory into an ISO image (do I just have to copy them out to CD?). Thanks in advance :) (and yes, if I get this working, I'll make a nice-sized donation in the fall when my college loans come in)

Well, if you have a 486 DX you can use the i586 version. If this is an i386 or i486 SX (no arithmetic coprocessor), then I don't know when we will support it by releasing the appropriate i386 iso.

Regards,
Renaud
Re: [Cooker-firewall] i386 build please?
On Thursday 14 June 2001 14:19, you wrote:

> Is there an i586 ISO of the final version yet? The only ones I have been able to find (still) are the ones dated May 5th 2001. Thanks.

This is strange, the mirrors problem should be over. Could you try another ftp mirror?

Regards,
Renaud
Re: [Cooker-firewall] ADSL Problems and RC2(SNF?)
On Wednesday 30 May 2001 00:24, you wrote:

> disappears and I have to reconfigure the ADSL connection.

You shouldn't need to. When you click on the Internet Access menu, you have the possibility to stop and start the connection (stop it first even if it is down, to kill processes if needed).

> 'ifconfig ppp0' says the interface doesn't exist.

With ADSL, you can lose the ppp0 interface while a process like the pptp manager stays in memory. Using the start and stop buttons in the interface will trigger the appropriate init script, which will take care of cleaning up and starting the connection in a proper manner. If you want to do it manually, you can use the init script directly:

/etc/init.d/adsl stop
/etc/init.d/adsl start

Renaud
Re: [Cooker-firewall] ADSL Problems and RC2 (SNF ?)
On Tuesday 29 May 2001 01:15, you wrote:

> Hi, After successfully setting up my ADSL connection I find that if I set it to automatically reconnect when the link dies, it reconnects every couple of hours. (I check this by looking for the IP address on ppp0.)

Hi,

The reconnection script might be a little too aggressive in your case; you can check adsl-reconnect.sh and tweak the ping command to wait a little more or try more than once.

> If I disable reconnection the link stays up for 3 days then the ppp0 interface disappears and I have to reconfigure the ADSL connection.

You shouldn't need to. When you click on the Internet Access menu, you have the possibility to stop and start the connection (stop it first even if it is down, to kill processes if needed).

> I'm using RC1 and that leads me to my next problem. I have downloaded the SNF iso from about 4 different sites and when I burn the CD there is no directory on the CD. The iso returns the wrong md5sum. I have tried using different browsers and also command line ftp (using binary transfer) without success. The md5sum is always the same. (wrong).

I'm not aware of a problem with the ISOs, I'll ask.

Renaud
Re: [Cooker-firewall] ip_masq_pptp
On Monday 28 May 2001 23:39, you wrote:

> Renaud, I have been down for a while, but do I understand correctly that there will be no pptp support at all in Mandrake Firewall? Or at least in the current version with kernel 2.2.19? Will it come back in later kernels (2.4 and up)? Do we now forward the port straight to the IP address behind the firewall? I do need the pptp stuff to be able to work from home.

Hi,

There is support for pptp as a client, but not for a masqueraded tunnel. So you can connect with adsl, but you can't make a vpn with pptp. You can still patch and recompile the kernel if you need to, but we don't support it since the kernel becomes vulnerable. Of course, when we make the advanced firewall based on a 2.4 kernel, vpns will be a main feature, so we'll take a close look at this, as well as IPSec.

Renaud
Re: [Cooker-firewall] ip_masq_pptp
On Tuesday 29 May 2001 09:45, you wrote:

> hi! i also need the pptp masquerade feature. please do not forget about it in future releases! :) at this moment i have applied the vpn patch and recompiled the kernel myself and live in a dangerous way... :-)

Could you check that the modules you compiled work with our kernel? I think you could help Dallas and maybe others that really need ip_masq_pptp. I don't know if the module alone will work but that's worth a try.

Regards,
Renaud
Re: [Cooker-firewall] Query on Mandrake Security
On Wednesday 23 May 2001 09:42, you wrote:

> Hi, I hope this is the right mailing list but anyway, I was wondering if it is possible to set up the following configuration on Mandrake Security: connecting an ADSL router to the Mandrake Security box and having all incoming traffic on one NIC card and all outgoing traffic on another NIC card. The two NIC cards would have to have separate IP ranges because the ADSL router has its IP hard coded into it and our LAN is on a different range. I'm guessing it's possible to do, but if you have any tips on setting up this configuration I would be very grateful. Currently I'm running a smoothwall box which does this job but doesn't have the logging and restrictions I need.

I think you can do this with the Lan/Cable configuration in our Internet Access menu: this will set a firewall between your local network and the ADSL router (the local network on your side of the adsl router, connected to the external interface of your firewall).

Regards,
Renaud
Re: [Cooker-firewall] Internet Configs - Remote Test Host
On Monday 21 May 2001 23:51, you wrote:

> Hi, I've installed RC1 and after fixing the problem with dhcpd.conf, I have a dhcp server and an ADSL connection. All in just over one hour! On the management screen there is a remote test host ip address that is used to determine if the adsl link is up or down. I changed this to my ISP's 3rd DNS and the link is always shown as down. Unfortunately the help button on that screen doesn't work. Can someone tell me what this remote host is, how I should configure it and how it works?
> Dallas

The default IP address for testing the connection is the internic IP. You can change this to any IP you want (an IP number is recommended; putting a dns name might not work if your dns is not configured correctly, even if your connection itself works). The test is only a ping, performed by a script called pingtest.sh, which uses pingtest.conf (containing the host defined in the web interface).

Regards,
Renaud
Re: [Cooker-firewall] UDP Ports for StarCraft
On Monday 28 May 2001 20:15, Florin Grad wrote:

> Stephen Thomas [EMAIL PROTECTED] writes:
>
> > Does anyone know what I have to do to get StarCraft working through the Firewall? When I try to get on to Battle net it comes back with the error that it can't process UDP packets through port 6112. I went into the firewall settings page and opened up UDP port 6112 but it still isn't working. Any ideas?
>
> Hi there, as usual in such cases, you should activate the log of the rejected packets in System properties / Alert and then allow the blocked ones. So, you should get the error messages from the firewall and not from the game.

I would add that ports are often negotiated and so do not have a fixed value. Sometimes one must open all high ports (1024:) to have an online game work. Sometimes a range of ports is enough (say 6000:7000 for instance).

cheers, regards, :-)
Renaud
Re: [Cooker-firewall] Some strange things with SNF (RC2?) Part II
On Friday 18 May 2001 14:57, you wrote:

> Here it comes: The installation was as usual to the point of network settings. Then:
> 1) A list of NICs was presented where I have chosen 3C905.
> 2) On the next window it asked me if I want to autoprobe. I've selected yes.
> 3) A message appeared: Found 3C905 interfaces. Do you have another one? I've selected NO.
> 4) Next window with local network settings on interface eth0 with default settings. I've selected all default.
> 5) Then a list appeared where I've selected cable network configuration.
> 7) List with the cards again as in step 1, step 2, step 3.
> 6) IP/DNS/Gateway configuration for eth0 appeared again. Don't know why? I didn't change anything.
> 7) IP/DNS/Gateway configuration for eth1 appeared. Configured eth1 to be the internet device.
>
> Actually, after 2-3 installs and some poking around, I've managed to get the right installation. The difference was that I've selected YES in step 3. Then the window with default settings for eth0 did not appear and I was prompted to enter the values myself.

Hi,

I think the problem is related to dns or gateway configuration: after network configuration, I think the install program is trying to guess what the external interface is by looking at additional information like the gateway. You should only put an IP address for the local interface (i.e. remove the additional default information which shouldn't be proposed there). Local network / Cable network configurations overlap a little as they were designed initially for a single network card on a home computer. Adsl, isdn and analog modem cases are currently easier to configure than the cable network access.

> As I said in the previous message, the interface for the network devices configuration is very confusing. I've spoken to two friends of mine and they also have found it confusing. Bear in mind that we are not that much Linux gurus, although I have been on and off the Linux field since 1997. So, maybe it's just us...

No, you're right. There are discussions currently to redesign this part of the installation (on the main distribution, which is the basis of any other product), so that it will be more user friendly and present information in a less confusing way. Unfortunately we couldn't do it earlier.

Regards,
Renaud
Re: [Cooker-firewall] webmin
On Tuesday 15 May 2001 18:50, you wrote:

> thanks renaud, i did this and now it works. i am confused however by the interface to this configuration since i also opened a port for a certain file sharing activity and only one is listed at a time, thus it is not clear how to 'close' a port afterwards. is this a design feature or because it is still only an rc1 level release?

At first I didn't understand your question, now I think I know: "port" should be read as "ports" in the interface... So you have to list all the ports you want to open (by default only 'ssh' is listed).

Renaud
Re: [Cooker-firewall] Printing to the outside printer
On Tuesday 15 May 2001 20:09, you wrote:

> I have tried to open ports. I did something like 6:62000 but I could still see rejected packets. BTW is it safe to open these ports?

You did not say if it worked with all high ports open (1024:); there may not be a restricted range of negotiated ports with jetdirect, so you may need to live with all high ports open. Btw, to answer your last question, it's always safer to open the fewest possible number of ports, but opening high ports is safer than opening low ports. So obviously this is not such a good idea to print to an outside printer, but if you need to... :-)

Renaud
Re: [Cooker-firewall] webmin
On Wednesday 16 May 2001 14:33, you wrote:

> I dealt with a similar issue while installing SAMBA. The NAAT server web tool allows configuration of the firewall rules from the server to the outside (INET) and from the INET to the server but not the configuration on the LOCAL network (AFAIK). So what I did was to open up the ssh client (I use putty) and edit the file /etc/bastille-firewall.conf and under the section TCP_INTERNAL_SERVICES= I put all the services that I wanted access to (i.e. 8443 is there by default). I added ports 137 - 139 for SMB, ports 20 - 22 for ftp and ssh and port 80 for web. Then execute bastille-firewall-reset and the firewall is modified and ready to go.

Look at my previous answer about webmin: what you are looking for is in Restrict Access / Firewall Services.

> Now if someone would just help me set up a regular web server for LAN and INET use I'd be truly grateful.

Configure a normal apache as Philippe described in a previous e-mail, and open www in Restrict Access / Internet Traffic and Restrict Access / Firewall Services.

Regards,
Renaud
Re: [Cooker-firewall] webmin
On Tuesday 15 May 2001 03:17, you wrote:

> hi, i have just managed to get my cable modem up and running with cooker firewall rc1. i am having trouble getting webmin to work: i have installed webmin plus the perl_SS thingy but doing https://192.166.0.1:1 from my other machine gets nowhere, however https://192.168.0.1:8443 gets me to the naat server so i can't see what i am doing wrong. is there some sort of allow/deny file for webmin? i have allowed webmin in the 'restrict access / internet traffic' configuration in naat even though i only want to use webmin from a local network box - is this correct? all the docs i can find for configuring webmin all assume that you can log on via https in the first place!

The problem is with port 1, and you try to connect *to* the firewall from the internal network. Go to Restrict Access / Firewall Services and add this port; this should work.

Renaud
Re: [Cooker-firewall] problems with 2 nics
On Tuesday 15 May 2001 06:15, you wrote:

> 8139too sorry this is not an smc card it is just a generic realtek card.

You're right, my mistake. In fact I have both a realtek and an smc card here and everything works all right (with modules 8139too and smc_ultra).

> yes i've already been able to do this but no matter what i do with the web interface it still refuses to see the 3com card. If I run ifconfig eth1 up it starts the 3com card. ifconfig then lists

The web interface should definitely see eth1, at least when it is active (and moreover your modules.conf seems perfectly right, so it should activate it when it's not). What version of MandrakeSecurity do you use? Have you done anything special after the installation?

Regards,
Renaud
Re: [Cooker-firewall] problems with 2 nics
On Monday 14 May 2001 17:07, you wrote:

> > ppp slhc 8139too
> >
> > This one is for the smc isa card - use ifconfig to see if any card is up
>
> eth0 on irq9 (this has to be the realtek card)

OK, so at least you should be able to connect to this interface from a client computer with a web browser, to connect to the web tool. Use https://<eth0 IP>:8443/ from a computer on the same network as your eth0 smc card.

> If I run ifconfig eth1 up it starts the 3com card. ifconfig then lists the 3com card as active. Also even though it is shown as active I can't ping anything outside of the box, even using ip addresses.

Use the web tool from a client browser, and go in Internet Access, Cable/LAN configuration. It should list your 3com as eth1, and then you can configure it to access the external network.

> > You can also comment out every info about network modules and eth* aliases in /etc/modules.conf, and use config-wrapper.pl $$ -g EthernetInterfacesList to try and detect your PCI cards.
>
> When issuing this command I get: !!! Parameter EthernetinterfacesList does not exist !!!

Beware of the capital I for Interfaces. Anyway, since you have at least the smc card ok on eth0, use the web tool; it is the way the product is meant to be used.

> Other than this the install is nice. One last thing: would it be possible to put mc in there by default? It makes it a lot easier to get around. I installed it from mandrake 8.0 and it sure helps a lot when you're at the prompt.

For mc I think this is too late. For installation with more than one card, I would recommend configuring only the single card you'll use to administer the firewall from your internal network, and then configure the internet access and everything else with the web tool.

Regards,
Renaud
Re: [Cooker-firewall] Can't Access Site
On Wednesday 02 May 2001 19:54, you wrote:

> My local machine is the Web Server. I am running LM 8.0 on my local computer and it is running my home web site. I can get to it if I type http://localhost or if I type the internal IP address. I can't get to it if I type http://www.mydomain.org from my computer. However, if I go out to the local library and use their computer to type http://www.mydomain.org I can get my website up. If I'm on a computer on the internal network I should be able to use the registered domain name of the Firewall. It should send my internal requests out to the DNS server on the internet which then turns the packets around to the firewall destined on port 80. Port 80 on the firewall then should forward the packets to my web server behind it. It does this if I'm logged on to a computer outside the firewall on the internet. It does not do this if I try to call up the web server using its url or the firewall's IP address from an internal computer.

We've got the exact same problem here: forwarding from the outside works, but forwarding from the masqueraded network does not work (I can imagine this to be very tricky in the ip frames handling code!). Internally you should use the local ip address of your web server, or set up an internal dns for your internal hosts only, to avoid going through the firewall and back (masquerading a local connection to port-forward it back might be a bit too much).

Regards,
Your faithful firewall team :-)
Re: [Cooker-firewall] Can't Access Site
On Tuesday 01 May 2001 22:24, you wrote:

> OK, I set up port forwarding so I can get to my internal site from outside the firewall. The problem is I can't access it using the URL from inside the firewall. If my system is outside the firewall and I type the url it works fine. Any of the systems inside the firewall get an error when they type the url. Is this a bug or a feature?

Could you give us your exact configuration (what services do you forward, for instance)? Is this an updated version of a beta or a plain RC1? We (the team) have set up different configurations for our personal use at home (ftp forwarding to an internal ftp server for instance, as well as opening ssh and 8443 from the outside on the firewall) and we can still access the web frontend from the inside (which is mandatory, obviously) and from the outside when 8443 is open. So if this is a bug it is quite critical.

Regards,
Renaud
Re: [Cooker-firewall] Certificates, third NIC
On Wednesday 02 May 2001 14:04, Eric Howland wrote:

> I recently downloaded RC1 and set it up in two situations. I posted a long message to this list last Sat night. I have not seen any response so I thought I would re-edit, in case the post was too confusing, simplify my question so the folks who are pushing to get out the next release don't feel they have to give a long response, and only re-post the two parts that concern me the most.

Sorry that we did not reply earlier.

> 2. From all browsers, I get a message saying that the security certificate has expired. This is more persistent from some browsers/platforms than others. I wonder if I am doing something wrong as I see no mention of this in the mailing list archives (thanks for posting the link). I also had this with the last beta version.

That's normal.

> 4. Although I know that a DMZ is not explicitly supported I thought I might be able to have some of that functionality by adding a third NIC. They are now:
> eth0 192.168.1.0/24 -- internal network
> eth1 now DHCP soon to be static external IP -- Internet connection
> eth2 192.168.2.0/24 -- DMZ subnet
> route tells me this is all in place. I got RC1 to recognize all the cards and set up a Sparc on the DMZ subnet. The sparc can ping the firewall machine, the firewall machine can ping the sparc. But if I redirect incoming HTTPD traffic to 198.168.2.56 I do not see any activity on the eth2 interface. Would people expect this to work at all?

We haven't tested this situation at all, to be honest. Nonetheless, it should work AFAIK; there may be a problem with iptoip or our ipchains rules, though. You may take a look at the logs after activating the logging of rejected packets (Alert menu) to see if any rule blocks the packets. You may also check that your eth2 interface is listed in INTERNAL_INTERFACES in /var/lib/configuration. If not, use naat-console to update it. You may also look at /etc/init.d/iptoip and /etc/init.d/bastille-firewall if you're curious enough :-)

Hope this helps,
Renaud
Re: [Cooker-firewall] Administering from an External Address
On Sunday 15 April 2001 00:16, you wrote:

> I showed Mandrake Security to my Boss and he loved it. He wants to look into installing it at our clients' networks around the region. We would need to administer it from our main office. Which file would I need to modify to enter an IP address that's allowed to manage Mandrake Firewall from an external IP address? We need to be able to manage the system from over the internet but want to set it to only respond to a specific IP address.

Hi,

You need to open the port 8443 in "Internet Traffic" to allow the connection to your firewall from the outside. You can then connect using https://external_IP:8443/

Btw, thanks for your comments :-)

Regards,
Renaud
-- 
"Every solution has its problems" - Pixel
Re: [Cooker-firewall] Administering from an External Address
On Tuesday 17 April 2001 10:11, you wrote:

> On Sunday 15 April 2001 00:16, you wrote:
>
> > I showed Mandrake Security to my Boss and he loved it. He wants to look into installing it at our clients' networks around the region. We would need to administer it from our main office. Which file would I need to modify to enter an IP address that's allowed to manage Mandrake Firewall from an external IP address? We need to be able to manage the system from over the internet but want to set it to only respond to a specific IP address.
>
> Hi,
>
> You need to open the port 8443 in "Internet Traffic" to allow the connection to your firewall from the outside. You can then connect using https://external_IP:8443/

And I should have read your mail more thoroughly...

You need to look at /etc/bastille-firewall.conf and /etc/init.d/bastille-firewall, and adapt it to specify a source IP in the rule allowing incoming public traffic (see the TCP_PUBLIC_SERVICES variable and the rule using it).

You could even add this feature to the web frontend with a little more work; tell us if you're interested (the developer documentation is not finished yet, but we can help you: all that is required is a few lines of xml).

The frontend writes the variable TCP_PUBLIC_SERVICES in the naat tool configuration file (/var/lib/naat/configuration). This variable lists the allowed ports with the format:

port1 (forward=xxx action=allow), port2 (forward=... action=...), and so on.

For instance:

ftp (forward=192.168.1.42 action=allow), 8443 (forward=--- action=allow)

The TCP_PUBLIC_SERVICES variable in /etc/bastille-firewall.conf lists only the ports (extracted from above). You can look at the template /usr/share/naat/templates/etc/bastille-firewall.conf

We could add a "from" parameter to restrict to a specific source IP:

8443 (forward=--- action=allow from=xxx.xxx.xxx.xxx)

and adapt the template to bastille-firewall.conf and the bastille-firewall init script to use this "from" parameter.

Hope this helps. Tell us if you need any more information.

Regards,
Renaud
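A small parser for the TCP_PUBLIC_SERVICES format described in the message above, added here as an illustration and not code from the naat product or the bastille-firewall scripts: it extracts the bare port list (what the bastille-firewall.conf template keeps) and, as an assumption about how the proposed "from=" parameter could be applied, prints one ipchains input rule per allowed entry restricted to that source address. The sample configuration value, the interface name eth1 and the exact rule form are constructed for the example.

```shell
#!/bin/sh
# Added example (not from naat). Parses a TCP_PUBLIC_SERVICES value in the
# "port (forward=... action=...)" format quoted in the thread, including the
# proposed "from=" field. The sample below is constructed for this example.
SAMPLE='ftp (forward=192.168.1.42 action=allow), 8443 (forward=--- action=allow from=203.0.113.7)'

# first_word: the port or service name that starts an entry (text before the
# first space or "(").
first_word() {
    printf '%s' "$1" | sed 's/^[[:space:]]*\([^[:space:](]*\).*/\1/'
}

# field: value of "name=value" inside an entry; empty when the name is absent.
field() {
    printf '%s' "$1" | sed -n "s/.*[ (]$2=\([^ )]*\).*/\1/p"
}

# public_ports: the bare port list, which is all /etc/bastille-firewall.conf
# keeps (TCP_PUBLIC_SERVICES="ftp 8443" for the sample).
public_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r entry; do
        first_word "$entry"
        printf '\n'
    done | paste -sd ' ' -
}

# public_rules: one ipchains rule per allowed entry on external interface $2.
# With from=ADDR the rule only matches that source; otherwise 0/0 (anyone),
# which is what the unrestricted rule does today. Rules are printed, not
# executed, so they can be reviewed before going into the init script.
public_rules() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r entry; do
        port=$(first_word "$entry")
        [ -n "$port" ] || continue
        [ "$(field "$entry" action)" = allow ] || continue
        src=$(field "$entry" from)
        printf 'ipchains -A input -i %s -p tcp -s %s -d 0/0 %s -j ACCEPT\n' \
            "$2" "${src:-0/0}" "$port"
    done
}

public_ports "$SAMPLE"
public_rules "$SAMPLE" eth1
```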
Re: [Cooker-firewall] Rules configuration
On Friday 16 March 2001 01:08, you wrote:

> Is there any GUI way of adding a rule in cookfire to allow internal users to connect via IPSec through the firewall? I have to allow UDP 500 and UDP 1 (easily done), but I didn't see anyplace in the web admin tool to allow IP protocol 50. Is this documented anywhere?

There's no way to do this with our GUI tool now, unfortunately. We may handle this in the future. You can take a look at /etc/bastille-firewall.conf (or preferably at the template /usr/share/naat/templates/etc/bastille-firewall.conf, which is applied when you configure the rules with the GUI) and /etc/init.d/bastille-firewall, to let protocol 50 through.

Regards,
Renaud