ipchains
Dear All,

I need your help :) I'm using ipchains, it works fine etc., but I see that it has some problem with cutting off some hosts. I'm using, e.g.:

- ipchains -A input -s xxx.xxx.xxx.xxx -j DENY -l
- ipchains -A input -s xxx.xxx.xxx.xxx -i eth0 -j DENY -l

for this. When I connect from a PC with Win98, no problem, I cannot connect. When I connect from a PC with W2K, I have access to the services?? Any suggestions... Thanks for the help.

Wojtek

--
Would you like to earn or "earn extra" really good money? You'll receive up to 300 PLN for every company you bring into the e-business Centre. Look among your acquaintances, find a company and fill out a simple form with it. To get started, go to http://praca.getin.pl and become a Getin Partner.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: compile libc5 ...
Jau,

Compiling a "libc5 program" on "libc6" must be simple work. You have to modify all the functions that have been changed from libc5 to libc6. I don't know which functions have been changed, but I think they are small changes like "an argument in a function", "the name of one function", ... I hope you can compile it...

(Sorry for my English)

--
yoros
Re: compile libc5 ...
On Thu, Jun 28, 2001 at 07:22:44PM +0200, Marc-Christian Petersen wrote:
> Hi all,
>
> maybe or sure a little bit offtopic, but i don't know where to ask to get a
> REAL helpful answer for my question.
>
> How can i compile a program with libc5 on a libc6 2.2 (glibc 2.2) system
> correctly ?
>
> Hope any one in here can help me out!!

libc5-altdev, search for other altdev packages... then you'll get some i486-linuxlibc1-gcc/g++, might need some gcc=altdev package too for that.

--
,---.
> Name: Alson van der Meulen <
> Personal: [EMAIL PROTECTED] <
> School: [EMAIL PROTECTED] <
`---'
Yes, I chowned all the files to belong to pvcs. Is that a problem to you?
compile libc5 ...
Hi all,

maybe or sure a little bit offtopic, but I don't know where to ask to get a REAL helpful answer for my question.

How can I compile a program with libc5 on a libc6 2.2 (glibc 2.2) system correctly?

Hope anyone in here can help me out!!

Thanks a lot!

Kind regards,
Marc
Re: How to route
Marco Tassinari writes:
> > > > Good idea! But is it a Good Thing? mhhh... yes, it seems!
> > > Ok, as a definitive solution I'll do it and update to
> > You definitely don't have to update to iptables and 2.4 kernels
> > to NAT.
> Yes, but in the future...

You're right, but some admin would say 'never change things that are working well'... Your router manager, for example (sorry, it was a too simple joke to do ;-)

> Last month I enabled bridge within a 2.2.19 (tar.gz) kernel and there was
> no 'bridge' chain in ipchains. The chain appeared magically applying a
> linux_brfw_2.2.17.diff to the kernel and recompiling it...
> perhaps I was wrong and that was not the point, I don't remember.

Sorry, I didn't understand that you wanted to configure the firewall with bridge. I only noticed that you wanted to do an ethernet bridge with your box (which is possible without a patch).

> > Last thing, i'm wondering why you need bridging ? I presume you are
> > making a mismatch between NAT and Ethernet-Bridging, which are
> > significantly
> > different ...
>
> Well... a bridge is a /---\ on a river between two networks... it has a
> learning algorithm to know who can traverse it. Howto said.

Yes it is. With a bridge, you can say two physically different networks are the same network. The learning algorithm, as far as I know, is that the bridge maintains a list of all the nodes it can see from its different interfaces (switches (and stacks of switches) do so but are the same physical network); if you've got a lot of machines and physically separated networks, it's useful. However, if you want to NAT, you don't need a bridge: you want a single public address to serve your entire private network (and services with port forwarding).

> A Nat is a way to redirect a packet to or from somewhere...

Also right.

> They can both solve my problem, but perhaps Nat was designed for me.
> When I say Nat i mean "iptables nat" because is the only Nat I know under
> linux.
> Yes, what I'm going to do with a bridge could be seen as a Nat.
> Oo.

I think so. I think you don't need a bridge and you can simply configure a firewall / gateway for your private network.

> And why I need bridging...? because I don't want to modify the router as
> my old good poor manager asked to me...!

As someone already said: it's another level of security to modify your router.

Bye.

--
Davy Gigan
System & Network Administration
University Of Caen (France)
Re: What about closed ports?
On Jun 28, 2001 09:28 -0300 Pedro Zorzenon Neto wrote to [EMAIL PROTECTED]:
|Is there any way of getting some exploit in a CLOSED port? Some kernel,
|ipchains or other bug that allows someone explore closed ports?
|What about ports that are opened to 192.168.1.x but are REJECTed by
|ipchains to the internet. Are they explorable by internet?
|If the port is CLOSED, then it's safe?
|

There is always a way to exploit a closed port by generating some clever overflow in the program which sits on the port and listens. If one finds a way to crash your ipchains remotely, it will be possible to run illegal code on your box. On the other hand, I guess that crashing ipchains will be the last thing a hacker tries to do. Much easier is to find some daemon on an opened port (sendmail or bind, i.e.) and exploit it. If you have more than one NIC and the service runs only on the local network adapter, there will be no way to exploit it from the internet side.

Kalev
What about closed ports?
Hi folks,

Suppose I trust ultimately in my 192.168.1.x users. To the outside world the only service 'nmap' shows opened is tcp port 22 -> ssh. So, if 'ssh' has some security bug, people can use this bug to exploit my system. That I know is true.

Now, what I'd like to know... Is there any way of getting some exploit in a CLOSED port? Some kernel, ipchains or other bug that allows someone to exploit closed ports? What about ports that are opened to 192.168.1.x but are REJECTed by ipchains to the internet. Are they exploitable from the internet? If the port is CLOSED, then it's safe?

Thanks in advance,
Pedro

---
My ipchains rules are:

Chain input (policy REJECT):
target prot opt     source          destination  ports
ACCEPT all  --      127.0.0.1       0.0.0.0/0    n/a
ACCEPT icmp --      0.0.0.0/0       0.0.0.0/0    * -> *
ACCEPT tcp  --      192.168.1.0/24  0.0.0.0/0    * -> *
ACCEPT udp  --      192.168.1.0/24  0.0.0.0/0    * -> *
ACCEPT tcp  -y--l-  0.0.0.0/0       0.0.0.0/0    * -> 22
ACCEPT udp  l-      0.0.0.0/0       0.0.0.0/0    * -> 1024:65535
ACCEPT tcp  !y      0.0.0.0/0       0.0.0.0/0    * -> 1024:65535
REJECT all  l-      0.0.0.0/0       0.0.0.0/0    n/a
Chain forward (policy MASQ):
Chain output (policy ACCEPT):
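The thread's question is really about what the filter lets through before any socket, listening or closed, ever sees the packet. The following is an added example, not code from the list: it transcribes the input chain Pedro posted into a table and evaluates constructed sample packets against it with ipchains' first-match semantics (interface matching and the `l` log flag are ignored; the source addresses 203.0.113.5 and 192.168.1.7 are made up).

```python
"""Added example (not from the list thread): first-match evaluation of the
ipchains 'input' chain posted above, against constructed sample packets.

It shows which packets from the internet are ever handed to the TCP/IP stack
(and so to a daemon, or to the stack's own RST for a closed port) and which
are rejected by the filter first. Interface matching and the 'l' (log) flag
are ignored.
"""
import ipaddress

# Rules transcribed from the posted listing, in order (first match wins).
# syn: True = '-y' (SYN packets only), False = '! -y' (non-SYN only), None = any.
INPUT_CHAIN_RULES = [
    # target    proto   syn    source            dest ports (inclusive)
    ("ACCEPT", "all",  None,  "127.0.0.1/32",   None),
    ("ACCEPT", "icmp", None,  "0.0.0.0/0",      None),
    ("ACCEPT", "tcp",  None,  "192.168.1.0/24", None),
    ("ACCEPT", "udp",  None,  "192.168.1.0/24", None),
    ("ACCEPT", "tcp",  True,  "0.0.0.0/0",      (22, 22)),
    ("ACCEPT", "udp",  None,  "0.0.0.0/0",      (1024, 65535)),
    ("ACCEPT", "tcp",  False, "0.0.0.0/0",      (1024, 65535)),
    ("REJECT", "all",  None,  "0.0.0.0/0",      None),
]
INPUT_POLICY = "REJECT"


def compile_chain(rules):
    """Parse each rule's source network once so repeated evaluation stays cheap."""
    return [(t, p, s, ipaddress.ip_network(src), ports)
            for t, p, s, src, ports in rules]


INPUT_CHAIN = compile_chain(INPUT_CHAIN_RULES)


def evaluate(chain, proto, src, dport=None, syn=False, policy=INPUT_POLICY):
    """Verdict for one packet: the target of the first matching rule, or the
    chain policy when no rule matches."""
    src_ip = ipaddress.ip_address(src)
    for target, rproto, rsyn, rnet, ports in chain:
        if rproto != "all" and rproto != proto:
            continue
        if src_ip not in rnet:
            continue
        # SYN-flag conditions only make sense for TCP.
        if rsyn is not None and (proto != "tcp" or rsyn != syn):
            continue
        if ports is not None and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return target
    return policy


def new_connection_ports(chain, src):
    """TCP ports on which a SYN from `src` reaches the stack at all, i.e. the
    only ports an outside host can even probe as open or closed."""
    return [p for p in range(1, 65536)
            if evaluate(chain, "tcp", src, p, syn=True) == "ACCEPT"]


if __name__ == "__main__":
    internet, lan = "203.0.113.5", "192.168.1.7"   # constructed sample sources
    print("SYN to 22 from internet:", evaluate(INPUT_CHAIN, "tcp", internet, 22, syn=True))
    print("SYN to 25 from internet:", evaluate(INPUT_CHAIN, "tcp", internet, 25, syn=True))
    print("SYN to 25 from LAN:     ", evaluate(INPUT_CHAIN, "tcp", lan, 25, syn=True))
    print("UDP to 53 from internet:", evaluate(INPUT_CHAIN, "udp", internet, 53))
    print("ports a fresh internet connection can reach:",
          new_connection_ports(INPUT_CHAIN, internet))
```

With this ruleset a SYN from outside reaches only port 22; a SYN to any other port, open or closed, is REJECTed by the filter and never gets as far as the stack, so the closed port's own RST (or a listening daemon's bug) is out of reach from the internet. The `!y` rule is what lets replies to outgoing connections back in, which is why non-SYN segments to 1024-65535 are accepted. From 192.168.1.0/24 everything is accepted, so Kalev's point stands: a service bound only to the LAN interface is reachable only by LAN hosts.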
Re: ProFtpd question
On Wed, 27 Jun 2001, Jean-Marc Boursot wrote:
> Yep but "false" (or "true") is NOT a shell. So they won't be able to
> execute chsh and change their login shell to a real one.

What about procmail, for example? If it is a mail-only account, it may have procmail, and if you have procmail, you can execute anything that is not a shell script or does not need a shell. And I'd say to chsh you do not need a shell.

Yours faithfully,
Bernhard R. Link
Re: ProFtpd question
On Jun 27, 2001 13:07 -0400 [EMAIL PROTECTED] wrote to...:
|> You add /bin/ftponly in /etc/shells.
|
|And if I'm not mistaken, if they are somehow now able to execute the
|chsh command, then they have a valid shell account they can log in to. :-(
|
|While they shouldn't be able to run chsh, or the equivalent, putting their
|shell in /etc/shells puts them that much closer to an account.
|

chroot will help to prevent this kind of attempt if you consider /bin/false not so safe. The user will be chrooted to the allowed ground and there will be no way back. Or is there? Watch out for links. They may get broken.

Kalev
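The worry in this thread is that listing /bin/ftponly in /etc/shells makes it a shell chsh will accept, so any way of running chsh (a non-shell program such as procmail, as Bernhard notes) turns an "FTP-only" account into one that can pick a real login shell. The audit below is an added example, not code from ProFTPD or from the list: it reads constructed /etc/passwd and /etc/shells contents and flags accounts whose restricted shell is chsh-eligible. It assumes the usual chsh behaviour that an unprivileged user may only choose a shell listed in /etc/shells.

```python
"""Added example (not from ProFTPD or the list thread): flag accounts whose
"restricted" login shell is listed in /etc/shells and is therefore a shell
chsh will let an unprivileged user switch to.

Assumption: chsh accepts, for a non-root user, only shells present in
/etc/shells (standard shadow-utils behaviour). All file contents below are
constructed for the example.
"""

# Constructed /etc/passwd: two FTP-only users, one given /bin/ftponly, one /bin/false.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
ftpuser1:x:1002:1002:FTP only:/srv/ftp/u1:/bin/ftponly
ftpuser2:x:1003:1003:FTP only:/srv/ftp/u2:/bin/false
mailonly:x:1004:1004:Mail only:/home/mailonly:/bin/false
"""

# Constructed /etc/shells after following the advice quoted above.
SHELLS_WITH_FTPONLY = """\
# /etc/shells: valid login shells (constructed)
/bin/sh
/bin/bash
/bin/ftponly
"""

# The same file without /bin/ftponly, for comparison.
SHELLS_FIXED = """\
# /etc/shells: valid login shells (constructed)
/bin/sh
/bin/bash
"""

# Shells an administrator hands out precisely so the account cannot log in.
RESTRICTED_SHELLS = frozenset({"/bin/ftponly", "/bin/false", "/bin/true", "/usr/sbin/nologin"})


def parse_shells(text):
    """Return the set of shells listed in an /etc/shells file (comments and blanks ignored)."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_passwd(text):
    """Yield (user, uid, shell) for each well-formed /etc/passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        yield fields[0], int(fields[2]), fields[6]


def chsh_would_accept(shell, valid_shells):
    """chsh lets a non-root user pick `shell` only when it is listed in /etc/shells."""
    return shell in valid_shells


def audit(passwd_text, shells_text, restricted=RESTRICTED_SHELLS):
    """Return [(user, shell)] for accounts meant to be login-less whose shell is
    nevertheless chsh-eligible because it appears in /etc/shells."""
    valid = parse_shells(shells_text)
    return [(user, shell)
            for user, uid, shell in parse_passwd(passwd_text)
            if shell in restricted and chsh_would_accept(shell, valid)]


if __name__ == "__main__":
    print("with /bin/ftponly in /etc/shells:", audit(PASSWD, SHELLS_WITH_FTPONLY))
    print("without it:                      ", audit(PASSWD, SHELLS_FIXED))
```

Running the audit against a real system means reading /etc/passwd and /etc/shells instead of the constructed strings. The finding it produces is exactly the situation the thread describes: ftpuser1 is flagged once /bin/ftponly is in /etc/shells and disappears from the report when it is removed, while the /bin/false accounts are never flagged because chsh will not accept that shell. Whether the FTP daemon still lets such users in without the /etc/shells entry is a daemon configuration question (ProFTPD has a RequireValidShell directive for this), which is where the chroot Kalev suggests adds a second layer if the account must keep a listed shell.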