ipfwadm rule to iptables

2005-08-30 Thread Carlos Fernando Ferreira Junior


Hello my dear colleagues...

I have an old configuration for a piece of software here at the company that needs this in order to run...

would anyone be able to tell me what this would look like in iptables?

ipfwadm -F -i accept -m -P tcp -S 10.0.0.0/8 1024:65535 -D 200.201.174.0/24 80

if you could give a little explanation I'd be grateful for that too...


RE: ipfwadm rule to iptables

2005-08-30 Thread Helio Jose Poffo Junior
It would look like this:
 
iptables -A FORWARD -p tcp -s 10.0.0.0/8 --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT
 
FORWARD - rule type, meaning all traffic that is passing through the
firewall (changing interfaces). It could be INPUT (traffic destined for the
FW) or OUTPUT (traffic leaving the firewall, where the source is the fw)
-p - specifies the protocol (tcp/udp/gre)
-s - source host (can be an IP or a network)
-d - destination host (can be an IP or a network)
--sport / --dport - source port (sport) destination port (dport)
-j action - action for the rule, which can be ACCEPT, DROP, etc...
 
I think that's all...

 


From: Carlos Fernando Ferreira Junior [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, 30 August 2005 10:35
To: Debian List
Subject: ipfwadm rule to iptables


 
Hello my dear colleagues...
 
I have an old configuration for a piece of software here at the company that
needs this in order to run...
 
would anyone be able to tell me what this would look like in iptables?
 
ipfwadm -F -i accept -m -P tcp -S 10.0.0.0/8 1024:65535 -D 200.201.174.0/24 80
 
if you could give a little explanation I'd be grateful for that too...




ipfwadm ftp

2004-08-27 Thread Jan Nowak
Maybe I missed something in the docs, but the problem looks like this:

there is a firewall with Debian + ipfwadm (P133/16 RAM; kernel 2.0.36) and from 
it you can ftp anywhere. But from the network behind the 
firewall, ftp doesn't work. 

Regards
/Alt_F4






2 questions: 1., ipfwadm, 2., local net with rtl8139

2004-08-14 Thread Na Zo
hi!

1., I' d like to use ipmasquerading to share the internet, but i have
problem with it. I have installed the following modules into the kernel

  IP: Netfilter Configuration  ---
M Connection tracking (required for masq/NAT)
M   FTP protocol support
M   IRC protocol support
M IP tables support (required for filtering/masq/NAT)
M   Packet filtering
M   Full NAT
M MASQUERADE target support
M   Packet mangling
M ipchains (2.2-style) support
M ipfwadm (2.0-style) support

(certainly i don' t use the last two).

All other modules can be loaded with success.
I use 2.4.26 kernel, and if i load all modules, i got this:


router:~# lsmod
Module  Size  Used byNot tainted
iptable_mangle  2208   0  (unused)
ipt_MASQUERADE  1952   0  (unused)
ip_nat_irc  2752   0  (unused)
ip_nat_ftp  3616   0  (unused)
ip_conntrack_irc3296   1  [ip_nat_irc]
ip_conntrack_ftp4128   1  [ip_nat_ftp]
iptable_nat22516   2  (autoclean) [ipt_MASQUERADE ip_nat_irc
ip_nat_ftp]
ip_conntrack   30452   2  (autoclean) [ipt_MASQUERADE ip_nat_irc
ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp iptable_nat]
iptable_filter  1728   0  (autoclean) (unused)
ip_tables  14560   6  [iptable_mangle ipt_MASQUERADE iptable_nat
iptable_filter]
8139too13376   1
ne2k-pci4416   1
router:~#


eth0 is the interface to the internet, and eth1 is for the local net.

The problem come, if i try to use the following command:


router:~# iptables -A FORWARD -i eth0 -o eth1 -m state --state
ESTABLISHED,RELATED -j ACCEPT


then i got this error message (error code: 1):

iptables: No chain/target/match by that name


I tried to solve the problem with google, but nothing could help. Certainly
i made these:


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr


Distro: debian

---

2., the second problem is, that i have in this router machine two
ethernet cards (rtl8029, and 8139). the 8029 works fine, but i use the 8139too
driver for the other one. If i try to copy (ftp) _to_ the router, everything
works fine with about 2MByte/s (the router is a PI 100MHZ, so it's good for
it), but in the other direction (from the router to another machine) i can
copy only with 2-300KByte/s.

In the kernel (2.4.26) i compiled this as modules:

   M RealTek RTL-8139 PCI Fast Ethernet Adapter support

and compiled these into the kernel:

Use PIO instead of MMIO
Support for uncommon RTL-8139 rev. K (automatic channel equ...


I tried all combinations of the last two.

The cable length is about 20m.

Both of the Distros are Debian;

Thanks very much for your help.

[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



ipfwadm (2.)

2003-08-14 Thread Michelle Konzack
Hmmm, 

just found something: 

ipportfw -A -t 0.0.0.0/80 -R 192.168.1.67/80

The only question is: is the 0.0.0.0 right ???

All five subnets, including 192.168.1.64/27, are IP-masqueraded, 
since I replaced the sixth NIC with a modem (ppp0)... 

Thanks for any insights if I'm wrong somewhere...

Michelle


-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE send an e-mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl)



Ipfwadm and IPTables

2003-02-19 Thread Iñako

Is there any way to migrate all the rules I have
on my old proxy with Ipfwadm to IPTables?

Thanks in advance



Re: Ipfwadm and IPTables

2003-02-19 Thread Roberto Meyer
On Wed, Feb 19, 2003 at 01:11:55PM +0100, Iñako wrote:

 Is there any way to migrate all the rules I have
 on my old proxy with Ipfwadm to IPTables?

I believe so. In the meantime, on 2.4.x kernels you can compile
ipfwadm support as a module and keep using the same configuration
file.

That said, you can only have one of them active at a time: either you use
ipfwadm or iptables.

--
Roberto



ipfwadm (freesco)

2002-11-26 Thread maryjan
Hi :)

Could someone advise what a rule in freesco (ipfwadm) for blocking
incoming pings should look like? Because for some time now someone has
been very keen on overloading my little server. I know one could check
who, but the server runs off a 1.44MB floppy which currently has about
150 KB free, so installing extra packages is out of the question... and
as for an HDD, well - no money.
I mean COMPLETELY (or not) blocking pings :)

Cheers ;]
siwy






Re: Re: Help with ipfwadm

2002-08-24 Thread Fernando R
Beto:
Sorry, I told you to look at lredir and actually
the package is redir.
If you have debian, you can simply do:
 # apt-get install redir
Otherwise, download the source and compile it; you can find it
at:

ftp://sunsite.unc.edu/pub/historic-linux/ftp-archives/sunsite.unc.edu/Sep-29-1996/system/Network/daemons/

Good luck!!!
(it should work without problems with the 2.0.x kernels since it's
a fairly old package)

Regards
Fernando

---o--
Redir v.0.7

redir is a tcp port redirector for unix.
It can run under inetd or stand alone (in which case it handles
multiple connections).  Its 8 bit clean, not limited to line
mode, is small and light.

If you want access control run it under xinetd, or inetd with tcp
wrappers.  Or you could use the tcp wrapper library to extend it and
do fancy access control - if so please let me know.

redir is released under GPL.

 Nigel Metheringham
 [EMAIL PROTECTED]
 30 June, 1996

===

[Original readme from version 0.5]

If you liked daemon, you'll LOVE redir!

Redir, the fully functional (but only in line mode) port redirector for
unix!  (yeah!  W!).  Basically, it's like tredir.   But hacked from
daemon.  And poorly written.   But, hey, it dodges firewalls, and THAT's
the important part.  I think.  Oh, fuck it.  Look, it's useful.   Good
for dynamic IP, too.   Trust me, it is.

usage: redir [remote-host] listen_port connect_port

The syntax is a little clumsy, but it works.

compile with make redir or gcc redir.c -o redir

comments/bugs/flames to [EMAIL PROTECTED]

(please, write if you use the program!)

---o--






Re: Re: Help with ipfwadm

2002-08-23 Thread Dario Jolodovsky
Hello!
He's asking to redirect to a port on another PC; with iptables it would be
something like this
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ethx -j DNAT --to 1.2.3.4:8080
where ethx is the ethernet interface that receives the original request and 1.2.3.4 is the
IP of the PC the packet has to be redirected to!
This is with iptables on 2.4.x kernels; with ipfwadm I don't know how it would be done!

SALU2
Dario

-- Original message --

redirect requests to port 80 of the machine with ipfwadm to 8080
on another machine.

with iptables it's done this way

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

With ipfwadm I don't think it can be done but I've never tried it.

Regards





---
Dario Hernan Jolodovsky
Powered by Slackware Linux 8.1
 Debian SID with Kernel 2.4.18
Linux registered user: #250543
---







Re: Re: Help with ipfwadm

2002-08-23 Thread beto
Thanks, but I need to do it with ipfwadm, the thing is I have a mini
distribution with the 2.0.* kernel

Thanks




Help with ipfwadm

2002-08-22 Thread beto
Hi, I know this is something old, but I need to redirect requests
to port 80 of the machine with ipfwadm to 8080 on another
machine.

Can it be done???

Thanks






Re: Help with ipfwadm

2002-08-22 Thread Antonio Angel
On Thursday 22 August 2002 18:40, beto wrote:
 Hi, I know this is something old, but I need to redirect requests
 to port 80 of the machine with ipfwadm to 8080 on another
 machine.

 Can it be done???

 Thanks


with iptables it's done this way

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

With ipfwadm I don't think it can be done but I've never tried it.

Regards



Re: Help with ipfwadm

2002-08-22 Thread Fernando R
Beto:
You can try using lredir (or ldir?), well, that one, it's an
application that runs at user level and should work with
the 2.0 kernel series (which you must be using).
Regards
Fernando

- Original Message -
From: Antonio Angel [EMAIL PROTECTED]
To: beto [EMAIL PROTECTED]
Cc: debian-user-spanish@lists.debian.org
Sent: Thursday, August 22, 2002 9:06 PM
Subject: Re: Help with ipfwadm


On Thursday 22 August 2002 18:40, beto wrote:
 Hi, I know this is something old, but I need to redirect requests
 to port 80 of the machine with ipfwadm to 8080 on another
 machine.

 Can it be done???

 Thanks


with iptables it's done this way

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

With ipfwadm I don't think it can be done but I've never tried it.

Regards











Re: ipfwadm + mac address

2002-02-05 Thread Vincent Haverlant
On Mon, Feb 04, 2002 at 08:26:45PM +, François Boisson wrote:
| ipfwadm -O -a deny -P tcp -S `arp -n | grep  00:00:B4:5B:CF:09 | awk '{print $1}'` -D 209.247.228.201 80 -b
| 
| should work, no?

Isn't there a problem either when the machine boots, or if the machine
carrying the address you're looking for hasn't communicated for a
while? In the end, you'd probably have to run that command regularly
to be sure it actually goes through at some point.

Vincent.
-- 
   .~.  Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\  MUD -- FranDUMII (telnet:frandum.enst.fr:2001)
  /( )\ Parinux (www.parinux.org)
  ^^-^^  There is no system but GNU, and Linux is one of its kernels



Re: ipfwadm + mac address

2002-02-05 Thread François
On Tue, 5 Feb 2002 10:39:19 +0100
Vincent Haverlant [EMAIL PROTECTED] said:

 On Mon, Feb 04, 2002 at 08:26:45PM +, François Boisson wrote:
 | ipfwadm -O -a deny -P tcp -S `arp -n | grep  00:00:B4:5B:CF:09 | awk '{print $1}'` -D 209.247.228.201 80 -b
 | 
 | should work, no?
 
 Isn't there a problem either when the machine boots, or if the machine
 carrying the address you're looking for hasn't communicated for a
 while? In the end, you'd probably have to run that command regularly
 to be sure it actually goes through at some point.

Damn, it's true that arp only manipulates the cache, so when the machine
starts up it's not certain that the cache contains the address; maybe
with a broadcast-type request beforehand to force the machines to make
themselves known, but you have to tread carefully. The problem then boils
down to "How do you recognise a machine from its Ethernet number when you
physically plug into the network?". Apart from a broadcast-based system,
I can't see one...
F.B



Re: ipfwadm + mac address

2002-02-04 Thread François
On Sun, 3 Feb 2002 18:36:57 -0500
Yanick Lefebvre [EMAIL PROTECTED] said:

 Hi everyone,
 
  I'd like to know if anyone knows whether it is possible to
 write firewall rules with ipfwadm using the MAC address of a network
 card instead of a fixed IP address.
 
 e.g.: ipfwadm -O -a deny -P tcp -S 192.168.1.1 -D 209.247.228.201 80 -b

ipfwadm -O -a deny -P tcp -S `arp -n | grep  00:00:B4:5B:CF:09 | awk '{print $1}'` -D 209.247.228.201 80 -b

should work, no?

François Boisson
 
 I'd like to know if it is possible to replace 192.168.1.1 with
 00:00:B4:5B:CF:09
 



ipfwadm

2001-10-19 Thread Dpto. de Sistemas [EMAIL PROTECTED]
I want to prevent the following: that someone can ping the broadcast
address of our network; bear in mind that the address I'm putting in is
a public one, maybe it doesn't work because of that. The rule I've set is
the following, but it doesn't work.

/sbin/ipfwadm -F -a deny -P icmp -S xxx.xxx.xxx.255 -D 0.0.0.0/0


Thanks and regards.



RE: ipfwadm

2001-10-19 Thread PEDRO LOPEZ JACOB

- Original Message - 
From: Dpto. de Sistemas [EMAIL PROTECTED] [EMAIL PROTECTED]
To: debian-user-spanish@lists.debian.org
Sent: Friday, October 19, 2001 8:59 AM
Subject: ipfwadm


 I want to prevent the following: that someone can ping the broadcast
 address of our network; bear in mind that the address I'm putting in is
 a public one, maybe it doesn't work because of that. The rule I've set is
 the following, but it doesn't work.
 
 /sbin/ipfwadm -F -a deny -P icmp -S xxx.xxx.xxx.255 -D 0.0.0.0/0
 
 
 Thanks and regards.
 
 

Forgive my question... but haven't you put the source address and the 
destination address exactly the wrong way round???

Regards
Pedro


Re: ipfwadm

2000-05-25 Thread ulla . russell


I'm no expert but don't you have to enable ip forwarding 
in the kernel first by executing the following:

# echo 1 > /proc/sys/net/ipv4/ip_forward

I assume of course that you are trying to set up 
ip masquerading. There a good article on this in the 
linux journal issue 43, available on line at 

http://www2.linuxjournal.com

go to the frame on the left 
click magazine
...


Also take look through the debian mailing list archives.
There seems to be lots on ip masquerading there.





At 18:34 24.5.2000 -0700, you wrote:
 i am doing the following:
 /sbin/ipfwadm -F -p deny
 /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
 and get the following error:
 ipfwadm: setsockopt failed: protocol not available
 do i need to compile my kernel?
 thankx



Re: ipfwadm

2000-05-25 Thread Nick
hey thankx for all the replies,
 i tried the following in order

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipfwadm -F -p deny

i get the following error:

ipfwadm: setsockopt failed: Protocol not available.

just so you have some background, i am running debian 2.1 w/ 2.0.38 kernel,
never recompiled since install.
running dhcp service and have my route table setup as follows:
255.255.255.255 * 255.255.255.255  eth1
localnet*  255.255.255.0  eth0
192.168.1.0 * 255.255.255.0   eth1
127.0.0.0 *  255.0.0.0  lo
defaultadsl 0.0.0.0eth0

i have done this before w/ ipchains on a 2.2 kernel, but just want to
remember how to do it w/ 2.0

thankx for your help

- Original Message -
From: [EMAIL PROTECTED]
To: Nick [EMAIL PROTECTED]
Sent: Wednesday, May 24, 2000 9:21 PM
Subject: Re: ipfwadm


 Sorry I answered your question but not as
 clearly as I could have.

 You should execute the command I mentioned
 before the others (that you mentioned). Maybe you
 want to put them all in a script.

 You don't need to recompile the kernel.
 At least, not in order to use ip masquerading.





ipfwadm

2000-05-24 Thread Nick



i am doing the following:

/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

and get the following error:
ipfwadm: setsockopt failed: protocol not available

do i need to compile my kernel?

thankx


from ipchains to ipfwadm

2000-05-10 Thread Emilis
Can anyone revert this from ipchains to ipfwadm ? :
ipmasqadm autofw -A -u -r udp 51200 51201 -c 7175
ipmasqadm autofw -A -u -r tcp 51210 51210 -c 7175
Thanks




ipfwadm testing

2000-03-15 Thread zdrysdal
Hi

i am trying to open up the firewall to allow ftp for a particular server...
if not all servers/pc's.

currently i am typing in the ipfwadm commands on the command line but i am
unsure whether it becomes active straight away... should i put the test
rules in the ipfw file that is loaded via booting or will typing them in
via command line work straightaway?

Below is what i am trying out but it is not working.  We use masquerading
and the ip address i am putting as variable $MYSERVER is the real ip
address.  Perhaps i need to use the command $IPFWMSQ  instead of $IPFWACC.

Is there a way to log what is happening... it is hard to know what the hell
is going on when you type in anther rule and it does nothing :)

IPFWACC=/sbin/ipfwadm -F -b -a accept
IPFWMSQ=/sbin/ipfwadm -F -b -a masquerade
ANYHOST=0.0.0.0/0
ANYPORT=0:65535
USERPORT=1024:65535

$IPFWACC -P tcp -S $MYSERVER ftp ftp-data   -D $ANYHOST
$ANYPORT
$IPFWACC -P tcp -S $MYSERVER $USERPORT-D $ANYHOST ftp ftp-data

Thanx

Zane



Re: IPFWADM Problems

2000-03-04 Thread Ernest Johanson
What does your routing table look like? If the default route is not set,
that could explain your problem. 

Ernest Johanson
Web Systems Administrator
Fuller Theological Seminary


On Fri, 3 Mar 2000, Chris Brown wrote:

 Date: Fri, 3 Mar 2000 18:09:29 -0500
 From: Chris Brown [EMAIL PROTECTED]
 To: debian-user@lists.debian.org
 Subject: IPFWADM Problems
 
 Hello all,
 
 I have a Debian system running kernel 2.0.38 that is supposed to be 
 acting as a router between two networks.  For the past many months, 
 we've had our nameserver doing the routing because it was far less 
 flaky.  We've fixed the problems in the hardware, finally, and would 
 like to go back to using the first box.  However, now we have some 
 problems.
 
 Enabling IP Forwarding in the kernel does not allow packets to be 
 routed between interfaces.  I don't have any more information on 
 this, that's all there is.  From net-0 I can ping the net-0 side of 
 the router, but I can't ping the net-1 side of the router.  Both 
 network cards are hooked up and configured correctly.
 
 Enabling IP Firewalling, flushing all the rules, and setting default 
 policy to accept also has no setting.  Once again, no error messages 
 anywhere - the box obviously thinks this is right.  I must have 
 missed something.
 
 To make matters a bit weirder, IPX route happily between the 
 interfaces.  It's only IP that is causeing problems.
 
 Any help would be appreciated.
 
 CBrown
 
 
  *
  Chris Brown   [EMAIL PROTECTED] !!! HELP FIGHT SPAM !!!
 
  Join; www.cauce.org  See; spam.abuse.net, spamsucks.com, www.cm.org
  
  
 


IPFWADM Problems

2000-03-03 Thread Chris Brown
Hello all,

I have a Debian system running kernel 2.0.38 that is supposed to be 
acting as a router between two networks.  For the past many months, 
we've had our nameserver doing the routing because it was far less 
flaky.  We've fixed the problems in the hardware, finally, and would 
like to go back to using the first box.  However, now we have some 
problems.

Enabling IP Forwarding in the kernel does not allow packets to be 
routed between interfaces.  I don't have any more information on 
this, that's all there is.  From net-0 I can ping the net-0 side of 
the router, but I can't ping the net-1 side of the router.  Both 
network cards are hooked up and configured correctly.

Enabling IP Firewalling, flushing all the rules, and setting default 
policy to accept also has no setting.  Once again, no error messages 
anywhere - the box obviously thinks this is right.  I must have 
missed something.

To make matters a bit weirder, IPX route happily between the 
interfaces.  It's only IP that is causeing problems.

Any help would be appreciated.

CBrown


 *
 Chris Brown   [EMAIL PROTECTED] !!! HELP FIGHT SPAM !!!

 Join; www.cauce.org  See; spam.abuse.net, spamsucks.com, www.cm.org
 
 


Re: ipfwadm question.

2000-02-24 Thread Marc-Adrian Napoli
Hi there,

 Just a thought. Do you other machines have 192.168.20.254
 shown as your gateway?

Yes they were coming.

I've realised my problem and solved it anyhow.

Quick rundown:

 : eth0  Link encap:Ethernet  HWaddr 00:00:E8:74:32:FD
 :   inet addr:192.168.20.254  Bcast:192.168.20.255
Mask:255.255.255.0
 :   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 :   RX packets:3042 errors:0 dropped:0 overruns:0
 :   TX packets:1038 errors:0 dropped:0 overruns:0
 :   Interrupt:10 Base address:0xfca0

 : eth1  Link encap:Ethernet  HWaddr 00:00:E8:D6:D5:21
 :   inet addr:203.17.240.6  Bcast:203.17.240.255
Mask:255.255.255.224
 :   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 :   RX packets:14850 errors:0 dropped:0 overruns:0
 :   TX packets:1203 errors:0 dropped:0 overruns:0
 :   Interrupt:11 Base address:0xfcc0

I assumed from the following that the masquerading rule needs to be applied
to eth0. But i was wrong, it needed to be
applied to eth1.

ie.

ipfwadm -F -a masquerade -W eth0 -S 192.168.20.0/24 -D 0.0.0.0/0

needed to be changed to:

ipfwadm -F -a masquerade -W eth1 -S 192.168.20.0/24 -D 0.0.0.0/0

and it was all good.

I would have thought that the masquerading would need to be applied to the
internal interface?

Regards,

Marc-Adrian Napoli
Connect Infobahn Australia
+61 2 92811750



ipfwadm question.

2000-02-23 Thread Marc-Adrian Napoli
hi all,

quick ipfwadm question.

ethernet cards are as so:

eth0  Link encap:Ethernet  HWaddr 00:00:E8:74:32:FD
  inet addr:192.168.20.254  Bcast:192.168.20.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:3042 errors:0 dropped:0 overruns:0
  TX packets:1038 errors:0 dropped:0 overruns:0
  Interrupt:10 Base address:0xfca0

eth1  Link encap:Ethernet  HWaddr 00:00:E8:D6:D5:21
  inet addr:203.17.240.6  Bcast:203.17.240.255  Mask:255.255.255.224
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:14850 errors:0 dropped:0 overruns:0
  TX packets:1203 errors:0 dropped:0 overruns:0
  Interrupt:11 Base address:0xfcc0

machine running IP masquerading for a 192.168.20 network. Through eth0 i can
ping all internal machines (who are getting IP's off dhcp running off the
eth0 of this machine). Through eth1 i can ping sites outside on the net.

[EMAIL PROTECTED] init.d]# ipfwadm -I -l
IP firewall input rules, default policy: accept

[EMAIL PROTECTED] init.d]# ipfwadm -O -l
IP firewall output rules, default policy: accept

[EMAIL PROTECTED] init.d]# ipfwadm -F -l
IP firewall forward rules, default policy: accept
type  prot source   destination  ports
acc/m all  192.168.20.0/24  anywhere n/a

None of the 192.168.20 machines can get anything out on the web. (nor any
other sort of traffic for that matter). I'm assuming there is a problem with
the masquerading.

Am i missing anything here?

Regards,

Marc-Adrian Napoli
Connect Infobahn Australia
+61 2 92811750




Re: ipfwadm question.

2000-02-23 Thread W. Paul Mills
Just a thought. Do you other machines have 192.168.20.254
shown as your gateway?


Marc-Adrian Napoli [EMAIL PROTECTED] wrote:
: hi all,

: quick ipfwadm question.

: ethernet cards are as so:

: eth0  Link encap:Ethernet  HWaddr 00:00:E8:74:32:FD
:   inet addr:192.168.20.254  Bcast:192.168.20.255  Mask:255.255.255.0
:   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
:   RX packets:3042 errors:0 dropped:0 overruns:0
:   TX packets:1038 errors:0 dropped:0 overruns:0
:   Interrupt:10 Base address:0xfca0

: eth1  Link encap:Ethernet  HWaddr 00:00:E8:D6:D5:21
:   inet addr:203.17.240.6  Bcast:203.17.240.255  Mask:255.255.255.224
:   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
:   RX packets:14850 errors:0 dropped:0 overruns:0
:   TX packets:1203 errors:0 dropped:0 overruns:0
:   Interrupt:11 Base address:0xfcc0

: machine running IP masquerading for a 192.168.20 network. Through eth0 i can
: ping all internal machines (who are getting IP's off dhcp running off the
: eth0 of this machine). Through eth1 i can ping sites outside on the net.

: [EMAIL PROTECTED] init.d]# ipfwadm -I -l
: IP firewall input rules, default policy: accept

: [EMAIL PROTECTED] init.d]# ipfwadm -O -l
: IP firewall output rules, default policy: accept

: [EMAIL PROTECTED] init.d]# ipfwadm -F -l
: IP firewall forward rules, default policy: accept
: type  prot source   destination  ports
: acc/m all  192.168.20.0/24  anywhere n/a

: None of the 192.168.20 machines can get anything out on the web. (nor any
: other sort of traffic for that matter). I'm assuming there is a problem with
: the masquerading.

: Am i missing anything here?

: Regards,

: Marc-Adrian Napoli
: Connect Infobahn Australia
: +61 2 92811750





-- 
*** Running Debian Linux ***
*   For God so loved the world that He gave his only begotten Son,  *
*   that whoever believes in Him should not perish...John 3:16  *
* W. Paul Mills  *  Topeka, Kansas, U.S.A.  *
* EMAIL= [EMAIL PROTECTED]  *  WWW= http://Mills-USA.com/  *
* Bill, I was there several years ago, why would I want to go back? *
* pgp public key on keyservers everywhere? */
-- 


Ipfwadm - ipchains conversion syntax help 2.0.x - 2.2.x

2000-02-21 Thread Anthony Green
Hello .. 

Im about to go from kernel 2.0.38 to 2.2.x

I have some syntax questions with regards to ipchains .. and have
included below my existing IP setup in init.d/network and some
local settings .. 

If someone could let me know the ipchains syntax .. that'd be great.

Current net config .. with ipfwadm setup .. simple enough setup,
linux box in 10.1.1.1 with win box on 10.1.1.2 .. linux acting
as gateway with static IP, and masq'ing for the win box.

[EMAIL PROTECTED]:/local/etc/init.d# cat network
#! /bin/sh
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
IPADDR=10.1.1.1
NETMASK=255.255.255.0
NETWORK=10.1.1.0
BROADCAST=10.1.1.255
GATEWAY=
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
ifconfig ppp0 203.12.80.117 netmask 255.255.255.0 mtu 576
#ipfwadm stuff
ipfwadm -F -p deny
ipfwadm -F -a m -S 10.1.1.2/32 -D 0.0.0.0/0 -W eth0
ipfwadm -A -a -S 10.1.1.2/32 -D 0.0.0.0/0 -W eth0
ipfwadm -F -a m -S 10.1.1.0/24 -D 0.0.0.0/0 -W ppp0
# end ipfwadm
route add -net ${NETWORK}
[ "${GATEWAY}" ] && route add default gw ${GATEWAY} metric 1

I am after the equiv. ipchains syntax for the above ipfwadm statements.

Also .. I use ipautofw port bouncer to bounce a port for battle.net etc,
im sure some ipchains syntax can do the same?

[EMAIL PROTECTED]:/etc/init.d# cat local 
#rc.local
#Battle.net fix
echo Adding Battle.net port bouncer
ipautofw -A -r udp 6112 6112 -h 10.1.1.2
ipautofw -A -r tcp 6112 6112 -h 10.1.1.2
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio

Ive read the rls notes and other docs on the 2.2.x series .. there
doesnt look to be anything else major I need to be aware of ? What
has other peoples experience been?

Thanks in advance.

-- 
[EMAIL PROTECTED]
Anthony Green


Re: ipfwadm

2000-01-17 Thread didier ayllon
no 


- Original Message -
From: George Bonser [EMAIL PROTECTED]
To: didier ayllon [EMAIL PROTECTED]
Cc: Debian-User debian-user@lists.debian.org
Sent: Sunday, January 16, 2000 10:31 PM
Subject: Re: ipfwadm


 On Sun, 16 Jan 2000, didier ayllon wrote:

  when i try to do :
 
  ipfwadm -A -f
 
  The answer is :
 
  ipfwadm : setsockopt failed: Protocol not available
 
  Does anyone can help me ?

 Do you have ip accounting turned on in the kernel configuration?







ipfwadm

2000-01-16 Thread didier ayllon



when i try to do :

ipfwadm -A -f

The answer is :

ipfwadm : setsockopt failed: 
Protocol not available

Does anyone can help me ?

Thank didier


ipfwadm

1999-11-25 Thread Richard Clarke
Hi. I have a linux box connected to internet thru ethernet..and my winbox
connected thru that to internet using ipmasq. Now ive been trying to run a
quake2 server..or any games server for that matter, not the point, on the
winbox and letting ppl externally connect to it. linuxbox has 10.1.1.1 ip on
internal eth card, and winbox has 10.1.1.2.
I set up ipfwadm -F with these options.. hopefully to forward connection to
port 27910 to my winbox.
ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 10.1.1.2/32 27910
ipfwadm -F -a accept -b -P udp -S 0/0 1024:65535 -D 10.1.1.2/32 27910

So q2,uses tcp and udp..it should accept all conections from *.*.*.* with
most ports and forward to 10.1.1.2 port 27910.

Except it doesnt work.
Could someone please let me know what obvious error I might have made.

Thanx
Richard Clarke


Re: ipfwadm

1999-11-25 Thread Richard Clarke
Further to the below problem. If i try to flush the ipautofw table, I get..
ipautofw -F
setsockopt: Protocol not available

Does this mean i dont have the necessary kernel support to forward
connections?


- Original Message -
From: Richard Clarke [EMAIL PROTECTED]
To: Debian User List debian-user@lists.debian.org
Sent: Thursday, November 25, 1999 8:02 PM
Subject: ipfwadm


 Hi. I have a linux box connected to internet thru ethernet..and my winbox
 connected thru that to internet using ipmasq. Now ive been trying to run a
 quake2 server..or any games server for that matter, not the point, on the
 winbox and letting ppl externally connect to it. linuxbox has 10.1.1.1 ip
on
 internal eth card, and winbox has 10.1.1.2.
 I set up ipfwadm -F with these options.. hopefully to forward connection
to
 port 27910 to my winbox.
 ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 10.1.1.2/32 27910
 ipfwadm -F -a accept -b -P udp -S 0/0 1024:65535 -D 10.1.1.2/32 27910

 So q2,uses tcp and udp..it should accept all conections from *.*.*.* with
 most ports and forward to 10.1.1.2 port 27910.

 Except it doesnt work.
 Could someone please let me know what obvious error I might have made.

 Thanx
 Richard Clarke






Re: ipfwadm rule

1999-11-02 Thread Damon Muller
Hi,

There is a modular firewall shell-script called gmmf that should do what
you are after. It's pretty simple to set up, and denies all ports by
default, and requires you to open any specific ports you want to use.

Have a search on http://freshmeat.net for gmmf to find it.

Cheers,

damon


On Fri, Oct 29, 1999 at 08:41:37PM +0200, Pere Camps was heard to state:
 Hi!
 
  set your default policies to DENY (instead of ACCEPT) and try again
  ..everything will be blocked except what you specifically state should be
  allowed in (dont try this from remote! you may lose access to the machine)
 
   I've already tried that way, but it doesn't work out the way I
 like it.
 
 -- p.
 
 
 
 

-- 
Damon Muller ([EMAIL PROTECTED]) /  It's not a sense of humor.
* Criminologist /  It's a sense of irony
* Webmeister   /  disguised as one.
* Linux Geek  / - Bruce Sterling 


ipfwadm rule

1999-10-29 Thread Pere Camps
Hi!

I'm trying to set up my home box (connected via PPP to the
internet to do the following):

a) Deny everything incoming (tcp,udp,icmp)
b) Accept only DNS udp connections
c) Accept incoming tcp data for only the connections that I have
initiated.

So far I've got this working:

a) no problem
b) I accept udp connections from the domain port to the 1024:65535
c) I accept tcp connections from any port that's below 1024

Problems:
 c) They can still telnet me if doing it as root. The same for b).

Does anybody know the right ipfwadm rule for what I want and even
if this setup is possible?

TIA!

-- p.


Re: ipfwadm rule

1999-10-29 Thread aphro
set your default policies to DENY (instead of ACCEPT) and try again
..everything will be blocked except what you specifically state should be
allowed in (dont try this from remote! you may lose access to the machine)

(use ipfwadm -p DENY)

nate

[mailto:[EMAIL PROTECTED] ]--
   Vice President Network Operations   http://www.firetrail.com/
  Firetrail Internet Services Limited  http://www.aphroland.org/
   Everett, WA 425-348-7336http://www.linuxpowered.net/
Powered By:http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMPhttp://yahoo.aphroland.org/
-[mailto:[EMAIL PROTECTED] ]--

On Fri, 29 Oct 1999, Pere Camps wrote:

 Hi!
 
   I'm trying to set up my home box (connected via PPP to the
 internet to do the following):
 
   a) Deny everything incoming (tcp,udp,icmp)
   b) Accept only DNS udp connections
   c) Accept incoming tcp data for only the connections that I have
 initiated.
 
   So far I've got this working:
 
   a) no problem
   b) I accept udp connections from the domain port to the 1024:65535
   c) I accept tcp connections from any port that's below 1024
 
   Problems:
   c) They can still telnet me if doing it as root. The same for b).
 
   Does anybody know the right ipfwadm rule for what I want and even
 if this setup is possible?
 
   TIA!
 
 -- p.
 
 
 


Re: ipfwadm rule

1999-10-29 Thread Pere Camps
Hi!

 set your default policies to DENY (instead of ACCEPT) and try again
 ..everything will be blocked except what you specifically state should be
 allowed in (dont try this from remote! you may lose access to the machine)

I've already tried that way, but it doesn't work out the way I
like it.

-- p.


ipfwadm rule

1999-10-29 Thread Pere Camps
Hi!

Finally I got the question from my previous message working. I
had to deny only the packets with the SYN set.

-- p.
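To see why the first rule set still let a root-run telnet in while the SYN-only deny does not, here is an added example that is not from any of the posts: a small Python simulator of ipfwadm's first-match input rules, including the -y test (SYN set, ACK clear). The two rule sets and the sample packets are constructed from the thread's description.

```python
"""Added example (not from the original posts): a first-match simulator for an
ipfwadm -I (input) rule list, used to compare the two policies in this thread.
Rule sets and packets below are constructed from the thread's description."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set and ACK clear: what ipfwadm -y matches


@dataclass(frozen=True)
class Rule:
    action: str                                 # accept / deny / reject
    proto: Optional[str] = None                 # None matches any protocol
    sports: Optional[Tuple[int, int]] = None    # inclusive source-port range
    dports: Optional[Tuple[int, int]] = None    # inclusive destination-port range
    syn_only: bool = False                      # ipfwadm -y

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sports and not self.sports[0] <= p.sport <= self.sports[1]:
            return False
        if self.dports and not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        if self.syn_only and not (p.proto == "tcp" and p.syn):
            return False
        return True


def verdict(rules: List[Rule], policy: str, p: Packet) -> str:
    """ipfwadm checks rules in list order; the first match decides, otherwise
    the chain's default policy (ipfwadm -I -p ...) applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy


# Attempt 1 from the thread: accept UDP replies from the domain port and any
# TCP packet whose source port is below 1024.  Root can bind such a port.
FIRST_TRY = [
    Rule("accept", "udp", sports=(53, 53), dports=(1024, 65535)),
    Rule("accept", "tcp", sports=(1, 1023)),
]

# Final version from the thread: deny only inbound TCP connection requests
# (SYN), accept the rest of TCP (replies to connections this box opened)
# and DNS replies.  Rule order matters: the deny must come first.
SYN_DENY = [
    Rule("deny", "tcp", syn_only=True),
    Rule("accept", "tcp"),
    Rule("accept", "udp", sports=(53, 53), dports=(1024, 65535)),
]

# Constructed sample packets arriving at the box.
SAMPLES: Dict[str, Packet] = {
    "telnet_from_root": Packet("tcp", sport=1023, dport=23, syn=True),
    "new_ssh_conn": Packet("tcp", sport=40001, dport=22, syn=True),
    "web_reply": Packet("tcp", sport=80, dport=40000, syn=False),
    "dns_reply": Packet("udp", sport=53, dport=1025),
    "udp_probe": Packet("udp", sport=31337, dport=31337),
}


def compare(policy: str = "deny") -> Dict[str, Tuple[str, str]]:
    """Map each sample packet name to (attempt-1 verdict, SYN-deny verdict)."""
    return {name: (verdict(FIRST_TRY, policy, p), verdict(SYN_DENY, policy, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (first, final) in compare().items():
        print("%-18s attempt-1=%-7s syn-deny=%s" % (name, first, final))
```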


ipfwadm question

1999-10-20 Thread Pablo Vazquez
my question is the following

I have a Linux box with
1 network interface
1 modem on a leased line
1 modem with diald to dial out to the internet, with masquerading

I don't know how I have to define the rules so that only what goes out to the
internet is masqueraded, since between the network card and the leased-line
modem I want traffic to be routed normally

if anyone can help me I'd appreciate it

thanks in advance



Robert Boyd's Email and Ipfwadm

1999-10-18 Thread Peter Good




Be aware all ppl on this list, One of the emails 
from Robert Boyd in the emails from the last 24 hrs, contained the Happy99 
virus.

And with regards to Ipfwadm and dcc send on the 
slave machine, I find it works perfectly now if i connect to port 6667 of the 
irc server, and no other.

I think you can add the ports, ie 7000, 6669, 
but i haven't looked into it yet



Virus Alert and Ipfwadm Dcc Send

1999-10-18 Thread Peter Good





Be aware all ppl on this list, One of the emails 
from Robert Boyd in the emails from the last 24 hrs, contained the Happy99 
virus.

And with regards to Ipfwadm and dcc send on the 
slave machine, I find it works perfectly now if i connect to port 6667 of the 
irc server, and no other.

I think you can add the ports, ie 7000, 6669, 
but i haven't looked into it yet



Ipfwadm

1999-10-16 Thread Peter Good




Hi, I have a 2 computer setup, runnin Debian 
2.0.36 as the server,

I am having a problem with dcc send on the 
windows computer, receive works fine.

I feel it must be in the ipfwadm somewhere but i 
can't find where.

I have the ip_masq_irc module loaded 
btw,

Thanks in advance.


Easy Interface for IPFWADM

1999-07-15 Thread Anthony Landreneau
Greetings,
I have a small ipfw set up. While I don't mind doing the work in VI to 
set
the rules, some of the people I work with who will be managing the box want
something a little easier to work with, a web based system would be great.
Anyway, I don't have perl installed, and probably will not install it,
lack of room. I was wondering if anyone out there has seen and/or developed
either a shell or java driven script that will allow a normal user to
easily add or remove IPFWADM rules via a web interface.

Thank you for your time,

Anthony

Anthony Landreneau
DoD Network Security Administrator
Infinity Data Systems
New Orleans Louisiana
(504)455-8973


Re: ipchains vs. ipfwadm (fwd)

1999-06-25 Thread Ugo Enrico Albarello
On Wed, Jun 23, 1999 at 02:36:28PM -0400, Ely J. Alvarado said:
 
 
I've just upgraded my kernel from 2.0.34 to 2.2.39, but I still
 have to boot with my old kernel, because I don't know how to use
 ipchains to enable IP masquerade; the old instruction said:
 
   ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0

You could replace ipfwadm with 'ipfwadm-wrapper' and leave the rest as is. It
takes care of converting everything into a format that ipchains handles.

-- 
 Ugo Enrico Albarello López de Mesa| POWERED BY   | www.debian.org
 [EMAIL PROTECTED] | DEBIAN GNU/LINUX 2.1 |  www.gnu.org
 -
   Always Free, Always Cool, Always Linux


Re: ipchains vs. ipfwadm (fwd)

1999-06-25 Thread Netman
On Wed, Jun 23, 1999 at 02:36:28PM -0400, Ely J. Alvarado wrote:
 
 
I've just upgraded my kernel from 2.0.34 to 2.2.39, but I still
 have to boot with my old kernel, because I don't know how to use
 ipchains to enable IP masquerade; the old instruction said:
 
   ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0
 
 could anyone help me?

The easiest solution is the following:

ipfwadm-wrapper -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0 

If you are only going to use the firewall to masquerade IPs, I think you can
spare yourself reading the ipchains-HOWTO-spanish.

Regards, Netman.

 
 Ely Alvarado
 

-- 
Perhaps we are not here to praise God, but to create him
   A. C. Clarke
  
Powered by Debian/GNU Linux 2.2 - Kernel 2.2.10




Re: ipchains vs. ipfwadm (fwd)

1999-06-25 Thread Paco Brufal
On Thu, 24 Jun 1999, Ugo Enrico Albarello wrote:

  ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0
 You could replace ipfwadm with 'ipfwadm-wrapper' and leave the rest as is. It
 takes care of converting everything into a format that ipchains handles.

I don't recommend it; I trusted ipfwadm-wrapper and without noticing I had
the system open for at least a month. It seems it doesn't work entirely
right...


Paco Brufal [EMAIL PROTECTED]
Fidonet 2:346/3.68

If you want to know how to join
Fidonet, the mail network with the most
QUALITY in the World and NO SPAM,
ask me how.

...Drop It (Original Mix). 3 Steps Ahead. 1995
--- Pine 4.10 + Sendmail 8.9.3
 * Origin: R34.LINUX FAQ: http://www.linuxfreak.com/~r34_linux (2:346/3.68)
 


Re: ipchains vs. ipfwadm (fwd)

1999-06-24 Thread Paco Brufal
On Wed, 23 Jun 1999, Ely J. Alvarado wrote:

 ipchains to enable IP masquerade; the old instruction said:
   ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0

ipchains -I forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0


Paco Brufal [EMAIL PROTECTED]
Fidonet 2:346/3.68

If you want to know how to join
Fidonet, the mail network with the most
QUALITY in the World and NO SPAM,
ask me how.

...Feelings. Re-Charge. 1995
--- Pine 4.10 + Sendmail 8.9.3
 * Origin: R34.LINUX FAQ: http://www.linuxfreak.com/~r34_linux (2:346/3.68)
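The ipfwadm-to-ipchains translation that the replies in this thread sketch, worked out as an added example that is not from any poster and is not the ipfwadm-wrapper script that ships with ipchains, but a small Python re-implementation of the same mapping for the option subset used in these posts. It assumes the standard ipchains option names (-A/-I/-D/-P/-F, -j, -s, -d, -y, -l); port lists expand to one rule per port, -b yields the mirrored rule as well, -k becomes "! -y" and -o becomes -l.

```python
"""Added example (a re-implementation, not the ipfwadm-wrapper script that ships
with ipchains): translate the ipfwadm (kernel 2.0) commands seen in this thread
into ipchains (kernel 2.2) commands.  Only the option subset used in these posts
is handled; anything else raises ValueError rather than guessing."""
import shlex

CHAIN = {"-I": "input", "-O": "output", "-F": "forward"}
COMMAND = {"-a": "-A", "-i": "-I", "-d": "-D"}  # append / insert / delete
TARGET = {"accept": "ACCEPT", "deny": "DENY", "reject": "REJECT",
          "masquerade": "MASQ", "m": "MASQ"}


def _tokens(line):
    """Split the command line, expanding fused flags such as -If or -Ia."""
    out = []
    for t in shlex.split(line):
        if len(t) == 3 and t[0] == "-" and t[1] in "IOF" and t[2] in "aidfp":
            out += ["-" + t[1], "-" + t[2]]
        else:
            out.append(t)
    return out


def _addr_spec(toks, i):
    """Read 'address [port ...]' after -S/-D; return (address, ports), next index."""
    addr, ports, i = toks[i], [], i + 1
    while i < len(toks) and not toks[i].startswith("-"):
        ports.append(toks[i])
        i += 1
    return (addr, ports or [None]), i


def _rule(cmd, chain, target, proto, src, sport, dst, dport, flag, log):
    parts = ["ipchains", cmd, chain, "-j", target]
    if proto:
        parts += ["-p", proto]
    if src:
        parts += ["-s", src] + ([sport] if sport else [])
    if dst:
        parts += ["-d", dst] + ([dport] if dport else [])
    if flag:
        parts.append(flag)
    if log:
        parts.append("-l")
    return " ".join(parts)


def ipfwadm_to_ipchains(line):
    """Return the list of ipchains command lines equivalent to one ipfwadm line."""
    toks = _tokens(line)
    if not toks or toks[0] != "ipfwadm":
        raise ValueError("not an ipfwadm command: %r" % line)
    chain = cmd = target = proto = None
    src = dst = (None, [None])          # (address, [port, ...]); [None] = any port
    flag, log, bidir = "", False, False
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in CHAIN:
            chain = CHAIN[t]
        elif t in COMMAND or t == "-p":     # -p sets the chain's default policy
            cmd, target = COMMAND.get(t, "-P"), TARGET[toks[i + 1]]
            i += 1
        elif t == "-f":                     # flush the category
            cmd = "-F"
        elif t == "-P":                     # protocol
            proto = toks[i + 1]
            i += 1
        elif t in ("-S", "-D"):
            spec, i = _addr_spec(toks, i + 1)
            if t == "-S":
                src = spec
            else:
                dst = spec
            continue
        elif t == "-b":                     # bidirectional: emit the mirrored rule too
            bidir = True
        elif t == "-k":                     # ACK set: not a new connection request
            flag = "! -y"
        elif t == "-y":                     # SYN set and ACK clear
            flag = "-y"
        elif t == "-o":                     # ipfwadm -o logs matches; ipchains uses -l
            log = True
        else:
            raise ValueError("unsupported ipfwadm option %r" % t)
        i += 1
    if chain is None or cmd is None:
        raise ValueError("missing category or command in %r" % line)
    if cmd == "-P":
        return ["ipchains -P %s %s" % (chain, target)]
    if cmd == "-F":
        return ["ipchains -F %s" % chain]
    rules = []
    for sp in src[1]:
        for dp in dst[1]:
            rules.append(_rule(cmd, chain, target, proto, src[0], sp, dst[0], dp, flag, log))
            if bidir:
                rules.append(_rule(cmd, chain, target, proto, dst[0], dp, src[0], sp, flag, log))
    return rules
```

Run it over a whole ipfwadm script line by line and review the output before loading it; -V (interface address) has no ipchains equivalent and is rejected on purpose.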
 


ipchains vs. ipfwadm (fwd)

1999-06-23 Thread Ely J. Alvarado


   I've just upgraded my kernel from 2.0.34 to 2.2.39, but I still
have to boot with my old kernel, because I don't know how to use
ipchains to enable IP masquerade; the old instruction said:

ipfwadm -F -a m -S 192.168.2.0/24 -D 0.0.0.0/0

could anyone help me?

Ely Alvarado





SLink ipfwadm or ipchains?

1999-03-17 Thread Wayne Cuddy
Does SLink use ipfwadm or ipchains for firewalling and NAT?

Thanks,
Wayne



Re: SLink ipfwadm or ipchains?

1999-03-17 Thread Ben Collins
On Wed, Mar 17, 1999 at 11:50:06AM -0500, Wayne Cuddy wrote:
 Does SLink use ipfwadm or ipchains for firewalling and NAT?

It's enabled for both. If you run a 2.0.x kernel (the default on slink)
then you will need to use ipfwadm. If you upgrade to a 2.2.x kernel, then
you will need to use ipchains (or the ipfwadmwrapper included with
ipchains).

-- 
--- -  -   ---  -  - - ---   
Ben Collins [EMAIL PROTECTED]  Debian GNU/Linux
OpenLDAP Core - [EMAIL PROTECTED] [EMAIL PROTECTED]
UnixGroup Admin - Jordan Systems The Choice of the GNU Generation
-- -- - - - ---   --- --  -  - ---  -  --


Re: where is the ipfwadm stuff by default?

1999-02-20 Thread wtopa

Subject: where is the ipfwadm stuff by default?
Date: Fri, Feb 19, 1999 at 11:26:07PM -

In reply to:Pollywog

Quoting Pollywog([EMAIL PROTECTED]):
 
 I have a couple of ipfwadm rules in effect that I did not add.  That means
 that the default installation has rules someplace.  Does anyone know where I
 can find them?  Perhaps I should put all my rules in the same place.
 
 thanks

rgrep ipfwadm /mnt/etc/*


-- 
To the systems programmer, users and applications serve only to provide
a test load.
___
Wayne T. Topa [EMAIL PROTECTED]


Re: where is the ipfwadm stuff by default?

1999-02-20 Thread wtopa

Subject: Re: where is the ipfwadm stuff by default?
Date: Sat, Feb 20, 1999 at 10:53:30AM +

In reply to:[EMAIL PROTECTED]

Quoting [EMAIL PROTECTED]([EMAIL PROTECTED]):
 
 
   Subject: where is the ipfwadm stuff by default?
   Date: Fri, Feb 19, 1999 at 11:26:07PM -
 
 In reply to:Pollywog
 
 Quoting Pollywog([EMAIL PROTECTED]):
  
  I have a couple of ipfwadm rules in effect that I did not add.  That means
  that the default installation has rules someplace.  Does anyone know where I
  can find them?  Perhaps I should put all my rules in the same place.
  
  thanks
 
 rgrep ipfwadm /mnt/etc/*
 

Woops, I was on slackware when I did that, sorry

rgrep ipfwadm /etc/*

But you knew that, didn't you?

-- 
Man is the best computer we can put aboard a spacecraft ... and the
only one that can be mass produced with unskilled labor.
-- Wernher von Braun
___
Wayne T. Topa [EMAIL PROTECTED]


Re: where is the ipfwadm stuff by default?

1999-02-20 Thread Pollywog

On 20-Feb-99 [EMAIL PROTECTED] wrote:
 Woops, I was on slackware when I did that, sorry
 
 rgrep ipfwadm /etc/*

oic   Thanks.

--
Andrew


Re: where is the ipfwadm stuff by default?

1999-02-20 Thread Pollywog

On 20-Feb-99 [EMAIL PROTECTED] wrote:
 
   Subject: where is the ipfwadm stuff by default?
   Date: Fri, Feb 19, 1999 at 11:26:07PM -
 
 In reply to:Pollywog
 
 Quoting Pollywog([EMAIL PROTECTED]):
 
 I have a couple of ipfwadm rules in effect that I did not add.  That means
 that the default installation has rules someplace.  Does anyone know where
 I
 can find them?  Perhaps I should put all my rules in the same place.
 
 thanks
 
 rgrep ipfwadm /mnt/etc/*

u   What will that do?

--
Andrew


Re: where is the ipfwadm stuff by default?

1999-02-20 Thread wtopa

Subject: Re: where is the ipfwadm stuff by default?
Date: Sat, Feb 20, 1999 at 05:44:56PM -

In reply to:Pollywog

Quoting Pollywog([EMAIL PROTECTED]):
 
 
 On 20-Feb-99 [EMAIL PROTECTED] wrote:
  
Subject: where is the ipfwadm stuff by default?
Date: Fri, Feb 19, 1999 at 11:26:07PM -
  
  In reply to:Pollywog
  
  Quoting Pollywog([EMAIL PROTECTED]):
  
  I have a couple of ipfwadm rules in effect that I did not add.  That means
  that the default installation has rules someplace.  Does anyone know where
  I
  can find them?  Perhaps I should put all my rules in the same place.
  
  thanks
  
  rgrep ipfwadm /mnt/etc/*
 
 u   What will that do?
 
 --
 Andrew

It would show what files contain ipfwadm on the distribution you had
mounted the root partition on /mnt.  Which is what I had done to
answer your question.  I had mounted slink / on /mnt.

I had hoped you could figure that one out.  Sorry to have further
confused you.


-- 
This sentence contradicts itself -- no actually it doesn't.
-- Hofstadter
___
Wayne T. Topa [EMAIL PROTECTED]


ipfwadm / ipchains: can't enable ssh !

1999-02-19 Thread Michael Agbaglo
192.168.100.108 is the local machine  - 192.168.100.* is outside.
I can telnet and ping outside - no problem. But I can't ssh to
192.168.100.102,
telnet on 192.168.100.108 doesn't work either and somehow printer jobs
aren't send until I disable the firewall

:-/

FW=/sbin/ipchains

case $1 in

start)

# default policy
${FW} -P forward DENY
${FW} -P input DENY
${FW} -P output DENY


# loopback
${FW} -A input -j ACCEPT -i lo
${FW} -A output -j ACCEPT -i lo

 
${FW} -A output -j ACCEPT -i eth0 -p tcp -s 192.168.100.108
${FW} -A output -j ACCEPT -i eth0 -p udp -s 192.168.100.108



${FW} -A input -j ACCEPT -i eth0 -p tcp \
-d 192.168.100.108 1024: ! -y
${FW} -A input -j ACCEPT -i eth0 -p udp \
-d 192.168.100.108 1024:



${FW} -A input -j ACCEPT -i eth0 -p tcp -d 192.168.100.108 25



${FW} -A input -j ACCEPT -i eth0 -p icmp
${FW} -A output -j ACCEPT -i eth0 -p icmp

# masquerade

${FW} -A forward -j MASQ -i ppp0 

;;

stop)
${FW} -F
;;

esac


where is the ipfwadm stuff by default?

1999-02-19 Thread Pollywog
I have a couple of ipfwadm rules in effect that I did not add.  That means
that the default installation has rules someplace.  Does anyone know where I
can find them?  Perhaps I should put all my rules in the same place.

thanks

--
Andrew


ipfwadm x ipchains

1999-01-21 Thread Mário Olímpio de Menezes

Hi,

I'm in the way of doing a upgrade to the 2.1.125 kernel.  
I noticed that the ipfirewall/ipmasquerade options are quite
different from 2.0.3x. 
Is there some handy howto/recipe to migrate from ipfwadm to
ipchains rules?
I compiled the kernel with the following options:

# Networking options
#
CONFIG_PACKET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
# CONFIG_IP_FIREWALL_NETLINK is not set
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
# CONFIG_IP_MASQUERADE_MOD is not set
CONFIG_IP_ROUTER=y


And when booting the new kernel (2.1.125) it can't set the
firewalling/masquerading rules; something as socket failed operation not
permitted

Any help?


[]s,
Mario O.de Menezes | Many are the plans in a man's heart, but
IPEN-CNEN/SP   | is the Lord's purpose that prevails Prov. 19.21


Squid/ipfwadm interrelated problem.

1998-12-22 Thread Sergey Imennov
Hello.

Sorry for a rather vague subject, but it's pretty tough
to describe the problem in just a couple of words...

Anyway, I have the Linux box doing the IP Masquerading,
using ipfwadm. It works. Whenever a Windows 98 machine
tries to connect to the net, without using a proxy server
( i.e. Squid ), I can see that the DNS works correctly,
since all the addresses resolve, however, all of the
outside connections, using either IP addresses, or names
time out. I tried pinging www.yahoo.com from the 98
machine, and after a successful DNS lookup, ping gets
'Timed Out' ( or something to that extent ).

However, if I use Squid as a proxy for the http/ftp
traffic ( pings still don't work, obviously ), the names
resolve correctly, and the data is returned properly ( as
it should. )

Seems like I overshot ipfwadm's while configuring
allow/deny rules, however, I didn't touch the in the last
6 months, honest. Here they are anyhow:


ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0


Any Ideas?

Thank you, Nikita Imennov.


Re: ipfwadm

1998-12-21 Thread wtopa

Take a look at http://www.xos.nl/linux/ipfwadm/paper/


Subject: re: ipfwadm
Date: Mon, Dec 21, 1998 at 09:17:15AM +1100

In reply to:Michael Fox

Quoting Michael Fox([EMAIL PROTECTED]):
 
 Anyone care to show me a quick and dirty ipfwadm script to allow
 ftp/http/irc/mail/dns in/out from linux machine..
 
 I'd like to enable ipfw filters.. but stuck on the writing of the ipfw.sh
 script I would run.. examples would be great..
 
 -- Michael
 Administrator
 maf networking services
 [EMAIL PROTECTED]
 http://www.mafnet.com/
 
 
 
 
 

-- 
Real programmers disdain structured programming.  Structured programming 
is for compulsive neurotics who were prematurely toilet-trained.  They 
wear neckties and carefully line up pencils on otherwise clear desks.
___
Wayne T. Topa [EMAIL PROTECTED]


ipfwadm icmp (aka ping reply deny)

1998-12-21 Thread debian
I am still getting used to this ipfwadm.. guess it is a better time than any
to learn some more... Anyway already have a real to block icmp pings.. I
want my machine to not reply to these.. so anyone willing to paste me an
example.

Basically I don't want my machine to ping reply.. I think it uses icmp, so that
would be part of the rule.

Would this example work.. or could someone recommend something better that
will just stop ping replies..

ipfwadm -I -a reject -P icmp -S 0.0.0.0/0.0.0.0 -D 0.0.0.0/0.0.0.0

Thanks
Michael


ipfwadm, win95 and dhcp

1998-12-21 Thread tony mollica
Hi.  I have a nicely functioning masquerading 
Debian 2.0 (2.0.34) box with the following 
exception:  when the win95 machines (connected
to a winnt4.0sp3 network) get their ip's by
way of the nt dhcp service, ip_masquerading
doesn't work.  When I assign the ip to their
respective machines the masqing works fine.

Is there a way to make this work with the
computers on the nt network using dhcp to
get the ip addresses?  Have I overlooked 
something?

thanks,

tony mollica
[EMAIL PROTECTED]


ipfwadm ip packet filtering

1998-12-21 Thread iodine

Ok cool.. The script I got works ok.. few problems.. one of which I want to
solve ASAP is that snmpd doesn't work.. I run mrtg on the linux machine that
the packet filtering runs on.. I tried several commands that deal with ports
161, 162. But still not managed to get snmpd to work. Anyone care to help
me...

Regards,
Michael


Re: ipfwadm ip packet filtering

1998-12-21 Thread iodine
Ideally.. I'd like to allow snmpd to work on my whole 203.41.122.128/26
subnet.. so that I can monitor a few other pcs...

Thanks
Michael



Ok cool.. The script I got works ok.. few problems.. one of which I want to
solve ASAP is that snmpd doesn't work.. I run mrtg on the linux machine
that
the packet filtering runs on.. I tried several commands that deal with
ports
161, 162. But still not managed to get snmpd to work. Anyone care to help
me...

Regards,
Michael






re: ipfwadm

1998-12-20 Thread Michael Fox
Anyone care to show me a quick and dirty ipfwadm script to allow
ftp/http/irc/mail/dns in/out from linux machine..

I'd like to enable ipfw filters.. but stuck on the writing of the ipfw.sh
script I would run.. examples would be great..

-- Michael
Administrator
maf networking services
[EMAIL PROTECTED]
http://www.mafnet.com/



re: ipfwadm

1998-12-20 Thread Nuno Carvalho
On Mon, 21 Dec 1998, Michael Fox wrote:

 Anyone care to show me a quick and dirty ipfwadm script to allow
 ftp/http/irc/mail/dns in/out from linux machine..
 
 I'd like to enable ipfw filters.. but stuck on the writing of the ipfw.sh
 script I would run.. examples would be great..

 I'm using that one in attachment. It was made by a nice person I'd found
on #debian channel.

 I just added the last line of script about not let outgoing packets.

 Hope that help.

 Best regards,
   Nuno Carvalho

   Nuno Emanuel F. Carvalho
 Dep. Informatics Engineering
University of Coimbra

  PGP key available at finger
#! /bin/sh
echo -n "Installing firewall : "
ports="telnet discard domain www ssh"
udps="domain"
act=reject     # deny (waiting.. waiting..)
               # or reject (connection refused)
 my_ip="your ip"
 mymask=""

 ipfwadm -If              # Flush rules
 ipfwadm -I -p accept     # accept by default

# accept anything from this machine and its network
 ipfwadm -I -a accept -S 127.0.0.1/255.255.255.0 -D 0.0.0.0/0.0.0.0
 ipfwadm -I -a accept -S ${my_ip}${mymask} -D 0.0.0.0/0.0.0.0

# allow all ICMP packets to go through.

 ipfwadm -I -a accept -P icmp -S 0.0.0.0/0.0.0.0 -D 0.0.0.0/0.0.0.0

# allow anyone to connect to these TCP ports..
 for port in $ports ; do 
  ipfwadm -I -a accept -P tcp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
 done

 ipfwadm -I -a accept -P tcp -S ${my_ip} -D ${my_ip}${mymask} smtp

# ..and these UDP ports
 for port in $udps ; do 
  ipfwadm -I -a accept -P udp -S 0.0.0.0/0.0.0.0 -D ${my_ip}${mymask} $port
 done

# deny all other Well-Known Services
# (the source needs the /0 mask: a bare 0.0.0.0 means the single host 0.0.0.0,
#  so the deny rules would never match)
 ipfwadm -I -a ${act} -P tcp -S 0.0.0.0/0 -D ${my_ip}${mymask} 1:1023
 ipfwadm -I -a ${act} -P udp -S 0.0.0.0/0 -D ${my_ip}${mymask} 1:1023

#done

###
## don't allow outgoing packets on such ports
###
 ipfwadm -Of
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} domain
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} discard
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} daytime
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} time
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} sunrpc
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} exec
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} login
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} cmd
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} shell
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} printer
 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} 6000   # xterm

 ipfwadm -O -a deny -P tcp -D 0/0 -S ${my_ip} finger

echo "done."


Re: Ipfwadm/ipchains admin

1998-12-15 Thread Nuno Carvalho
On Tue, 15 Dec 1998, Robert Claeson wrote:

 Some time ago, I happened to find a web-based admin utility for ipfwadm
 and ipchains. Now that I need it, I can't seem to find it anymore.
 Perhaps somebody out there can help me out?

 You can check it on their official site:

   http://www.xos.nl/linux/ipfwadm/paper/
   
 and

   http://www.rustcorp.com/linux/ipchains/

 Best regards,
   Nuno Carvalho

   Nuno Emanuel F. Carvalho
 Dep. Informatics Engineering
University of Coimbra

  PGP key available at finger


Re: Ipfwadm/ipchains admin

1998-12-15 Thread Robert Claeson
Nuno Carvalho wrote:

  Some time ago, I happened to find a web-based admin utility for ipfwadm
  and ipchains. Now that I need it, I can't seem to find it anymore.
  Perhaps somebody out there can help me out?

  You can check it on their official site:

http://www.xos.nl/linux/ipfwadm/paper/

Nope, not quite the stuff that I saw some time ago.


re: ipfwadm

1998-12-14 Thread debian
I have my linux machine routing my packets from my lans 64 ip subnet..
Anyone tell me if I can compile kernel with ipfw support and setup some ip
firewall rules using ipfwadm.. and do some packet filtering..

the machine with the link does.. www/mail/ftp/http/dns/irc so the firewall
should allow all this.

Any help appreciated.

Regards,
Michael


Ipfwadm/ipchains admin

1998-12-14 Thread Robert Claeson
Some time ago, I happened to find a web-based admin utility for ipfwadm
and ipchains. Now that I need it, I can't seem to find it anymore.
Perhaps somebody out there can help me out?

Thank's,

Robert


Re: Blocking an arbitrary port with ipfwadm

1998-11-28 Thread Carey Evans
Damon Muller [EMAIL PROTECTED] writes:

 What I want to do is use ipfwadm to block a single port - namely 31337 
 (UDP). For anyone who has had their head in the sand for the last few
 months, that's the port that Back Orifice listens on by default.

ipfwadm -I -a reject -P udp -D 192.168.20.0/24 31337 -o

That's:
  -I = check incoming packets.
  -a reject = Let the sender know we're rejecting them.  You can use
-a deny instead to drop them silently.
  -P udp = UDP packets only.
  -D 192.168.20.0/24 31337 = destination anywhere on your network (fix 
this) on port 31337.  Maybe 0.0.0.0/0 31337 to stop *your* users
connecting to another BO server.
  -o = Log the address of the offender, so you can complain to their ISP.

This will also drop some legitimate UDP comms, if something happens to 
grab port 31337 itself.  I could live with this.

-- 
 Carey Evans  http://home.clear.net.nz/pages/c.evans/

Is there anyone who actually believes that USAicans are so modest or
intellectually honest as to be unable to find someone to sue? - Cameron Laird


Blocking an arbitrary port with ipfwadm

1998-11-27 Thread Damon Muller
Hi Folks,

Not sure if this has been covered before, and it isn't 100%
debian-specific, but I thought some ipfwadm guru out there might be able
to help a poor clueless idiot such as myself.

What I want to do is use ipfwadm to block a single port - namely 31337 
(UDP). For anyone who has had their head in the sand for the last few
months, that's the port that Back Orifice listens on by default.

This isn't meant to be a full-on firewall at the moment, but I'd
specifically like to block that port so someone doesn't hijack the
Windoze machines of some of our more clueless ppp users.

Any pointers would be very helpful (please don't just say RTFM - I did,
but it didn't make too much sense to me).

Thanks,

damon

--
Damon Muller  | Did a large procession wave their torches
([EMAIL PROTECTED]) | As my head fell in the basket,
Network Administrator | And was everyone dancing on the casket...
EmpireNET |  - TBMG, Dead


Re: ipfwadm/ipchains

1998-11-25 Thread Daniel Podlejski
Michael Laing wrote:
[...]
: It's not totally clear to me how to use ipfwadm to do this...
: 
: Also, I am considering moving to slink and kernel 2.1.125 and using
: ipchains instead. It looks simpler and I would like to learn just one
: tool, if possible.

Use ipfwadm-wrapper, not ipfwadm.

For example:

ipfwadm-wrapper -F -p deny

(set default policy to deny)

ipfwadm-wrapper -F -a accept -P tcp -S 192.168.0.0/24 -D 195.117.237.131 80

(allow connections from your local network (192.168.0.0/24 - it's an
example) to the WWW server at 195.117.237.131)

-- 
Daniel Podlejski  [EMAIL PROTECTED]
http://underley.zakopane.top.pl/
   ... I, hate the rain and sunny weather,
   and I, hate the beach and moutains too ...


ipfwadm/ipchains

1998-11-24 Thread Michael Laing

I am helping our local school district set up linux servers as POPS so
people can dial in using PPP and access some specific servers in our
WAN.

I've got PPP working fine and now need to add firewall rules to limit
access to only a short list of servers.

It's not totally clear to me how to use ipfwadm to do this...

Also, I am considering moving to slink and kernel 2.1.125 and using
ipchains instead. It looks simpler and I would like to learn just one
tool, if possible.

Anyone have any comments/help?

Thanks,
ml



Some help on ipfwadm

1998-11-08 Thread Nuno Carvalho
Hi,

 What I want !? Mainly it's: have incoming telnet session and since
someone it's on my machine could not make outgoing telnet sessions ...

 As i'm using kernel 2.0.35, I think, I must be using ipfwadm instead of
ipchains (for 2.1.xx series kernel).

 1. It's out there any good ipfwadm tutorial without 'man ipfwadm' ?
 2. When I've IP Firewall, IP Masquerable, IP Forwarding, etc I can't get
my ISDN connection ! ;(

- cut here --
Nov  8 12:08:08 cavern kernel: isdn_net: ippp0: dial suppressed: isdn stopped
Nov  8 12:08:08 cavern kernel: isdn_net: local hangup ippp0
Nov  8 12:08:08 cavern kernel: fsm error: event 4 on state 0
Nov  8 12:08:08 cavern kernel: ippp0: Chargesum is 0
- cut here ---

 I'm using just my computer with an ISDN card and any kind of network card!
  

 How can I resolve that !?

 Thanks.

 Best regards,
  Nuno Carvalho

P.S. Is there any other way to resolve this !? Change inetd.conf isn't
enough ! There's a way . remove telnet package ! 


   Nuno Emanuel F. Carvalho
 Dep. Informatics Engineering
University of Coimbra

  PGP key available at finger


Re: Some help on ipfwadm

1998-11-08 Thread Martin Bialasinski

 NC == Nuno Carvalho [EMAIL PROTECTED] writes:

NC 2. When I've IP Firewall, IP Masquerable, IP Forwarding, etc I can't get
NC my ISDN connection ! ;(

NC - cut here --
NC Nov  8 12:08:08 cavern kernel: isdn_net: ippp0: dial suppressed: isdn 
stopped
NC Nov  8 12:08:08 cavern kernel: isdn_net: local hangup ippp0
NC Nov  8 12:08:08 cavern kernel: fsm error: event 4 on state 0
NC Nov  8 12:08:08 cavern kernel: ippp0: Chargesum is 0
NC - cut here ---

You must be using CVS isdnutils and kerneldrivers?

Add 
/usr/sbin/isdnctrl system on
/usr/sbin/isdnctrl status ippp0 on
to your /etc/isdn/device.ippp0

Only one of the lines is needed, but I don't remember which, so just
add both :-) 

Ciao,
Martin


Some help on ipfwadm

1998-11-08 Thread Nuno Carvalho

 Sorry if this message is duplicated but i was *again* removed from this
mailing list and needed to subscribe again !

-- Forwarded message --
Date: Sun, 8 Nov 1998 18:30:38 + (WET)
From: Nuno Carvalho [EMAIL PROTECTED]
To: debian-user@lists.debian.org
Subject: Some help on ipfwadm

Hi,

 What I want !? Mainly it's: have incoming telnet session and since
someone it's on my machine could not make outgoing telnet sessions ...

 As i'm using kernel 2.0.35, I think, I must be using ipfwadm instead of
ipchains (for 2.1.xx series kernel).

 1. It's out there any good ipfwadm tutorial without 'man ipfwadm' ?
 2. When I've IP Firewall, IP Masquerable, IP Forwarding, etc I can't get
my ISDN connection ! ;(

- cut here --
Nov  8 12:08:08 cavern kernel: isdn_net: ippp0: dial suppressed: isdn stopped
Nov  8 12:08:08 cavern kernel: isdn_net: local hangup ippp0
Nov  8 12:08:08 cavern kernel: fsm error: event 4 on state 0
Nov  8 12:08:08 cavern kernel: ippp0: Chargesum is 0
- cut here ---

 I'm using just my computer with an ISDN card and any kind of network card!
  

 How can I resolve that !?

 Thanks.

 Best regards,
  Nuno Carvalho

P.S. Is there any other way to resolve this !? Change inetd.conf isn't
enough ! There's a way . remove telnet package ! 


   Nuno Emanuel F. Carvalho
 Dep. Informatics Engineering
University of Coimbra

  PGP key available at finger



ipfwadm error

1998-10-19 Thread Collin Rose
When I boot my system it says

ipfwadm: setsockopt error protocol not available 

or something like that. What is the problem?


cc replies to [EMAIL PROTECTED] please


Re: ipfwadm error

1998-10-19 Thread Manoj Srivastava
Hi,
Collin == Collin Rose [EMAIL PROTECTED] writes:

 Collin When I boot my system it says
 Collin ipfwadm: setsockopt error protocol not available 

 Collin or something like that. What is the problem?

Chances are, you moved to a 2.1.1XX kernel. The newer kernels
 require ipchains, not ipfwadm.

manoj
-- 
 Lackland's Laws: Never be first. Never be last. Never volunteer for
 anything
Manoj Srivastava  [EMAIL PROTECTED] http://www.datasync.com/%7Esrivasta/
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E


How do I get FTP to work through ipfwadm

1998-10-13 Thread Bruce Jackson
I need to be able to get both Netscape and regular command line ftp to
work.

Here is my script.  I get the following error under Windows command
line FTP: "PORT argument must be 1025 or greater". The following is my
script:


#!/bin/sh

ISP_IP=`ifconfig ppp0 | grep 'inet addr' | awk '{print $2}'| sed -es/addr\://`

echo $ISP_IP

FIREWALL_SERVER=192.168.1.1
NETWORK=192.168.1.0/24
ALLIP=0.0.0.0/0
HIPORTS=1024:65535

#Flush out any existing rules
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
#Start by denying everything
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny
#Deny Spoofed packets
#ipfwadm -I -a deny -V $ISP_IP -S $NETWORK -D $ALLIP
#ipfwadm -I -a deny -V $ISP_IP -S $ISP_IP -D $ALLIP
#Allow unlimited internal traffic
ipfwadm -I -a accept -V $FIREWALL_SERVER -S $ALLIP -D $ALLIP
ipfwadm -O -a accept -V $FIREWALL_SERVER -S $ALLIP -D $ALLIP
ipfwadm -F -a accept -V $FIREWALL_SERVER -S $ALLIP -D $ALLIP
#Allow outgoing tcp packets for www, smtp, nntp and dns
echo step 1
ipfwadm -O -a accept -P tcp -S $NETWORK $HIPORTS -D $ALLIP www smtp pop-3 nntp domain
ipfwadm -O -a accept -P tcp -S $ISP_IP $HIPORTS -D $ALLIP www smtp pop-3 nntp domain
ipfwadm -O -a accept -P udp -S $NETWORK $HIPORTS -D $ALLIP domain
ipfwadm -O -a accept -P udp -S $ISP_IP $HIPORTS -D $ALLIP domain
#Allow incoming packets that have the ACK bit set (i.e. are responses)
echo step 2
ipfwadm -I -a accept -k -P tcp -S $ALLIP www smtp pop-3 nntp domain -D $NETWORK $HIPORTS
ipfwadm -I -a accept -k -P tcp -S $ALLIP www smtp pop-3 nntp domain -D $ISP_IP $HIPORTS
# This allows ftp servers to set up the second data channel, whatever that
# means, basically you need it to use ftp
echo step 3
ipfwadm -O -a accept -P tcp -S $NETWORK $HIPORTS -D $ALLIP ftp ftp-data
ipfwadm -O -a accept -P tcp -S $ISP_IP $HIPORTS -D $ALLIP ftp ftp-data
ipfwadm -I -a accept -P tcp -S $ALLIP ftp ftp-data -D $NETWORK $HIPORTS
ipfwadm -I -a accept -P tcp -S $ALLIP ftp ftp-data -D $ISP_IP $HIPORTS
ipfwadm -I -a accept -P udp -S $ALLIP domain -D $NETWORK $HIPORTS
ipfwadm -I -a accept -P udp -S $ALLIP domain -D $ISP_IP $HIPORTS
#enable masquerading of packets
echo step 4
ipfwadm -F -a masquerade -S $NETWORK -D $ALLIP
echo step 5



Thanks in advance for any help.

Bruce Jackson
Linux:  because reboots are for hardware upgrades!!


Re: IPPORTFW IPFWADM

1998-09-09 Thread Jaakko Niemi
 Whenever I type an ipportfw command, I always get an error back:
 
 ipfwadm: setsockopt failed: Protocol not available.
 
 What does this mean?  And how do I resolve this?  I have the current
 kernel, installed IPchains successfully, but need to get this piece of the
 puzzle going :)

 2.1 kernel? Have you compiled the firewall and ipfwadm/ipchains support into
 the kernel? Maybe you have them as modules and they're not loaded.

--j



IPPORTFW IPFWADM

1998-09-08 Thread Frederic Breitwieser
Whenever I type an ipportfw command, I always get an error back:

ipfwadm: setsockopt failed: Protocol not available.

What does this mean?  And how do I resolve this?  I have the current
kernel, installed IPchains successfully, but need to get this piece of the
puzzle going :)

Thanks in advance,


Frederic Breitwieser
Bridgeport, CT 06606

Homebrew Automotive Website:
http://www.xephic.dynip.com/

Wanted - RWD Buick Flywheel that fits the 3.8L / 4.1L!
-


where is ipfwadm in hamm?

1998-07-02 Thread Mario Olimpio de Menezes

Hi,

I just upgraded to hamm and now need to set up my two private
networks again. Can I use the old ipfwadm? How do I set up masquerading in
hamm? The ipmasq(8) program doesn't have a man page.
Please, I need urgent help, since my division is off.
Thanks,
[]s,
Mario O. de Menezes             Many are the plans in a man's heart, but
IPEN-CNEN/SP                    it is the Lord's purpose that prevails
http://curiango.ipen.br/~mario  Prov. 19.21


--  
Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null


ipfwadm

1998-06-16 Thread Ben Szyc
I'm running Debian 1.3. I have 2 Windowz95 machines connecting to my Debian
box across a LAN then out on the net using ipfwadm. IRC (except for DCC
chat & send) and web browsing work ok but usenet, cuseeme, ICQ, real audio
don't want to function at all. I've also got Squid running as a proxy
server. It's got me stuffed!
Any ideas would be much appreciated.
thanx in advance

To get started I type: ipfwadm -F -a acc -m -b -S192.168.0.0/24




Re: ipfwadm

1998-06-16 Thread Paul Miller

Load the ip_masq_* modules...  That fixed my problem w/ sending DCC (I
could receive, which is kinda odd).

Look in /lib/modules/2.0.34/ipv4 for all the possible modules (assuming
you compiled them) and run:

insmod ip_masq_irc
etc.

-Paul

On Tue, 16 Jun 1998, Ben Szyc wrote:

 I'm running Debian 1.3. I have 2 Windowz95 machines connecting to my Debian
 box across a LAN then out on the net using ipfwadm. IRC (except for DCC
 chat & send) and web browsing work ok but usenet, cuseeme, ICQ, real audio
 don't want to function at all. I've also got Squid running as a proxy
 server. It's got me stuffed!
 Any ideas would be much appreciated.
 thanx in advance
 
 To get started I type: ipfwadm -F -a acc -m -b -S192.168.0.0/24
 
 
 




IP Masquerading - getting ipfwadm: setsockopt failed .... Is Debian 1.3 (bo) compiled with IP-masquerading?

1998-05-10 Thread Milan Zimmermann
I am wondering, is the default kernel from 386-binary(bo) compiled with
Masquerading?

I do not know if that is my problem, but whenever I try to use the
ipfwadm command (with [hopefully] valid switches) I always get the
message "ipfwadm: setsockopt failed: Protocol not available".

Thanks, Milan




Re: ipfwadm

1997-12-05 Thread Carey Evans
Mark Stone [EMAIL PROTECTED] writes:

 In order to use the ipfwadm command set, what options and modules need to
 be selected in configuring the kernel?

Under "Networking options", I think you need to have "IP: firewalling"
selected.  You'll also need to select "Network firewalls" to be able
to choose this option.

-- 
Carey Evans  *  http://home.clear.net.nz/pages/c.evans/  gc

 Trust Ivanova.  Trust yourself.  Anybody else - shoot 'em.




ipfwadm

1997-12-04 Thread Mark Stone
In order to use the ipfwadm command set, what options and modules need to
be selected in configuring the kernel? I thought I had done this
correctly, but keep getting an error message when I try to use ipfwadm.
The error message is something like "SOCKOPT error: protocol not
available".



Mark Stone | [EMAIL PROTECTED] | http://shell.nanospace.com/~markst
__

Powered online by Debian/GNU






xosview Re: IP address and ipfwadm

1997-09-24 Thread Carey Evans
Lawrence [EMAIL PROTECTED] writes:

[snip]

 xosview stalls once I execute either one of the above commands, it seems
 that xosview expects a non-anywhere source/destination.

I expect this would be because it wants to track both incoming and
outgoing packets separately.  It shouldn't lock up though.

xosview has other problems: it calls free() for the same memory twice
when exiting, it displays shared memory wrong[1], and it needs to be
setuid-root to display serial port info.

Check whether procmeter does what you want, even if you use IP
accounting with both directions specified.

[1] xosview &
while :; do sleep 60 & done
^C
killall sleep

-- 
Carey Evans  *  http://home.clear.net.nz/pages/c.evans/  gc

kernel: Warning: possible SYN flooding. Sending cookies. 
kernel: validated probe(17f, 17f, 11557, 5010, -1645409555) 




Re: IP address and ipfwadm

1997-09-23 Thread Lawrence
Carey Evans wrote:
 Apart from looking at ip-up, I'd suggest you also think about other
 ways of doing this, like:
 
 # ipfwadm -A -a
 
 if you only have the dialup interface, or
 
 # ipfwadm -A -a -W ppp0
 
 if you just want to do accounting on your PPP connections.

xosview stalls once I execute either one of the above commands, it seems
that xosview expects a non-anywhere source/destination.

Lawrence




Re: IP address and ipfwadm

1997-09-23 Thread Lawrence
Elie Rosenblum wrote:
 $IPADDR=`ifconfig ppp0|perl -ne 'print $1 if (/inet addr:(\S+)\s/);'`
 ipfwadm -A -a -P $IPADDR -D 0/0

It is what I want, thanks, though I found that I don't need '$' for the
first line.

Lawrence




Re: IP address and ipfwadm

1997-09-22 Thread Carey Evans
Lawrence [EMAIL PROTECTED] writes:

 I am using dialup PPP and need to run ipfwadm everytime I connect to my
 ISP.  I know that I can put ipfwadm into /etc/rc file.  What is the
 best/easy way to get the IP address other than using ifconfig or route
 (they are not good because the output is more than one line)?
 
 ipfwadm -A -a -P <My IP address goes here> -D 0/0

Is that really what you want?

# ipfwadm -A -a -P 192.168.117.2 -D 0/0
ipfwadm: invalid protocol 192.168.117.2 specified
Try `ipfwadm -h' for more information.

I'll assume that should be `-S'.

Apart from looking at ip-up, I'd suggest you also think about other
ways of doing this, like:

# ipfwadm -A -a

if you only have the dialup interface, or

# ipfwadm -A -a -W ppp0

if you just want to do accounting on your PPP connections.

-- 
Carey Evans  *  http://home.clear.net.nz/pages/c.evans/  gc

kernel: Warning: possible SYN flooding. Sending cookies. 
kernel: validated probe(17f, 17f, 11557, 5010, -1645409555) 




IP address and ipfwadm

1997-09-21 Thread Lawrence
I am using dialup PPP and need to run ipfwadm everytime I connect to my
ISP.  I know that I can put ipfwadm into /etc/rc file.  What is the
best/easy way to get the IP address other than using ifconfig or route
(they are not good because the output is more than one line)?

ipfwadm -A -a -P <My IP address goes here> -D 0/0

Lawrence




Re: IP address and ipfwadm

1997-09-21 Thread Martin Str|mberg
In article [EMAIL PROTECTED] Lawrence wrote:
: I am using dialup PPP and need to run ipfwadm everytime I connect to my
: ISP.  I know that I can put ipfwadm into /etc/rc file.  What is the
: best/easy way to get the IP address other than using ifconfig or route
: (they are not good because the output is more than one line)?
: 
: ipfwadm -A -a -P <My IP address goes here> -D 0/0

Look in /etc/ppp/ip-up!


Right,

MartinS




Re: IP address and ipfwadm

1997-09-21 Thread Elie Rosenblum
On Mon, 22 Sep 1997, Lawrence wrote:
 I am using dialup PPP and need to run ipfwadm everytime I connect to my
 ISP.  I know that I can put ipfwadm into /etc/rc file.  What is the
 best/easy way to get the IP address other than using ifconfig or route
 (they are not good because the output is more than one line)?
 
 ipfwadm -A -a -P <My IP address goes here> -D 0/0

$IPADDR=`ifconfig ppp0|perl -ne 'print $1 if (/inet addr:(\S+)\s/);'`
ipfwadm -A -a -P $IPADDR -D 0/0
whatever

---
Elie Rosenblum [EMAIL PROTECTED]   That is not dead which can eternal lie,
 [EMAIL PROTECTED]  And with strange aeons even death may die.
Developer / Mercenary / System Administrator - _The Necromicon_



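Extracting the address the thread is after, as an added example that is not from any of the posts: the function below pulls the interface's own address out of `ifconfig ppp0` output with one regular expression anchored on the `inet` keyword, so the peer address after `P-t-P:` is never picked up by mistake. It also accepts the newer `inet 192.0.2.45` layout that later ifconfig versions print, which goes beyond the output discussed here. The sample outputs are constructed, the addresses are RFC 5737 test addresses, and the names local_address and accounting_rule are mine. As Martin's reply says, none of this is needed inside /etc/ppp/ip-up, where pppd already passes the local address as the fourth argument.

```python
import re

# Constructed samples of 'ifconfig ppp0' output: the net-tools format of the period
# ("inet addr:") and the newer format ("inet "), which this example also accepts.
IFCONFIG_OLD = """\
ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.45  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
"""
IFCONFIG_NEW = """\
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.0.2.45  netmask 255.255.255.255  destination 192.0.2.1
"""
IFCONFIG_DOWN = """\
ppp0      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1500  Metric:1
"""

# Anchored on the 'inet' keyword, so the peer address after P-t-P:/destination is never matched.
ADDR_RE = re.compile(r"^\s*inet (?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})\b", re.MULTILINE)


def local_address(ifconfig_output):
    """Our own IPv4 address on the interface, or None if the link has none yet."""
    m = ADDR_RE.search(ifconfig_output)
    return m.group(1) if m else None


def accounting_rule(addr):
    """Carey's corrected form: the address belongs after -S (source), not -P (protocol)."""
    if addr is None:
        raise ValueError("no address yet: run this from /etc/ppp/ip-up, where $4 is the local IP")
    return f"ipfwadm -A -a -S {addr} -D 0/0"


if __name__ == "__main__":
    for name, text in (("old", IFCONFIG_OLD), ("new", IFCONFIG_NEW), ("down", IFCONFIG_DOWN)):
        print(name, local_address(text))
    print(accounting_rule(local_address(IFCONFIG_OLD)))
```

The regular expression does the job of the grep/awk/sed and perl pipelines in the thread in one step, and returning None for an interface without an address is what lets a caller fail loudly instead of emitting a rule with an empty address.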

Re: ipfwadm question

1997-08-27 Thread Michele Dalla Silvestra
On Tue, 26 Aug 1997, Mario Olimpio de Menezes wrote:

   My Linux box acts as an ip-masq for the internal sub-net of
 Windows machines. It has 3 cards: one for output to the Internet, with a
 valid IP address, and 2 for the internal sub-net.
   IP-Masq is working OK; all machines can telnet, browse, ftp, etc.
 to external servers on the Internet, being masqueraded with the Linux IP.
   I'm using this syntax:
 # ipfwadm -O -a deny -S 0.0.0.0/0 -D some.site.denied/0
 
 but it isn't working, since I can connect to the denied site from an inside
 machine. What is wrong? 

Have you tried:

# ipfwadm -F -p deny
# ipfwadm -F -a masq -S internal_net -D 0.0.0.0/0
# ipfwadm -F -i deny -S internal_net -D some.site.denied/32
(that is, adding a forwarding rule before masquerading)


Ciao

--
Dalla Silvestra Michele  Other info: finger://[EMAIL PROTECTED]
Key fingerprint = 68 02 A9 C7 FB 05 9E 9C  C7 B6 4A 13 61 25 5B 43




ipfwadm question

1997-08-26 Thread Mario Olimpio de Menezes

Hi,

I'm trying to set some rules for an output firewall, denying
access to some sites.
My Linux box acts as an ip-masq for the internal sub-net of
Windows machines. It has 3 cards: one for output to the Internet, with a
valid IP address, and 2 for the internal sub-net.
IP-Masq is working OK; all machines can telnet, browse, ftp, etc.
to external servers on the Internet, being masqueraded with the Linux IP.
I'm using this syntax:
# ipfwadm -O -a deny -S 0.0.0.0/0 -D some.site.denied/0

but it isn't working, since I can connect to the denied site from an inside
machine. What is wrong? 
Do I need some other software in order to have an Output
Firewall?
Thanks,

[]s,
Mario O. de Menezes             Many are the plans in a man's heart, but
IPEN-CNEN/SP                    it is the Lord's purpose that prevails
http://curiango.ipen.br/~mario  Prov. 19.21



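The rule sets posted in this thread and in Bruce Jackson's FTP script further up can be replayed offline with the following model of ipfwadm's first-match chains. This is an added example, not code from the list or from ipfwadm itself: it parses the command syntax used on this page (-I/-O/-F, -a/-i/-p, -S/-D with port lists, -P, -m, -b, -k), walks each chain in order and returns the first matching rule's policy, or the chain's default policy when nothing matches. Flush (-f), interface matches (-V/-W), redirection (-r) and the kernel's actual packet path are not modelled; the service port numbers, the RFC 1918/5737 addresses and the names deny_site and ftp_input_verdict are assumptions made for the illustration. With it you can see why Michele's answer inserts the deny rule with -i ahead of the masquerade rule: appended with -a it sits behind a rule that already matches every packet from the internal net, so it is never consulted. It also shows that a host written as some.site.denied/0 expands to 0.0.0.0/0, and what Bruce's input rules actually admit: the -k rules pass only packets with ACK set, the ftp/ftp-data rule without -k admits any new connection whose source port happens to be 20 or 21 to any internal high port, and a passive-mode data connection from a high server port falls through to the deny policy.

```python
import shlex
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

# Port names used in the posted rules, with their standard /etc/services numbers (assumed here).
SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop-3": 110, "nntp": 119}
POLICIES = {"acc": "accept", "accept": "accept", "deny": "deny", "reject": "reject", "masq": "masquerade", "masquerade": "masquerade"}
CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}
ANY = IPv4Network("0.0.0.0/0")
Packet = namedtuple("Packet", "proto src sport dst dport ack")  # ack=False models a connection's opening SYN
# sports/dports are [(lo, hi), ...] ranges (empty = any port); bidir is -b, ack_only is -k.
Rule = namedtuple("Rule", "policy proto src dst sports dports bidir ack_only",
                  defaults=("accept", "all", ANY, ANY, (), (), False, False))

def _addr(tok):
    """'192.168.0.0/24', 'default/0', '0/0' or a bare host (implies /32); note that host/0 becomes 0.0.0.0/0."""
    host, _, bits = tok.partition("/")
    host = "0.0.0.0" if host in ("default", "any", "0") else host
    return IPv4Network(f"{host}/{bits or 32}", strict=False)

def _ends(r, s, sp, d, dp):
    ok = lambda port, ranges: not ranges or any(lo <= port <= hi for lo, hi in ranges)
    return IPv4Address(s) in r.src and IPv4Address(d) in r.dst and ok(sp, r.sports) and ok(dp, r.dports)

def matches(r, p):
    """Does rule r match packet p? Note that a -k rule never matches a connection's opening SYN."""
    if r.proto not in ("all", p.proto) or (r.ack_only and not p.ack):
        return False
    return _ends(r, p.src, p.sport, p.dst, p.dport) or (r.bidir and _ends(r, p.dst, p.dport, p.src, p.sport))

def parse_ipfwadm(cmdline):
    """'ipfwadm -F -a acc -m -b -S192.168.0.0/24' -> (chain, command, Rule)."""
    argv, chain, cmd, kw, i = shlex.split(cmdline), None, None, {}, 1
    while i < len(argv):
        t = argv[i]
        if t in CHAINS:
            chain = CHAINS[t]
        elif t in ("-a", "-i", "-p"):           # append, insert at head, set default policy
            cmd, i = t, i + 1
            kw["policy"] = POLICIES[argv[i]]
        elif t[:2] in ("-S", "-D"):             # the address may be glued on: -S192.168.0.0/24
            key = "src" if t[1] == "S" else "dst"
            i += 0 if t[2:] else 1
            kw[key] = _addr(t[2:] or argv[i])
            ports = []                          # followed by zero or more port names or lo:hi ranges
            while i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
                ports.append([SERVICES.get(x) or int(x) for x in argv[i].split(":")])
            kw["sports" if key == "src" else "dports"] = [(p[0], p[-1]) for p in ports]
        elif t == "-P":
            i += 1
            kw["proto"] = argv[i]
        elif t == "-m":                         # '-a accept -m': accept and masquerade
            kw["policy"] = "masquerade"
        elif t in ("-b", "-k"):
            kw["bidir" if t == "-b" else "ack_only"] = True
        else:
            raise ValueError(f"option {t} not modelled here")
        i += 1
    return chain, cmd, Rule(**kw)

class Firewall:
    """Three chains; the first matching rule decides, otherwise the chain's default policy applies."""
    def __init__(self, script):
        self.rules = {c: [] for c in CHAINS.values()}
        self.policy = dict.fromkeys(CHAINS.values(), "accept")
        for line in script:
            chain, cmd, rule = parse_ipfwadm(line)
            if cmd == "-p":
                self.policy[chain] = rule.policy
            else:
                self.rules[chain].insert(0 if cmd == "-i" else len(self.rules[chain]), rule)

    def verdict(self, chain, pkt):
        return next((r.policy for r in self.rules[chain] if matches(r, pkt)), self.policy[chain])

# Constructed RFC 1918/5737 addresses stand in for internal_net, some.site.denied and an outside server.
INTERNAL, CLIENT, DENIED, OUTSIDE = "192.168.1.0/24", "192.168.1.50", "203.0.113.10", "198.51.100.5"

def deny_site(insert):
    """Michele's forward chain with the deny rule inserted (-i) or merely appended (-a)."""
    fw = Firewall(["ipfwadm -F -p deny",
                   f"ipfwadm -F -a masq -S {INTERNAL} -D 0.0.0.0/0",
                   f"ipfwadm -F {'-i' if insert else '-a'} deny -S {INTERNAL} -D {DENIED}/32"])
    return fw.verdict("forward", Packet("tcp", CLIENT, 40000, DENIED, 80, ack=False))

def ftp_input_verdict(sport, dport=40000, ack=False):
    """Bruce's input rules for replies and FTP, applied to one inbound packet from OUTSIDE."""
    fw = Firewall(["ipfwadm -I -p deny",
                   f"ipfwadm -I -a accept -k -P tcp -S 0/0 www smtp pop-3 nntp domain -D {INTERNAL} 1024:65535",
                   f"ipfwadm -I -a accept -P tcp -S 0/0 ftp ftp-data -D {INTERNAL} 1024:65535"])
    return fw.verdict("input", Packet("tcp", OUTSIDE, sport, CLIENT, dport, ack))

if __name__ == "__main__":
    print("deny appended after masq:", deny_site(False), "/ inserted before it:", deny_site(True))
    print("-D host/0 actually means:", parse_ipfwadm(f"ipfwadm -O -a deny -S 0/0 -D {DENIED}/0")[2].dst)
    print("FTP data SYN from port 20:", ftp_input_verdict(20), "/ from a high port (passive):", ftp_input_verdict(50000))
    print("SYN from port 20 to inside port 6000:", ftp_input_verdict(20, 6000),
          "/ HTTP reply with ACK:", ftp_input_verdict(80, ack=True), "/ HTTP SYN:", ftp_input_verdict(80))
```

The design choice worth copying is the one the kernel makes: a chain is an ordered list and the first match wins, so every rule has to be read together with the rules in front of it. That is why ordering bugs like an appended deny are invisible when you read a rule on its own, and why a "reply" rule keyed only on a privileged source port (ftp-data here) is really an allow-inbound rule for anyone who binds that port.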

Re: Squid + ipfwadm redirect transparent problems

1997-08-22 Thread Jason Gunthorpe

On Thu, 21 Aug 1997, Mike wrote:

 Jose Maria Omo Millan wrote:
 # Redirect to Squid proxy server
 /sbin/ipfwadm -I -a acc -P tcp -D default/0 80 -r 8080
 ERROR: The requested URL could not be retrieved
  While trying to retrieve the URL: / 
 
 The http 1.0 protocol does not send the requested IP address in the request. If
 a client asks for "http://www.playboy.com" then he opens a TCP connection
 to 205.216.146.202:80 and sends the text "GET / HTTP/1.0". Your squid would
 need to ask the firewall what destination IP address was in the packet, and
 I guess it can't do that.
 
 You can't mix proxies and straight http, they are different protocols.

Now I recall the trouble: you have to enable a Squid option for virtual
hosting. It will take the address from the socket, which is how Transparent
Proxy communicates the address.

Be very aware that this is not nearly as good as using squid as a proxy
with a proxy protocol; your cache hits will go down because sites with
multiple IPs for their servers will be cached multiple times.

With the new http clients you might not have a problem, dunno if squid
supports it.

Jason




Squid + ipfwadm redirect transparent problems

1997-08-21 Thread Jose Maria Omo Millan

Hello,

   I would like to redirect all www traffic from my LAN through the Squid server
   transparently. I use IP masquerading and besides that I do:

# Redirect to Squid proxy server
/sbin/ipfwadm -I -a acc -P tcp -D default/0 80 -r 8080

 This rule really does redirect the http requests of any PC to the squid server,
 but I always get the following error:

ERROR: The requested URL could not be retrieved
 While trying to retrieve the URL: /

 The following error was encountered:

Invalid URL syntax

 If I configure any browser to use the proxy server directly, all works fine.
 If I use IP masquerading without redirection to squid, all works fine.

 I suppose that the redirection or the Squid configuration is bad.

 Any suggestion will be very welcome.

 Thanks in advance

 Best Regards





José María Olmo Millán      SMTP address: [EMAIL PROTECTED]
Virtual Office, S.L.        Phone: +34-1-6896120
Plaza de la Tahona, 2 2A    Fax: +34-1-6896121
Leganés - Madrid - Spain    Mobile phone: +34-29-812825
E-28911



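Mike's explanation in the reply above, worked through as an added example rather than Squid's own code: after the `ipfwadm -r 8080` redirect the proxy receives the client's raw request, and what it can reconstruct depends entirely on what the client put in it. The three requests below are constructed, and the names parse_request and resolve_url and the RFC 5737 address are mine. A proxy-style request carries the whole URL, an HTTP/1.1 request names the server in its Host header, but a bare `GET / HTTP/1.0` carries nothing, which is the situation behind the "Invalid URL syntax" error in the thread. The only remaining source is the destination the client originally connected to, recovered from the redirected socket, and keying on that address is why Jason warns that a site served from several IPs gets cached several times over.

```python
# Three constructed requests as they would arrive at a proxy listening on 8080.
PROXY_STYLE = "GET http://www.example.com/index.html HTTP/1.0\r\n\r\n"
REDIRECTED_10 = "GET /index.html HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
REDIRECTED_11 = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def parse_request(raw):
    """Split the head of a raw HTTP request into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def resolve_url(raw, original_dst=None):
    """Reconstruct the URL a redirected request is for, or None if it cannot be known.

    original_dst is the (ip, port) the client really connected to. After an
    'ipfwadm -r' redirect that is only available from the accepting socket,
    never from the request text itself."""
    _, target, _, headers = parse_request(raw)
    if target.startswith("http://"):           # proxy-style request: the URL is right there
        return target
    if "host" in headers:                      # HTTP/1.1 Host header names the server
        return f"http://{headers['host']}{target}"
    if original_dst:                           # fall back to the socket's original destination
        ip, port = original_dst
        host = ip if port == 80 else f"{ip}:{port}"
        return f"http://{host}{target}"
    return None                                # bare 'GET / HTTP/1.0' with nothing to go on


if __name__ == "__main__":
    print(resolve_url(PROXY_STYLE))                          # the URL as sent
    print(resolve_url(REDIRECTED_11))                        # rebuilt from Host:
    print(resolve_url(REDIRECTED_10))                        # None: the 'Invalid URL syntax' case
    print(resolve_url(REDIRECTED_10, ("203.0.113.80", 80)))  # rebuilt from the socket destination
    print(resolve_url(REDIRECTED_10, ("203.0.113.81", 80)))  # same site, other IP: a second cache key
```

The last two lines are Jason's caveat in miniature: two requests for the same page on the same site come out as two different URLs once the address is the only thing the proxy has to go on.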
