Re: [gentoo-user] [OT] Routing advice requested

2005-07-18 Thread David Mallwitz

George Garvey wrote:

   I just installed a T1 to a new ISP using a Sangoma CSU/DSU card.
   I thought I could use aliased IPs on existing gigE NICS on our LAN
to set up the hosts that need an internet routable presence.
   Maybe that can be done, but not by me. I don't understand enough. I
can get it to work on the system with the T1. But not on another
computer over the LAN.

   On the system with the T1, I have a gigE to the LAN, and one of the
ISP's IPs for asterisk (as an alias to the T1). That works okay. It
worked okay with the ISP's IP as an alias to eth0, too.
   Edited output from ifconfig:
  (this is the gigE NIC connected to a switch for our LAN)
eth0  Link encap:Ethernet  HWaddr 00:07:E9:19:F3:F5  
  inet addr:192.168.1.17  Bcast:192.168.1.255  Mask:255.255.255.0


lo        Link encap:Local Loopback  
  inet addr:127.0.0.1  Mask:255.0.0.0


   (this is the T1. with the internet IP as an alias)
w1g1  Link encap:Point-to-Point Protocol  
  UP POINTOPOINT RUNNING NOARP  MTU:1532  Metric:1
w1g1ppp   Link encap:Point-to-Point Protocol  
  inet addr:209.101.232.82  P-t-P:209.101.232.81  Mask:255.255.255.252

  UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
w1g1ppp:0 Link encap:Point-to-Point Protocol  
  inet addr:216.132.251.226  P-t-P:216.132.251.226  Mask:255.255.255.224

  UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

   (this is the routing table [route -n])
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
216.132.251.227 0.0.0.0         255.255.255.255 UH    0      0   0   eth0
209.101.232.80  0.0.0.0         255.255.255.252 U     0      0   0   w1g1ppp
216.132.251.224 0.0.0.0         255.255.255.224 U     0      0   0   w1g1ppp
192.168.2.0     192.168.1.12    255.255.255.0   UG    0      0   0   eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0   0   lo
0.0.0.0         209.101.232.81  0.0.0.0         UG    0      0   0   w1g1ppp

   The problem I'm having is with an alias on another computer that
needs to be on the internet. It is the IP 216.132.251.227. Traffic
internal to our LAN is routed to the computer that has that alias
(192.168.1.6). But, traffic coming from the internet gets to 209.101.232.82
and stops according to traceroute.
   I'm too ignorant to understand why the host route doesn't work for
packets coming from the T1 (from the internet), and get sent to the
computer that handles that IP. This is the latest in a series of
attempts. I've also tried putting the 216.132.251.224 network on the
LAN. I've tried using the 216.132.251.227's LAN address (192.168.1.6)
as a gateway for the host route. I've tried removing the
216.132.251.224 network route entirely, and just having host routes.

   What I was hoping to do was have one computer (192.168.1.17)
connected to the ISP with a T1, and serve as a router for the ISP's
IPs. That would also be connected to the internet with one of the ISP's
IPs for use by asterisk (216.132.251.226). This seems to be working
okay.
   I wanted another computer (192.168.1.6) to have an aliased ISP IP
(216.132.251.227) that would let that computer also have an internet
routable address. This is what I don't seem to be able to do. The
computer with the T1 doesn't seem to route packets from the internet
to the other computer over our LAN. It does for packets originating
from our LAN. But not for packets from the internet.
   I know my error is going to be obvious to everyone who actually
understands this stuff ;) I hope I've given the info to make things
clear.
   I can set up a small Fast enet switch for the ISP's network, I
guess. But I was hoping not to need to do that, and add more NICs to
the computers that eventually need to be on the internet. But maybe
that is what I need to do.
   Any and all advice (including things to read to decrease my
ignorance) appreciated.


First, a little terminology hygiene - IP aliasing refers to having multiple 
addresses on a single physical interface; masquerading is the Linux 
terminology for Network Address Translation, which is what I think you want.


Look at your routing table. 216.132.251.224/27 is being routed back out 
over the interface it is coming in on, w1g1ppp. You are only able to 
access 216.132.251.227 from the internet because it is located on the 
same physical interface that is doing your routing.


My advice is to purchase another ethernet card, so you can physically 
separate the 216.132.251.224/27 and 192.168.1.0/24 networks. If asterisk 
has to exist on the router, then bind it to the 209.101.232.82 address. 
You'll also need to set up the iptables rules for NAT'ing your 
192.168.1.0/24 network.


Best,
Dave

--
gentoo-user@gentoo.org mailing list
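To see which interface the router picks for a given destination, here is an added example (not from the thread) that parses the `route -n` table George posted and performs the same longest-prefix match the kernel does; metrics are ignored, and the table text is copied from the post as constructed sample input.

```python
import ipaddress

# Routing table constructed from the `route -n` output in the post.
# Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
ROUTE_TABLE = """\
216.132.251.227 0.0.0.0         255.255.255.255 UH    0      0   0   eth0
209.101.232.80  0.0.0.0         255.255.255.252 U     0      0   0   w1g1ppp
216.132.251.224 0.0.0.0         255.255.255.224 U     0      0   0   w1g1ppp
192.168.2.0     192.168.1.12    255.255.255.0   UG    0      0   0   eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0   0   lo
0.0.0.0         209.101.232.81  0.0.0.0         UG    0      0   0   w1g1ppp
"""


def parse_routes(text):
    """Turn `route -n` body lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # skip headers or short/garbled lines
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = gw if "G" in flags else None  # no G flag: directly attached
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return {"prefix": str(net), "gateway": gw, "iface": iface}


def forwarded_out_ingress(routes, ingress_iface, dst):
    """True when a packet that arrived on ingress_iface would leave by it again."""
    r = lookup(routes, dst)
    return r is not None and r["iface"] == ingress_iface
```

Running `lookup` on 216.132.251.227 shows the /32 host route sending it to eth0, while any other address in 216.132.251.224/27 arriving from the T1 is sent straight back out w1g1ppp, which is the situation Dave describes.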



Re: [gentoo-user] [OT] What about a new file system subtree?

2006-02-20 Thread David Mallwitz

On Feb 18, 2006, at 10:52 AM, Rafael Fernández López wrote:


Hi,

	Since I have started a project that needs to be redistributed (it'll be GPL) I've started to deeply read Autoconf and Automake manuals.

	Well, I had read some of FHS too, to know what I should do and what I should not do with my file hierarchy.

	But, what came to my mind (maybe it's possible today) is that we could make a new "file system" subtree in every ~. For example, a user will be able to do a "./configure ; make" but if the system is well-administered a user won't be able to run a "make install", since it can cause problems to the system. (I know we, Gentoo users, don't care about that). But what I wanted to say is that if we are not root (typical case) we could do a "./configure ; make ; make install" (in an app called 'whatever') and it could create for example "/home/me/bin/whatever" and "/home/me/share/doc/whatever" or "/home/me/doc/whatever", and so on.

	That would be great since a normal user won't infect any root filesystem, and an administrator can fix any tricky problem deleting "/home/me".

Bye and thanks!,
Rafael Fernández López.


	You might want to check out Gobolinux, it's an unusual distro that  
breaks the FHS by making the file system into a version  
control system for installed packages. Gobolinux has a "rootless"  
option that lets an unprivileged user install software into their  
home directory using their package system. It can work in conjunction  
with any other distro, Gentoo included.

http://www.gobolinux.org/?page=rootless

Dave
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] OT - SSL certificate authorities

2005-11-15 Thread David Mallwitz

Antoine wrote:

Hi,
We are going to set up ssl on a webserver at work and I guess that means 
we need a certificate... does anyone have any useful alternatives to 
Verisign? Are they really worth the name?
We are not going to be doing any monetary transactions but our clients 
are very security conscious (who isn't!) and I have no experience in 
these matters. I am certain the boss will want verisign, as he buys a 
lot of stuff just for the name but if I can offer him a comparable 
alternative at a fraction of the cost he may go for it.

Cheers
Antoine


I prefer Geotrust (http://www.geotrust.com/) to Verisign for third party 
signed certificates. Remember that your web server must be properly 
configured (http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html) in 
order to offer any real security.


Best,
Dave

--
gentoo-user@gentoo.org mailing list