Re: [leaf-user] Routing to two servers
Yes, that is the entire block from the status option. Here is the log message:

  Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1 MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00 SRC=66.41.184.127 DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0

JamesS

At 01:35 PM 2/24/2004 -0800, Tom Eastep wrote:
> On Tue, 24 Feb 2004, JamesSturdevant wrote:
>
> > I am trying to get two IPs on one interface to route to two different
> > web servers. I am using Shorewall 1.4.2 on LEAF Bering. I have two IP
> > addresses on my network interface:
> >
> >   eth0    xx.yyy.zz.10
> >   eth0:0  xx.yyy.zz.11
> >
> > I am trying to route port 80 from each of them to different machines
> > and changing the port on one. This is what I have in my rules file:
> >
> >   DNAT  net  loc:172.16.201.90:8081  tcp  80    -  xx.yyy.zz.11
> >   DNAT  net  loc:172.16.201.90       tcp  8081  -  xx.yyy.zz.11
> >   DNAT  net  loc:172.16.201.9        tcp  80    -  xx.yyy.zz.10
> >
> > I can get to my web server on xx.yyy.zz.10 and to my server on
> > xx.yyy.zz.11 if I use port 8081 but not when I use port 80. The
> > shorewall.log file shows a DROP from net2all when port 80 is used.
>
> May we see one of these messages?
>
> > Shorewall status shows this for net2loc:
> >
> >   Chain net2loc (1 references)
> >    pkts bytes target     prot opt in  out source     destination
> >    4886 2563K ACCEPT     all  --  *   *   0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
> >       0     0 newnotsyn  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0      state NEW tcp flags:!0x16/0x02
> >       0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0  172.16.201.90  state NEW tcp dpt:8081
> >       0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0  172.16.201.90  state NEW tcp dpt:8081
> >      20   960 ACCEPT     tcp  --  *   *   0.0.0.0/0  172.16.201.9   state NEW tcp dpt:80
> >       5   328 net2all    all  --  *   *   0.0.0.0/0  0.0.0.0/0
> >
> >   Chain net_dnat (1 references)
> >    pkts bytes target  prot opt in  out source     destination
> >       0     0 DNAT    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0     tcp dpt:8081 to:172.16.201.90
> >       0     0 DNAT    tcp  --  *   *   0.0.0.0/0  xx.yyy.zz.11  tcp dpt:80 to:172.16.201.90:8081
> >      20   960 DNAT    tcp  --  *   *   0.0.0.0/0  xx.yyy.zz.10  tcp dpt:80 to:172.16.201.9
>
> Does the above show the entire contents of each chain?
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ [EMAIL PROTECTED]

---
SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Routing to two servers
On Wednesday 25 February 2004 06:13 am, JamesSturdevant wrote:
> Yes, that is the entire block from the status option. Here is the log message:
>
>   Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1 MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00 SRC=66.41.184.127 DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0

Please follow the instructions at http://www.shorewall.net/support.htm under the paragraph beginning THIS IS IMPORTANT! in bold type.

Thanks,
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
[leaf-user] Tinydns to block adware/spyware
Has anyone tried using tinydns to block HTTP requests to ad-tracking sites, adware, and spyware?

I had a play at using tinydns's private zone file to block domain names from a list of known trackers I have (I currently keep this list in /etc/hosts on various machines). I couldn't get it to work because (I think) I couldn't get tinydns to consider itself authoritative for these domains in terms of DNS requests from my network clients.

So, for example, I tried adding entries like this to the private zones file:

  =www2.doubleclick.com:127.0.0.1

That didn't stop tinydns resolving the name correctly, so I trawled around and found DJB saying that you need to set up your DNS server as a SOA for other domains. That's where it gets a whole lot more complex! I did try:

  .doubleclick.com::localhost
  =www2.doubleclick.com:127.0.0.1

but that didn't work either.

Anyone had a go at this? I'm happy to share my hosts file with anyone that wants it, but it needs editing as it blocks a range of sites that some folks might not be bothered about.

--
Lee Kimber
Track what Linux users are saying about Microsoft
http://www.kimberconsulting.com/linux_news.htm
Re: [leaf-user] Tinydns and VHosts in DMZ
* Sak [EMAIL PROTECTED] [2004:02:24:23:48:22-0800] scribed:
> Hey everyone,
>
> I'm having a little trouble with accessing virtual hosts in my DMZ. I've set up tinydns and it handles the primary DNS stuff (requests for 102010.org) just fine. But when I try to access the other domain either inside, or outside the network, I get a "...could not be found." response.
>
> In my tinydns-private file, I've got the following for the DMZ, and the sites that I'm hosting...
>
>   .2.168.192.in-addr.arpa::ns1.102010.org
>   =demian.102010.org:192.168.2.2
>   +www.102010.org:192.168.2.2
>   +www.adreamcreation.org:192.168.2.2
>
> My tinydns-public file looks like this...
>
>   .102010.org::ns1.102010.org
>   .38.231.216.in-addr.arpa::ns1.102010.org
>   @102010.org::demian.102010.org
>   =gw.102010.org:216.231.38.127
>   +ns1.102010.org:216.231.38.127
>   +ns2.102010.org:216.231.38.127
>   =demian.102010.org:216.231.38.127
>   +www.102010.org:216.231.38.127
>   +www.adreamcreation.org:216.231.38.127

<snip />

What does dnscache tell you?

  tail -f /var/log/dnscache/current | tai64nlocal

One (1) name and two (2) addresses -- that is probably not what you want.

Do these DMZ hosts have two (2) interfaces? If so, what is the domain of your private LAN?

  =demian.private.network:192.168.2.2

If not, then ditch the /etc/tinydns-private/root/data stuff, and access your DMZ hosts the same way I would:

  ssh -X demian.102010.org

hth

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
Re: [leaf-user] Tinydns to block adware/spyware
* Lee Kimber [EMAIL PROTECTED] [2004:02:25:09:21:18-0800] scribed:
> Has anyone tried using tinydns to block HTTP requests to ad-tracking sites, adware, and spyware?
>
> I had a play at using tinydns's private zone file to block domain names from a list of known trackers I have (I currently keep this list in /etc/hosts on various machines). I couldn't get it to work because (I think) I couldn't get tinydns to consider itself authoritative for these domains in terms of DNS requests from my network clients.
>
> So, for example, I tried adding entries like this to the private zones file:
>
>   =www2.doubleclick.com:127.0.0.1
>
> That didn't stop tinydns resolving the name correctly, so I trawled around and found DJB saying that you need to set up your DNS server as a SOA for other domains. That's where it gets a whole lot more complex! I did try:
>
>   .doubleclick.com::localhost
>   =www2.doubleclick.com:127.0.0.1
>
> but that didn't work either.
>
> Anyone had a go at this?

<snip />

Is this what you want?

  http://cr.yp.to/djbdns/dot-local.html

hth

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
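The recipe mds points to (dot-local.html) has two halves that Lee's attempt covers only one of: tinydns has to be authoritative for each blocked zone (the `.zone:ip:ns` line), and dnscache has to be told to send queries for that zone to tinydns instead of the public servers (a `root/servers/<zone>` file under the dnscache service directory containing tinydns's address). The following is an added example, not code from the thread or from djbdns: it turns a hosts-style blocklist into both sets of lines. The sample blocklist is constructed; the tinydns address (127.0.0.1), the sink address, the nameserver name `ns.blackhole.invalid`, and the "last two labels" rule for choosing the zone to take over are all assumptions for the example, and the last one would need a public-suffix list in a real deployment.

```python
"""Hosts-style blocklist -> tinydns data lines + dnscache root/servers files.

Added example, not part of the leaf-user thread or of djbdns.  Follows the
dot-local recipe: make tinydns authoritative for each blocked zone, and
point dnscache at tinydns for that zone.  All addresses/names are assumed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of the /etc/hosts-style list Lee describes (not his file).
SAMPLE_HOSTS = """\
# tracker blocklist
127.0.0.1  www2.doubleclick.com
127.0.0.1  ad.doubleclick.net
0.0.0.0    media.fastclick.net  # alternate sink address
127.0.0.1 localhost
"""

HOST_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+)")


def parse_hosts(text: str) -> List[str]:
    """Host names from a hosts-style list; comments and 'localhost' are skipped
    (we must never take over localhost)."""
    names: List[str] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(2).lower() != "localhost":
            names.append(m.group(2).lower().rstrip("."))
    return names


def zone_of(name: str) -> str:
    """Zone to become authoritative for: the last two labels.  Assumption that
    suits the sample; co.uk-style suffixes need a public-suffix list."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def build(hosts_text: str, tinydns_ip: str = "127.0.0.1",
          ns_name: str = "ns.blackhole.invalid",
          sink: str = "127.0.0.1") -> Tuple[List[str], Dict[str, str]]:
    """Return (tinydns data lines, {dnscache root/servers/<zone>: file body}).

    tinydns_ip must be the address tinydns actually listens on and that
    dnscache can reach; 127.0.0.1 is only the example's assumption."""
    names = parse_hosts(hosts_text)
    zones = sorted({zone_of(n) for n in names})
    data: List[str] = []
    servers: Dict[str, str] = {}
    for z in zones:
        # '.zone:ip:ns' emits SOA + NS (and an A record for ns) so tinydns
        # answers authoritatively for the whole zone instead of ignoring it.
        data.append(f".{z}:{tinydns_ip}:{ns_name}")
        # Wildcard: every sub-host of the zone goes to the sink, listed or not.
        data.append(f"+*.{z}:{sink}")
        # dnscache forwards the zone to tinydns only if this file exists.
        servers[f"root/servers/{z}"] = tinydns_ip + "\n"
    for n in sorted(set(names)):
        data.append(f"={n}:{sink}")  # explicit host entry, also gives a PTR
    return data, servers


if __name__ == "__main__":
    lines, files = build(SAMPLE_HOSTS)
    print("\n".join(lines))
    for path, body in files.items():
        print(f"{path}: {body.strip()}")
```

The data lines go into tinydns's `data` file (then `make` in that directory as usual), and each `root/servers/<zone>` file is written into the dnscache service directory, after which dnscache has to be restarted to pick them up. Without the second half, dnscache keeps resolving `www2.doubleclick.com` from the public servers, which is the behaviour Lee saw.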
Re: [leaf-user] Tinydns and VHosts in DMZ
On Wed, Feb 25, 2004 at 12:21:01PM -0600, Michael D Schleif wrote:
> What does dnscache tell you?
>
>   tail -f /var/log/dnscache/current | tai64nlocal

Here's the output...

  gw: -root- # tail -f /var/log/dnscache/current | tai64nlocal
  2004-02-25 10:37:12.109829500 stats 2428 1269339 1 0
  2004-02-25 10:37:12.109832500 cached 1 tld1.ultradns.net.
  2004-02-25 10:37:12.109835500 cached 1 tld2.ultradns.net.
  2004-02-25 10:37:12.109838500 tx 0 1 www.adreamcreation.org. org. cc4a7001 cc4a7101
  2004-02-25 10:37:12.172382500 nxdomain cc4a7001 3600 www.adreamcreation.org.
  2004-02-25 10:37:12.172389500 sent 2428 40
  2004-02-25 10:37:12.172867500 query 2429 c0a80105:8091:d4be 1 www.adreamcreation.org.102010.org.
  2004-02-25 10:37:12.172874500 tx 0 1 www.adreamcreation.org.102010.org. 102010.org. 7f01
  2004-02-25 10:37:12.173552500 nxdomain 7f01 2560 www.adreamcreation.org.102010.org.
  2004-02-25 10:37:12.173558500 sent 2429 51

> One (1) name and two (2) addresses -- that is probably not what you want.

I don't understand what you mean here.

> Do these DMZ hosts have two (2) interfaces?

The DMZ host has a single interface.

> If so, what is the domain of your private LAN?
>
>   =demian.private.network:192.168.2.2

The contents of my /etc/tinydns-private/env/DOMAINS file is...

  1.168.192.in-addr.arpa
  102010.org

Do I need to specify a different domain for the DMZ? Do I need to include the virtual domains in this file?

There's no problem accessing the DMZ host under any of the .102010.org names. All the services go through just fine. The only problem is when I attempt to access a vhost by name.

--
Thanks,
Sak.
Re: [leaf-user] Routing to two servers
On Wed, 25 Feb 2004, JamesSturdevant wrote:
> OK, I've attached the full status report, the failure listed in shorewall.log, and a copy of the rules file. I hope this helps.
>
> JamesS
>
> At 08:00 AM 2/25/2004 -0800, Tom Eastep wrote:
> > On Wednesday 25 February 2004 06:13 am, JamesSturdevant wrote:
> > > Yes, that is the entire block from the status option. Here is the log message:
> > >
> > >   Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1 MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00 SRC=66.41.184.127 DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0
> >
> > Please follow the instructions at http://www.shorewall.net/support.htm under the paragraph beginning THIS IS IMPORTANT! in bold type.

Set NAT_BEFORE_RULES=No in shorewall.conf. Since you have a one-to-one NAT entry and NAT_BEFORE_RULES=Yes, the one-to-one NAT entry is taking precedence.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
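Tom's one-line diagnosis is worth seeing mechanically, because the logged packet is the fingerprint of it: the drop is for DST=172.16.201.90 DPT=80, an address that only appears after translation, with a port the DNAT rule should have changed to 8081. The following is an added example, not Shorewall's code: a small model of first-match evaluation in the nat PREROUTING chain, built from the net_dnat rules in James's status output plus the one-to-one nat entry Tom refers to (assumed here to map xx.yyy.zz.11 to 172.16.201.90, since the attached nat file is not on the page), followed by the net2loc filter chain from the same output. Shorewall emits the nat file's rules before or after the rules-file DNATs according to NAT_BEFORE_RULES; iptables stops at the first matching nat rule.

```python
"""Why NAT_BEFORE_RULES=Yes drops the port-80 request in the thread.

Added example; not Shorewall code.  It models only first-match semantics in
the nat PREROUTING chain and the net2loc filter chain as printed by
'shorewall status' in the thread.  The one-to-one nat entry
(xx.yyy.zz.11 -> 172.16.201.90) is assumed from Tom's diagnosis; the
attached nat file is not on the page.  Addresses are the thread's.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# (description, match predicate, rewrite applied when matched)
NatRule = Tuple[str, Callable[[Packet], bool], Callable[[Packet], Packet]]


def dnat_rules() -> List[NatRule]:
    """The net_dnat chain from the status output (rules-file DNAT entries)."""
    return [
        ("DNAT tcp dpt:8081 -> 172.16.201.90",
         lambda p: p.proto == "tcp" and p.dport == 8081,
         lambda p: replace(p, dst="172.16.201.90")),
        ("DNAT xx.yyy.zz.11 tcp dpt:80 -> 172.16.201.90:8081",
         lambda p: p.proto == "tcp" and p.dst == "xx.yyy.zz.11" and p.dport == 80,
         lambda p: replace(p, dst="172.16.201.90", dport=8081)),
        ("DNAT xx.yyy.zz.10 tcp dpt:80 -> 172.16.201.9",
         lambda p: p.proto == "tcp" and p.dst == "xx.yyy.zz.10" and p.dport == 80,
         lambda p: replace(p, dst="172.16.201.9")),
    ]


def one_to_one_nat_rules() -> List[NatRule]:
    """Assumed /etc/shorewall/nat entry: xx.yyy.zz.11 eth0 172.16.201.90.
    One-to-one NAT rewrites the address only; the port is left alone."""
    return [
        ("1:1 NAT xx.yyy.zz.11 -> 172.16.201.90",
         lambda p: p.dst == "xx.yyy.zz.11",
         lambda p: replace(p, dst="172.16.201.90")),
    ]


def prerouting_chain(nat_before_rules: bool) -> List[NatRule]:
    """Order of the generated nat PREROUTING rules under each setting."""
    if nat_before_rules:
        return one_to_one_nat_rules() + dnat_rules()
    return dnat_rules() + one_to_one_nat_rules()


def run_nat(pkt: Packet, chain: List[NatRule]) -> Tuple[Packet, Optional[str]]:
    """iptables nat: the first matching rule rewrites the packet and ends the chain."""
    for name, match, rewrite in chain:
        if match(pkt):
            return rewrite(pkt), name
    return pkt, None


def net2loc_verdict(pkt: Packet) -> str:
    """The net2loc filter chain from the status output, for NEW packets."""
    if pkt.proto == "tcp" and pkt.dst == "172.16.201.90" and pkt.dport == 8081:
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dst == "172.16.201.9" and pkt.dport == 80:
        return "ACCEPT"
    return "net2all:DROP"  # falls through to the policy chain, which logs and drops


def trace(pkt: Packet, nat_before_rules: bool) -> dict:
    """Translate, then filter, and report what happened."""
    after_nat, rule = run_nat(pkt, prerouting_chain(nat_before_rules))
    return {"nat_rule": rule, "dst": after_nat.dst, "dport": after_nat.dport,
            "verdict": net2loc_verdict(after_nat)}


if __name__ == "__main__":
    syn = Packet(src="66.41.184.127", dst="xx.yyy.zz.11", dport=80)  # the logged SYN
    for setting in (True, False):
        print(f"NAT_BEFORE_RULES={'Yes' if setting else 'No'}: {trace(syn, setting)}")
```

With NAT_BEFORE_RULES=Yes the one-to-one entry fires first, the packet leaves PREROUTING as 172.16.201.90:80, and net2loc has no ACCEPT for that, so it falls into net2all and is logged exactly as in James's log line. With No, the rules-file DNAT sees xx.yyy.zz.11:80 first and forwards it to :8081, which net2loc accepts. The xx.yyy.zz.10 server was unaffected either way because no one-to-one entry matched it.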
Re: [leaf-user] Tinydns and VHosts in DMZ
* Sak [EMAIL PROTECTED] [2004:02:25:10:50:47-0800] scribed:
> On Wed, Feb 25, 2004 at 12:21:01PM -0600, Michael D Schleif wrote:
> > What does dnscache tell you?
> >
> >   tail -f /var/log/dnscache/current | tai64nlocal
>
> Here's the output...
>
>   gw: -root- # tail -f /var/log/dnscache/current | tai64nlocal
>   2004-02-25 10:37:12.109829500 stats 2428 1269339 1 0
>   2004-02-25 10:37:12.109832500 cached 1 tld1.ultradns.net.
>   2004-02-25 10:37:12.109835500 cached 1 tld2.ultradns.net.
>   2004-02-25 10:37:12.109838500 tx 0 1 www.adreamcreation.org. org. cc4a7001 cc4a7101
>   2004-02-25 10:37:12.172382500 nxdomain cc4a7001 3600 www.adreamcreation.org.
>   2004-02-25 10:37:12.172389500 sent 2428 40
>   2004-02-25 10:37:12.172867500 query 2429 c0a80105:8091:d4be 1 www.adreamcreation.org.102010.org.
>   2004-02-25 10:37:12.172874500 tx 0 1 www.adreamcreation.org.102010.org. 102010.org. 7f01
>   2004-02-25 10:37:12.173552500 nxdomain 7f01 2560 www.adreamcreation.org.102010.org.
>   2004-02-25 10:37:12.173558500 sent 2429 51
>
> > One (1) name and two (2) addresses -- that is probably not what you want.
>
> I don't understand what you mean here.

First of all, adreamcreation.org is *NOT* delegated to you, no matter what whois says:

  # dnsqr any adreamcreation.org
  255 adreamcreation.org:
  36 bytes, 1+0+0+0 records, response, authoritative, nxdomain
  query: 255 adreamcreation.org

  # dnsqr ns adreamcreation.org
  2 adreamcreation.org:
  36 bytes, 1+0+0+0 records, response, authoritative, nxdomain
  query: 2 adreamcreation.org

Domain 102010.org appears to be set up properly. You must understand the concept of `nxdomain'.

Second, your original examples:

> In my tinydns-private file, I've got the following for the DMZ, and the sites that I'm hosting...
>
>   .2.168.192.in-addr.arpa::ns1.102010.org
>   =demian.102010.org:192.168.2.2
>   +www.102010.org:192.168.2.2
>   +www.adreamcreation.org:192.168.2.2
>
> My tinydns-public file looks like this...
>
>   .102010.org::ns1.102010.org
>   .38.231.216.in-addr.arpa::ns1.102010.org
>   @102010.org::demian.102010.org
>   =gw.102010.org:216.231.38.127
>   +ns1.102010.org:216.231.38.127
>   +ns2.102010.org:216.231.38.127
>   =demian.102010.org:216.231.38.127
>   +www.102010.org:216.231.38.127
>   +www.adreamcreation.org:216.231.38.127

show the `One (1) name and two (2) addresses' malady:

                      / .2.168.192.in-addr.arpa
  ns1.102010.org
                      \ .38.231.216.in-addr.arpa

                      / 192.168.2.2
  demian.102010.org
                      \ 216.231.38.127

This is not readily accomplished.

> > Do these DMZ hosts have two (2) interfaces?
>
> The DMZ host has a single interface.

Your DNS host probably has two interfaces. tinydns-private *MUST* be associated with the private interface, and tinydns-public *MUST* be associated with the public interface.

Your DMZ host has one (1) interface; therefore, you will have better success if you limit that interface to one (1) address.

> > If so, what is the domain of your private LAN?
> >
> >   =demian.private.network:192.168.2.2
>
> The contents of my /etc/tinydns-private/env/DOMAINS file is...
>
>   1.168.192.in-addr.arpa
>   102010.org

<snip />

This is going to be a major problem.

First, look closely at the above, and you will see that you are specifying two (2) private networks:

  1.168.192.in-addr.arpa
  192.168.2.2

Second, since 102010.org is a *public* domain:

  # dnsq any 102010.org a.root-servers.net
  255 102010.org:
  110 bytes, 1+0+2+2 records, response, noerror
  query: 255 102010.org
  authority: org 172800 NS tld1.ultradns.net
  authority: org 172800 NS tld2.ultradns.net
  additional: tld1.ultradns.net 172800 A 204.74.112.1
  additional: tld2.ultradns.net 172800 A 204.74.113.1

By definition, a.root-servers.net *CANNOT* know anything about your private network.

--
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
[leaf-user] Three-interface Bering sample
Hi. Can someone point me to the current three-interface Shorewall config for Bering 2 and Shorewall 1.4.9?

Thanks.

David Pitts
IT Services Manager
Reid Library
University of Western Australia
Telephone: (08) 6488 3492
Fax: (08) 6488 1012