Re: [leaf-user] Routing to two servers

2004-02-25 Thread JamesSturdevant
Yes, that is the entire block from the status option. Here is the log message:

Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1 
MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00  SRC=66.41.184.127 
DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP 
SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0

JamesS
At 01:35 PM 2/24/2004 -0800, Tom Eastep wrote:
On Tue, 24 Feb 2004, JamesSturdevant wrote:

 I am trying to get two IPs on one interface to route to two different
 web servers. I am using Shorewall 1.4.2 on LEAF Bering.

 I have two IP addresses on my network interface:
 eth0   xx.yyy.zz.10
 eth0:0 xx.yyy.zz.11

 I am trying to route port 80 from each of them to different
 machines and changing the port on one.  This is what I have
 in my rules file:

 DNAT   net   loc:172.16.201.90:8081   tcp   80     -   xx.yyy.zz.11
 DNAT   net   loc:172.16.201.90        tcp   8081   -   xx.yyy.zz.11

 DNAT   net   loc:172.16.201.9         tcp   80     -   xx.yyy.zz.10

 I can get to my web server on xx.yyy.zz.10 and to my server on
 xx.yyy.zz.11 if I use port 8081 but not when I use port 80. The
 shorewall.log file shows a DROP from net2all when port 80 is used.

May we see one of these messages?

 Shorewall status shows this for net2loc:

 Chain net2loc (1 references)
  pkts bytes target     prot opt in  out  source     destination
  4886 2563K ACCEPT     all  --  *   *    0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
     0     0 newnotsyn  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0      state NEW tcp flags:!0x16/0x02
     0     0 ACCEPT     tcp  --  *   *    0.0.0.0/0  172.16.201.90  state NEW tcp dpt:8081
     0     0 ACCEPT     tcp  --  *   *    0.0.0.0/0  172.16.201.90  state NEW tcp dpt:8081
    20   960 ACCEPT     tcp  --  *   *    0.0.0.0/0  172.16.201.9   state NEW tcp dpt:80
     5   328 net2all    all  --  *   *    0.0.0.0/0  0.0.0.0/0

 Chain net_dnat (1 references)
  pkts bytes target prot opt in  out  source     destination
     0     0 DNAT   tcp  --  *   *    0.0.0.0/0  0.0.0.0/0      tcp dpt:8081 to:172.16.201.90
     0     0 DNAT   tcp  --  *   *    0.0.0.0/0  xx.yyy.zz.11   tcp dpt:80 to:172.16.201.90:8081
    20   960 DNAT   tcp  --  *   *    0.0.0.0/0  xx.yyy.zz.10   tcp dpt:80 to:172.16.201.9


Does the above show the entire contents of each chain?

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps  Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html






Re: [leaf-user] Routing to two servers

2004-02-25 Thread Tom Eastep
On Wednesday 25 February 2004 06:13 am, JamesSturdevant wrote:
 Yes, that is the entire block from the status option. Here is the log message:

 Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1
 MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00  SRC=66.41.184.127
 DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP
 SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0

Please follow the instructions at http://www.shorewall.net/support.htm under 
the paragraph beginning THIS IS IMPORTANT! in bold type.

Thanks,
-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]






[leaf-user] Tinydns to block adware/spyware

2004-02-25 Thread Lee Kimber
Has anyone tried using tinydns to block HTTP requests to ad-tracking sites, adware, 
and spyware?

I had a play at using tinydns's private zone file to block domain names from a list of 
known trackers I have (I currently keep this list in /etc/hosts on various machines).

I couldn't get it to work because (I think) I couldn't get tinydns to consider itself 
authoritative for these domains in terms of DNS requests from my network clients.

So, for example, I tried adding entries like this to the private zones file:

=www2.doubleclick.com:127.0.0.1

That didn't stop tinydns resolving the name correctly so I trawled around and found 
DJB saying that you need to set up your DNS server as a SOA for other domains. That's 
where it gets a whole lot more complex!

I did try:
.doubleclick.com::localhost
=www2.doubleclick.com:127.0.0.1

but that didn't work either. Anyone had a go at this?

I'm happy to share my hosts file with anyone that wants it but it needs editing as it 
blocks a range of sites that some folks might not be bothered about.



-- 

Lee Kimber
Track what Linux users are saying about Microsoft
http://www.kimberconsulting.com/linux_news.htm





Re: [leaf-user] Tinydns and VHosts in DMZ

2004-02-25 Thread Michael D Schleif
* Sak [EMAIL PROTECTED] [2004:02:24:23:48:22-0800] scribed:
 Hey everyone,
 
 I'm having a little trouble with accessing virtual hosts in my DMZ.
 I've setup tinydns and it handles the primary DNS stuff (requests for
 102010.org) just fine.  But when I try to access the other domain
 either inside, or outside the network, I get a ...could not be
 found. response.
 
 In my tinydns-private file, I've got the following for the DMZ, and
 the sites that I'm hosting...
 
 .2.168.192.in-addr.arpa::ns1.102010.org
 =demian.102010.org:192.168.2.2 
 +www.102010.org:192.168.2.2
 +www.adreamcreation.org:192.168.2.2
 
 My tinydns-public file looks like this...
 
 .102010.org::ns1.102010.org
 .38.231.216.in-addr.arpa::ns1.102010.org
 
 @102010.org::demian.102010.org
 =gw.102010.org:216.231.38.127
 +ns1.102010.org:216.231.38.127
 +ns2.102010.org:216.231.38.127

 =demian.102010.org:216.231.38.127
 +www.102010.org:216.231.38.127
 +www.adreamcreation.org:216.231.38.127
snip /

What does dnscache tell you?

   tail -f /var/log/dnscache/current | tai64nlocal

One (1) name and two (2) addresses -- that is probably not what you
want.

Do these DMZ hosts have two (2) interfaces?

If so, what is the domain of your private LAN?

   =demian.private.network:192.168.2.2

If not, then ditch the /etc/tinydns-private/root/data stuff, and access
your DMZ hosts the same way I would:

   ssh -X demian.102010.org

hth

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--




Re: [leaf-user] Tinydns to block adware/spyware

2004-02-25 Thread Michael D Schleif
* Lee Kimber [EMAIL PROTECTED] [2004:02:25:09:21:18-0800] scribed:
 Has anyone tried using tinydns to block HTTP requests to ad-tracking
 sites, adware, and spyware?
 
 I had a play at using tinydns's private zone file to block domain
 names from a list of known trackers I have (I currently keep this list
 in /etc/hosts on various machines).
 
 I couldn't get it to work because (I think) I couldn't get tinydns to
 consider itself authoritative for these domains in terms of DNS requests
 from my network clients.
 
 So, for example, I tried adding entries like this to the private zones
 file:
 
 =www2.doubleclick.com:127.0.0.1
 
 That didn't stop tinydns resolving the name correctly so I trawled
 around and found DJB saying that you need to set up your DNS server as
 a SOA for other domains. That's where it gets a whole lot more
 complex!
 
 I did try:
 .doubleclick.com::localhost
 =www2.doubleclick.com:127.0.0.1
 
 but that didn't work either. Anyone had a go at this?
snip /

Is this what you want?

   http://cr.yp.to/djbdns/dot-local.html

hth

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
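The dot-local recipe mds points to (a separate tinydns that serves only local zones, with dnscache told to forward those zones to it through files under root/servers/) also fits the blocklist Lee describes. The following is an added example, not code from the thread or from djbdns: it turns a hosts-style list into the tinydns data lines for that blocking instance plus the dnscache root/servers files that steer queries to it. The tinydns address 192.168.1.2 and the tracker.example.net entry are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in /etc/hosts style, standing in for a tracker list.
HOSTS_BLOCKLIST = """\
127.0.0.1 localhost
127.0.0.1 www2.doubleclick.com
127.0.0.1 ad.doubleclick.com
0.0.0.0   tracker.example.net   # constructed name, not from the thread
"""

BLOCK_TINYDNS_IP = "192.168.1.2"   # assumed address of the blocking tinydns
SINK_IP = "127.0.0.1"              # where blocked names are pointed

def parse_hosts(text):
    """Hostnames listed in a hosts-style file, ignoring comments and localhost."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        names.update(h.lower() for h in hosts if h.lower() != "localhost")
    return names

def registrable_zone(name):
    """Last two labels (tracker.example.net -> example.net).  Good enough for a
    blocklist; it is not a public-suffix-list lookup."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name

def build_block_config(hostnames, ns_ip=BLOCK_TINYDNS_IP, sink=SINK_IP):
    """Return (tinydns data lines, {dnscache servers file: tinydns IP}).
    Each blocked zone gets a '.' line, which makes the blocking tinydns
    authoritative for it (NS + SOA + A for a.ns.<zone>), and every listed
    host gets a '+' A record pointing at the sink address."""
    zones = defaultdict(set)
    for h in hostnames:
        zones[registrable_zone(h)].add(h)
    data, servers = [], {}
    for zone in sorted(zones):
        data.append(f".{zone}:{ns_ip}:a")
        for h in sorted(zones[zone]):
            data.append(f"+{h}:{sink}")
        # dnscache reads the IPs in root/servers/<zone>, one per line
        servers[f"root/servers/{zone}"] = ns_ip
    return data, servers
```

Because the blocking tinydns holds the SOA for each listed zone, any name under that zone that is not in the data file gets an authoritative NXDOMAIN rather than being resolved normally, so a whole-zone entry blocks more than the hosts file did.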




Re: [leaf-user] Tinydns and VHosts in DMZ

2004-02-25 Thread Sak
On Wed, Feb 25, 2004 at 12:21:01PM -0600, Michael D Schleif wrote:
 What does dnscache tell you?
 
tail -f /var/log/dnscache/current | tai64nlocal

Here's the output...

gw: -root-
# tail -f /var/log/dnscache/current | tai64nlocal
2004-02-25 10:37:12.109829500 stats 2428 1269339 1 0
2004-02-25 10:37:12.109832500 cached 1 tld1.ultradns.net.
2004-02-25 10:37:12.109835500 cached 1 tld2.ultradns.net.
2004-02-25 10:37:12.109838500 tx 0 1 www.adreamcreation.org. org. cc4a7001 cc4a7101
2004-02-25 10:37:12.172382500 nxdomain cc4a7001 3600 www.adreamcreation.org.
2004-02-25 10:37:12.172389500 sent 2428 40
2004-02-25 10:37:12.172867500 query 2429 c0a80105:8091:d4be 1 www.adreamcreation.org.102010.org.
2004-02-25 10:37:12.172874500 tx 0 1 www.adreamcreation.org.102010.org. 102010.org. 7f01
2004-02-25 10:37:12.173552500 nxdomain 7f01 2560 www.adreamcreation.org.102010.org.
2004-02-25 10:37:12.173558500 sent 2429 51

 One (1) name and two (2) addresses -- that is probably not what you
 want.

I don't understand what you mean here.

 Do these DMZ hosts have two (2) interfaces?

The DMZ host has a single interface.

 If so, what is the domain of your private LAN?
 
=demian.private.network:192.168.2.2

The contents of my /etc/tinydns-private/env/DOMAINS file is...

1.168.192.in-addr.arpa
102010.org

Do I need to specify a different domain for the DMZ?  Do I need to
include the virtual domains in this file?

There's no problem accessing the DMZ host under any of the .102010.org
names.  All the services go through just fine.  The only problem is
when I attempt to access a vhost by name.

-- 
Thanks,
Sak.
-




Re: [leaf-user] Routing to two servers

2004-02-25 Thread Tom Eastep
On Wed, 25 Feb 2004, JamesSturdevant wrote:

 OK, I've attached the full status report, the failure listed in
 shorewall.log, and a copy of the rules file. I hope this helps.

 JamesS

 At 08:00 AM 2/25/2004 -0800, Tom Eastep wrote:
 On Wednesday 25 February 2004 06:13 am, JamesSturdevant wrote:
   Yes, that is the entire block from the status option. Here is the log message:
  
   Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1
   MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00  SRC=66.41.184.127
   DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP
   SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0
 
 Please follow the instructions at http://www.shorewall.net/support.htm under
 the paragraph beginning THIS IS IMPORTANT! in bold type.
 

Set NAT_BEFORE_RULES=No in shorewall.conf. Since you have a one-to-one NAT
entry and NAT_BEFORE_RULES=Yes, the one-to-one NAT entry is taking
precedence.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
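The log line itself shows why the packet reached net2all: it arrives at the filter with DST already rewritten to 172.16.201.90 but DPT still 80, so none of the net2loc ACCEPT rules (which want dpt:8081 for that host) match, and it falls through to the net2all policy. Here is an added Python example, not code from the thread or from Shorewall, that parses the netfilter-style log record and checks it against the (destination, port) pairs net2loc accepts; the log line and rule list are copied from the status output above.

```python
import re

# Constructed test input: the net2all DROP record quoted in this thread.
LOG_LINE = ("Feb 25 08:06:47 vpnserver Shorewall:net2all:DROP: IN=eth0 OUT=eth1 "
            "MAC=00:20:af:9a:ef:f7:00:00:c5:97:bf:4c:08:00 SRC=66.41.184.127 "
            "DST=172.16.201.90 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=8084 DF PROTO=TCP "
            "SPT=3155 DPT=80 SEQ=3326239879 ACK=0 WINDOW=16384 SYN URGP=0")

# (destination, dport) pairs from the ACCEPT rules of the net2loc chain.
NET2LOC_ACCEPTS = [("172.16.201.90", 8081), ("172.16.201.90", 8081),
                   ("172.16.201.9", 80)]

_HDR = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")

def parse_shorewall_log(line):
    """Parse a Shorewall (netfilter LOG) line into a dict.  KEY=VALUE tokens
    become entries; bare tokens such as DF and SYN become True flags."""
    m = _HDR.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in line[m.end():].split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True
    for k in ("SPT", "DPT", "LEN", "TTL"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec

def matching_accepts(rec, accepts):
    """Return the ACCEPT rules a logged TCP SYN would have matched.  An empty
    list means the packet fell through to the chain's policy (here net2all)."""
    if rec.get("PROTO") != "TCP" or rec.get("SYN") is not True:
        return []
    return [(d, p) for d, p in accepts if d == rec["DST"] and p == rec["DPT"]]
```

Re-running the check with DPT set to 8081, the port the DNAT rule was meant to rewrite, matches the net2loc rules, which is the translation that the one-to-one NAT entry pre-empted.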




Re: [leaf-user] Tinydns and VHosts in DMZ

2004-02-25 Thread Michael D Schleif
* Sak [EMAIL PROTECTED] [2004:02:25:10:50:47-0800] scribed:
 On Wed, Feb 25, 2004 at 12:21:01PM -0600, Michael D Schleif wrote:
  What does dnscache tell you?
  
 tail -f /var/log/dnscache/current | tai64nlocal
 
 Here's the output...
 
 gw: -root-
 # tail -f /var/log/dnscache/current | tai64nlocal
 2004-02-25 10:37:12.109829500 stats 2428 1269339 1 0
 2004-02-25 10:37:12.109832500 cached 1 tld1.ultradns.net.
 2004-02-25 10:37:12.109835500 cached 1 tld2.ultradns.net.
 2004-02-25 10:37:12.109838500 tx 0 1 www.adreamcreation.org. org. cc4a7001 cc4a7101
 2004-02-25 10:37:12.172382500 nxdomain cc4a7001 3600 www.adreamcreation.org.
 2004-02-25 10:37:12.172389500 sent 2428 40
 2004-02-25 10:37:12.172867500 query 2429 c0a80105:8091:d4be 1 www.adreamcreation.org.102010.org.
 2004-02-25 10:37:12.172874500 tx 0 1 www.adreamcreation.org.102010.org. 102010.org. 7f01
 2004-02-25 10:37:12.173552500 nxdomain 7f01 2560 www.adreamcreation.org.102010.org.
 2004-02-25 10:37:12.173558500 sent 2429 51
 
  One (1) name and two (2) addresses -- that is probably not what you
  want.
 
 I don't understand what you mean here.

First of all, adreamcreation.org is *NOT* delegated to you, no matter
what whois says:

   # dnsqr any adreamcreation.org
   255 adreamcreation.org:
   36 bytes, 1+0+0+0 records, response, authoritative, nxdomain
   query: 255 adreamcreation.org

   # dnsqr ns adreamcreation.org
   2 adreamcreation.org:
   36 bytes, 1+0+0+0 records, response, authoritative, nxdomain
   query: 2 adreamcreation.org

Domain 102010.org appears to be set up properly.  You must understand the
concept of `nxdomain'.


Second, your original examples:

   In my tinydns-private file, I've got the following for the DMZ, and
   the sites that I'm hosting...

   .2.168.192.in-addr.arpa::ns1.102010.org
   =demian.102010.org:192.168.2.2
   +www.102010.org:192.168.2.2
   +www.adreamcreation.org:192.168.2.2

   My tinydns-public file looks like this...

   .102010.org::ns1.102010.org
   .38.231.216.in-addr.arpa::ns1.102010.org

   @102010.org::demian.102010.org
   =gw.102010.org:216.231.38.127
   +ns1.102010.org:216.231.38.127
   +ns2.102010.org:216.231.38.127

   =demian.102010.org:216.231.38.127
   +www.102010.org:216.231.38.127
   +www.adreamcreation.org:216.231.38.127

show the `One (1) name and two (2) addresses' malady:

 / .2.168.192.in-addr.arpa
   ns1.102010.org
 \ .38.231.216.in-addr.arpa

/ 192.168.2.2
   demian.102010.org
\ 216.231.38.127

This is not readily accomplished.

  Do these DMZ hosts have two (2) interfaces?
 
 The DMZ host has a single interface.

Your DNS host probably has two interfaces.  tinydns-private *MUST* be
associated with the private interface, and tinydns-public *MUST* be
associated with the public interface.

Your DMZ host has one (1) interface; therefore, you will have better
success if you limit that interface to one (1) address.

  If so, what is the domain of your private LAN?
  
 =demian.private.network:192.168.2.2
 
 The contents of my /etc/tinydns-private/env/DOMAINS file is...
 
 1.168.192.in-addr.arpa
 102010.org
snip /

This is going to be a major problem.

First, look closely at the above, and you will see that you are
specifying two (2) private networks:

   1.168.192.in-addr.arpa
   192.168.2.2

Second, since 102010.org is a *public* domain:

   # dnsq any 102010.org a.root-servers.net
   255 102010.org:
   110 bytes, 1+0+2+2 records, response, noerror
   query: 255 102010.org
   authority: org 172800 NS tld1.ultradns.net
   authority: org 172800 NS tld2.ultradns.net
   additional: tld1.ultradns.net 172800 A 204.74.112.1
   additional: tld2.ultradns.net 172800 A 204.74.113.1

By definition, a.root-servers.net *CANNOT* know anything about your
private network.

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
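The "one name, two addresses" split mds diagrams above can be found mechanically. What follows is an added example, not code from the thread or from djbdns: a small parser for the tinydns-data line types the two files use ('.', '&', '=', '+', '@'), and a check that lists every name the private and public files answer with different addresses. The sample data is the pair of files quoted in the thread.

```python
# Constructed sample: the two data files quoted earlier in this thread.
PRIVATE_DATA = """\
.2.168.192.in-addr.arpa::ns1.102010.org
=demian.102010.org:192.168.2.2
+www.102010.org:192.168.2.2
+www.adreamcreation.org:192.168.2.2
"""
PUBLIC_DATA = """\
.102010.org::ns1.102010.org
.38.231.216.in-addr.arpa::ns1.102010.org
@102010.org::demian.102010.org
=gw.102010.org:216.231.38.127
+ns1.102010.org:216.231.38.127
+ns2.102010.org:216.231.38.127
=demian.102010.org:216.231.38.127
+www.102010.org:216.231.38.127
+www.adreamcreation.org:216.231.38.127
"""

def parse_tinydns_data(text):
    """Yield (owner, rtype, value) records.  '.'/'&' give NS (plus an A for the
    server when an IP is present), '=' gives A plus PTR, '+' A only, '@' MX.
    Comments and other line types are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#":
            continue
        kind, fields = line[0], line[1:].split(":")
        owner = fields[0]
        if kind in ".&":
            ns = fields[2] if len(fields) > 2 and fields[2] else "a"
            if "." not in ns:            # bare x means x.ns.<owner>
                ns = f"{ns}.ns.{owner}"
            yield owner, "NS", ns
            if len(fields) > 1 and fields[1]:
                yield ns, "A", fields[1]
        elif kind in "=+":
            yield owner, "A", fields[1]
            if kind == "=":              # '=' also creates the reverse PTR
                rev = ".".join(reversed(fields[1].split("."))) + ".in-addr.arpa"
                yield rev, "PTR", owner
        elif kind == "@":
            mx = fields[2] if len(fields) > 2 and fields[2] else "a"
            yield owner, "MX", mx if "." in mx else f"{mx}.mx.{owner}"

def conflicting_names(*datafiles):
    """{name: sorted addresses} for every name that the given files, taken
    together, map to more than one address."""
    seen = {}
    for text in datafiles:
        for owner, rtype, value in parse_tinydns_data(text):
            if rtype == "A":
                seen.setdefault(owner, set()).add(value)
    return {n: sorted(a) for n, a in seen.items() if len(a) > 1}
```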




[leaf-user] Three-interface Bering sample

2004-02-25 Thread David Pitts
Hi.  Can someone point me to the current three-interface Shorewall
config for Bering 2 and Shorewall 1.4.9?

Thanks.

David Pitts
IT Services Manager
Reid Library 
University of Western Australia
 
Telephone:   (08) 6488 3492 Fax:  (08) 6488 1012


