[leaf-user] Two Mail Servers Behind Firewall
This list was a great help when I was trying to get a Dachstein firewall up and running a few months ago. Now I've got another question I'm hoping can be solved here.

We're thinking of ways to run a second email server for a different division in our company in addition to our main Exchange 2K server. This second server would only host email for people in the field who need webmail service, nothing else, so we want to keep it separate from the main server.

1) Can Dachstein be set up to take in traffic for both and then route it correctly?
2) What are some options to set this up?
3) What else do I need to think about?

FYI, here's our setup: ISP takes care of MX records, then routes the email to us. T-1 line hits a router provided by them, then sends port 25 traffic to the Dac firewall. The Dac firewall is set to port forward it on to our Exchange server. The second email server doesn't need to run Exchange, so please make recommendations on that as well. If you need any more info to help, just ask.

Thanks,
Chris

---
This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com.
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] My Dachstein not quite up and running
Just got back to work today after a long weekend and ready to try tackling this prob again...

First off, was it okay for me to remove the $ from:

INTERN_SERVERS=tcp_$192.168.1.2_smtp_10.10.10.200_smtp

or should I put it back in?

MX records are the DNS entries that tell remote systems how to contact your mail server (as opposed to A records, which match system names to IP addresses). If you don't have an MX record tying your domain name to the IP of your mail server, you won't get mail from the internet at large. Note that this doesn't mean you won't get mail...your MX records could point somewhere else (like your ISP or the registrar for your domain name), and that system could forward mail to you.

Do I need to update them with the following setup: Actual mail server address: 208.57.96.252, controlled by the ISP, forwards mail from their server to ours through their router to 192.168.1.2 (what used to be our Exchange server, but is now eth0 on the firewall)? Since the firewall is set to forward traffic received at port 25 of 192.168.1.2 through to 10.10.10.200 (new IP of our Exchange server), wouldn't it work without having to change the MX records with our ISP? Assuming of course that port forwarding is actually set up and working correctly.
Output from netstat -nr:

Kernel IP routing table
Destination   Gateway       Genmask         Flags MSS Window irtt Iface
192.168.1.0   0.0.0.0       255.255.255.0   U     0   0      0    eth0
10.10.10.0    0.0.0.0       255.255.255.0   U     0   0      0    eth1
0.0.0.0       192.168.1.1   0.0.0.0         UG    0   0      0    eth0

Output from ipchains -nvL:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination   ports
    0     0 DENY   udp  --  0xFF 0x00 eth0  192.168.1.1      0.0.0.0/0     * -> 520
    0     0 DENY   udp  --  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     * -> 68
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     5 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     13 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     14 -> *
    0     0 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  255.255.255.255  0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  127.0.0.0/8      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  224.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  --  0xFF 0x00 eth0  10.0.0.0/8       0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  172.16.0.0/12    0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0/8        0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  128.0.0.0/16     0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  191.255.0.0/16   0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.0.0.0/24     0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  223.255.255.0/24 0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  240.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  10.10.10.0/24    0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.168.1.2      0.0.0.0/0     n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0  0.0.0.0/0        127.0.0.0/8   n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0  0.0.0.0/0        10.10.10.0/24 n/a
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 137
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 135
    0     0 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 137
    0     0 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 135
    0     0 REJECT tcp  --
Re: [leaf-user] My Dachstein not quite up and running
Here's the output of ip addr list:

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:02:00:45:3d brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:98:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:a0:7a brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1

I think it looks good. I can't make the actual switch of the Exchange server to behind the firewall until everyone goes home for the night, so I'll have to report back on that later.

Thanks for your help!
Chris
Re: [leaf-user] My Dachstein not quite up and running
EXTERN_TCP_PORTS=0/0_25 to allow anyone on the internet to send you e-mail, and you'll probably have a lot better luck.

Did it and still not receiving. Also tried Mike's suggestion to remove the $ from INTERN_SERVERS=tcp_$192.168.1.2_smtp_10.10.10.200_smtp. Backed up the firewall and rebooted, still nothing.

Output from netstat -nr still looks the same. Here's the output from ipchains -nvL:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination   ports
   18  1296 DENY   udp  --  0xFF 0x00 eth0  192.168.1.1      0.0.0.0/0     * -> 520
    0     0 DENY   udp  --  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     * -> 68
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     5 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     13 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     14 -> *
    0     0 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  255.255.255.255  0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  127.0.0.0/8      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  224.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  --  0xFF 0x00 eth0  10.0.0.0/8       0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  172.16.0.0/12    0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0/8        0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  128.0.0.0/16     0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  191.255.0.0/16   0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.0.0.0/24     0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  223.255.255.0/24 0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  240.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  10.10.10.0/24    0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.168.1.2      0.0.0.0/0     n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0  0.0.0.0/0        127.0.0.0/8   n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0  0.0.0.0/0        10.10.10.0/24 n/a
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 137
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 135
   87  6786 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 137
    0     0 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 135
    6   492 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 138:139
   20  4453 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 138
    0     0 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     137:138 -> *
    0     0 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     135 -> *
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     137:139 -> *
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     135 -> *
   19   936 ACCEPT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 25
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 113
  612  214K ACCEPT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 1024:65535
    0     0
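Once the columns of an `ipchains -nvL` listing have been flattened like the one above, the question it actually answers (is port 25 traffic getting past the input filter at all?) is easy to miss. The following is an added example, not from this thread and not part of the Dachstein scripts, that parses a few rows of such output and replays a packet through the chain with the kernel's first-match semantics. SAMPLE_CHAIN is a constructed subset of the input chain posted above (with the `->` of the ports column restored); the packet addresses used in the example are made up.

```python
"""Replay a packet through an `ipchains -nvL` input chain.

Added example, not from the thread or from Dachstein.  SAMPLE_CHAIN is a
constructed subset of the input chain posted above.  ipchains walks the
chain in order, the first matching rule decides, and the chain policy
applies when nothing matches.  The mark/outsize columns are blank in the
posted output; if present they are skipped.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SAMPLE_CHAIN = """\
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    0     0 DENY   all  l-  0xFF 0x00 eth0  10.0.0.0/8  0.0.0.0/0  n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.168.1.2 0.0.0.0/0  n/a
   87  6786 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0   0.0.0.0/0  * -> 137
    6   492 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0   0.0.0.0/0  * -> 138:139
   19   936 ACCEPT tcp  --  0xFF 0x00 eth0  0.0.0.0/0   0.0.0.0/0  * -> 25
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0   0.0.0.0/0  * -> 113
  612  214K ACCEPT tcp  --  0xFF 0x00 eth0  0.0.0.0/0   0.0.0.0/0  * -> 1024:65535
"""

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass
class Rule:
    pkts: str
    target: str
    proto: str
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: PortRange
    dport: PortRange


def _port_range(spec: str) -> PortRange:
    if spec == "*":
        return None
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else int(lo))


def _matches(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def parse_chain(text):
    """Return (policy, [Rule, ...]) for one chain of `ipchains -nvL` output."""
    policy, rules = None, []
    for line in text.splitlines():
        head = re.match(r"Chain \S+ \(policy (\w+):", line)
        if head:
            policy = head.group(1)
            continue
        tok = line.split()
        if len(tok) < 10 or not tok[0].isdigit():
            continue                       # column header or blank line
        nets, i = [], 8                    # tok[7] is ifname; addresses follow
        while i < len(tok) and len(nets) < 2:
            try:
                nets.append(ipaddress.ip_network(tok[i], strict=False))
            except ValueError:
                pass                       # a mark/outsize value, not an address
            i += 1
        if len(nets) != 2:
            raise ValueError(f"no source/destination in: {line}")
        ports = tok[i:]                    # 'n/a' or 'sport -> dport'
        sport = dport = None
        if ports and ports[0] != "n/a":
            sport, dport = _port_range(ports[0]), _port_range(ports[-1])
        rules.append(Rule(tok[0], tok[2], tok[3], tok[7], nets[0], nets[1], sport, dport))
    return policy, rules


def evaluate(policy, rules, *, iface, proto, src, dst, sport=0, dport=0):
    """First matching rule decides; returns (target, rule-or-None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface not in ("*", iface) or r.proto not in ("all", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if _matches(r.sport, sport) and _matches(r.dport, dport):
            return r.target, r
    return policy, None


def hit_rules(rules):
    """Rules whose packet counter is non-zero, i.e. that have matched traffic."""
    return [r for r in rules if r.pkts != "0"]


def smtp_verdict(chain_text=SAMPLE_CHAIN, src="198.51.100.7", dst="192.168.1.2"):
    """What the input chain does with an SMTP connection arriving on eth0."""
    policy, rules = parse_chain(chain_text)
    return evaluate(policy, rules, iface="eth0", proto="tcp",
                    src=src, dst=dst, sport=40000, dport=25)[0]


if __name__ == "__main__":
    policy, rules = parse_chain(SAMPLE_CHAIN)
    print("SMTP from the Internet:", smtp_verdict())
    print("SMTP with a spoofed 10/8 source:", smtp_verdict(src="10.5.5.5"))
    for r in hit_rules(rules):
        print(f"{r.pkts:>5} pkts  {r.target:<6} {r.proto:<4} dport {r.dport}")
```

Read together with the counters, this is the check to make before editing network.conf again: the ACCEPT row for port 25 has a non-zero packet count, so inbound SMTP is passing the input chain and a delivery failure has to be looked for on the forwarding side or on the mail server itself, not in the input filter.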
Re: [leaf-user] My Dachstein not quite up and running
Apologies for the typo in my previous messages. My two problems haven't gone away: 1) Exchange server is not receiving internet email and 2) workstations cannot browse the web. I'm thinking my first problem is related to Doug's problem under the recent headers "Dachstein Port Forwarding", but since I'm not a trained Exchange sysadmin like he is, I'm in need of more specific how-to help.

Here's the current setup:

T-1 line in
    |
ISP's router (external IP: 208.57.96.254; internal IP: 192.168.1.1)
    |
Firewall (external IP: 192.168.1.2; internal IP: 10.10.10.254)
    |
Exchange Server (IP: 10.10.10.200, Gateway: 10.10.10.254)

The portfw module is loaded. I made the following changes to network.conf:

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS=216.171.153.128/25_ssh 0/0_www 0/0_1023
EXTERN_TCP_PORTS=192.168.1.2_25

and

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# protocol_local-ip_local-port_remote-ip_remote-port
#INTERN_SERVERS=tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp
INTERN_SERVERS=tcp_$192.168.1.2_smtp_10.10.10.200_smtp

and

CONFIG_DNS=YES

and

DOMAINS=private.network
#DNS0=127.0.0.1
DNS0=208.57.0.10
DNS1=208.57.0.11

Output of netstat -nr:

Kernel IP routing table
Destination   Gateway       Genmask         Flags MSS Window irtt Iface
192.168.1.0   0.0.0.0       255.255.255.0   U     0   0      0    eth0
10.10.10.0    0.0.0.0       255.255.255.0   U     0   0      0    eth1
0.0.0.0       192.168.1.1   0.0.0.0         UG    0   0      0    eth0

Output of ipchains -nvL:

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination   ports
   31  2232 DENY   udp  --  0xFF 0x00 eth0  192.168.1.1      0.0.0.0/0     * -> 520
    0     0 DENY   udp  --  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     * -> 68
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     5 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     13 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     14 -> *
    0     0 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  255.255.255.255  0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  127.0.0.0/8      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  224.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  --  0xFF 0x00 eth0  10.0.0.0/8       0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  172.16.0.0/12    0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0/8        0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  128.0.0.0/16     0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  191.255.0.0/16   0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.0.0.0/24     0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  223.255.255.0/24 0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  240.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  10.10.10.0/24    0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  192.168.1.2      0.0.0.0/0     n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0  0.0.0.0/0        127.0.0.0/8   n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0  0.0.0.0/0        10.10.10.0/24 n/a
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 137
    0     0 REJECT tcp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 135
   15  1170 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 137
    0     0 REJECT udp  --  0xFF 0x00 eth0  0.0.0.0/0        0.0.0.0/0     * -> 135
    0     0 REJECT tcp  --  0xFF 0x00 eth0
Re: [leaf-user] My Dachstein not quite up and running
Okay, today I'm trying to get our Exchange 2000 mail server online behind the firewall. Currently mail is set to go straight from our ISP's router to 192.168.1.2 (the IP address of our Exchange server). I'm trying to do a minimal amount of work to get the firewall in between the ISP's router and the Exchange server, so I configured the firewall's external interface (eth0) to be 192.168.1.2 and the internal interface to 10.10.10.254. The Exchange server is now 10.10.10.2.

In trying to set up port forwarding for SMTP services I put the following in my network.conf file:

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS=216.171.153.128/25_ssh 0/0_www 0/0_1023
EXTERN_TCP_PORTS=192.168.1.1/24_25

and

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# protocol_local-ip_local-port_remote-ip_remote-port
#INTERN_SERVERS=tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp
INTERN_SERVERS=tcp_$192.168.1.2_smtp_10.10.10.200_smtp

I've also reconfigured the SMTP settings on the Exchange Server and in Exchange. Currently I can send mail out (both to the LAN and to the internet), but incoming internet email never makes it to the server.

I've also tried changing the EXTERN_TCP_PORTS line to read:

EXTERN_TCP_PORTS=192.168.1.2/24_25

and even tried

EXTERN_TCP_PORTS=208.57.96.254/24_25

(the ISP's router's external IP). With either of those settings I can also send, but not receive. What else can I try?
Re: [leaf-user] My Dachstein not quite up and running
It needs to be 192.168.1.2 to match the address the mail is being forwarded to.

I'll give it a try.

Have you loaded the portfw module???

Under the modules menu, ip_masq_portfw is uncommented. Is there something else that needs to be done to get it to load?
Re: [leaf-user] Log Interpretation Please
Removing the -l in the 10.0.0.0/8 rules in ipfilter.conf will stop the logging regardless.

I could only find three instances of 10.0.0.0/8 in the file. One was commented out, and the other 2 didn't have a -l. Is there another instance I'm missing?

# RFC 1918/1627/1597 blocks
# $IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*

# Prevent RFC 1918/1627/1597 IP packets from coming in
$IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF

# Stop outgoing RFC 1918/1627/1597 packets
$IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
Re: [leaf-user] My Dachstein not quite up and running
It needs to be 192.168.1.2 to match the address the mail is being forwarded to.

I'll give it a try.

Didn't work. Still can only send, not receive.

Have you loaded the portfw module??? Is it listed in the lsmod command?

Yep.

Module           Pages  Used by
ip_masq_portfw    2416  0 (unused)

Here's something else fun to work on while we're at it: I tried putting other machines behind the firewall today since the office was empty (office retreat, except for me!) and only the NT box and the Exchange server (running Windows 2000 Server) can browse the web. Our Windows 98SE, Windows ME, and Windows 95 computers can't. They log into the server fine, get an IP address fine, just no web. They can ping the firewall (both interfaces) and the ISP's router (also both interfaces), but when I ping something like www.yahoo.com it comes back with "unknown host". Any ideas on this one?
Re: [leaf-user] My Dachstein not quite up and running
Thanks to Steve the weblet is now running. I had 10.10.10.0/255.255.255.0 added in the hosts.allow files, but didn't realize I also had to add 10.10.10./255.255.255.0 as well.

(a) port forward traffic to port 25 on the LEAF router to the 10.10.10.x mail server
(b) have the ISP router port forward port 25 to the LEAF router's external address.

(I'm assuming here that the ISP router NATs 192.168.1.0/24, something you haven't actually said. It is possible that the ISP actually routes to 192.168.1.0/24 rather than NATs it, and that some address translation takes place upstream of you. In that case, everything is different, and you haven't told us enough details to get good advice.) While this approach should work, it is clumsy.

I'm not sure if it's NAT or routed. Assuming it's NATed, and it is already set up to go from the ISP's router to 192.168.1.2, couldn't I use that address for eth0 on the firewall, and set up port forwarding to send it to the static IP of the mail server behind the firewall? This seems the simplest way to me since it only requires me to make a few changes to Dachstein and not have to have our ISP change anything at all.
Re: [leaf-user] My Dachstein not quite up and running
If your overall LAN setup is simple enough, this will work. Since this approach double NATs all the traffic (first by the LEAF router; second by the ISP someplace), there is always some risk that something you implement will run into a rare problem. Worry most about things that you are port forwarding (not mail; that should work just fine) ... particularly the traditional problem services (ftp, irc, a few others) and the p2p services.

We're a simple operation and don't run irc or most other internet applications besides email and web browsing. Our webmaster does ftp files to our webhosting company, but that seems to already work from behind the firewall without having to set any port forwarding rules for it.

Before I actually move our email server behind the firewall let me just make sure I have the right process. ip_masq_portfw is already uncommented in etc/modules so I think I do this by adding the following line after "#TCP services open to outside world":

EXTERNAL_TCP_PORTS=0/0_25

and the following line after "#Uncomment the following for port-forwarded internal services.":

INTERNAL_SERVERS=tcp$192.168.1.2_25_10.10.10.200_25

(Where 192.168.1.2 will be eth0 on the firewall, 25 is the port to forward from, 10.10.10.200 will be the mailserver's IP, and 25 is the port to forward to.)

Please correct me where I've strayed, thanks.
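Since the thread turns on the exact spelling of two network.conf variables, here is an added example (not Dachstein's own code, and not from any message in this thread) that checks EXTERN_TCP_PORTS and INTERN_SERVERS entries before running `svi network reload`. It catches the three mistakes that appear in the messages: a `$` in front of a literal address (network.conf is sourced by a shell, where `$1` is the script's first positional parameter, so the rule builder never sees `192.168.1.2`), a missing `_` separator, and a source network on the SMTP entry that admits only the ISP router's subnet. The `ipmasqadm portfw` lines it renders use the Linux 2.2 syntax; that Dachstein generates exactly those lines is an assumption. The service-name table and the addresses in the usage section are mine.

```python
"""Check Dachstein network.conf port-forward entries before reloading.

Added example: not Dachstein's code and not posted in the thread.  It parses
  EXTERN_TCP_PORTS   space-separated   srcip/mask_dstport
  INTERN_SERVERS     space-separated   protocol_local-ip_local-port_remote-ip_remote-port
and reports the mistakes that came up in the discussion.  The ipmasqadm
output uses the Linux 2.2 `ipmasqadm portfw` syntax; that Dachstein issues
exactly these lines is an assumption.
"""
import ipaddress
import re

# Service names accepted in place of numbers (small subset; assumption).
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80, "https": 443}

# protocol_local-ip_local-port_remote-ip_remote-port, after ${EXTERN_IP} expansion
TUPLE = re.compile(r"^(tcp|udp)_([^_]+)_([^_]+)_([^_]+)_([^_]+)$")


def port_number(name):
    """'smtp' or '25' -> 25; anything else raises ValueError."""
    if name.isdigit() and 0 < int(name) < 65536:
        return int(name)
    if name in SERVICES:
        return SERVICES[name]
    raise ValueError(f"unknown port or service {name!r}")


def check_extern_tcp_ports(value, public_ports=(25,)):
    """Validate EXTERN_TCP_PORTS.  Returns (entries, warnings)."""
    entries, warnings = [], []
    for item in value.split():
        src, sep, port = item.rpartition("_")
        if not sep:
            warnings.append(f"{item}: expected srcip/mask_dstport")
            continue
        if src.startswith("$"):
            warnings.append(f"{item}: '$' in front of an address is not a variable")
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)
            dport = port_number(port)
        except ValueError as err:
            warnings.append(f"{item}: {err}")
            continue
        if dport in public_ports and net.prefixlen != 0:
            # The source field is the *sender*.  If the upstream router passes
            # the real source address through, a LAN mask shuts the Internet out.
            warnings.append(f"{item}: only {net} may reach port {dport}; "
                            f"Internet senders are dropped (use 0/0_{port})")
        entries.append((net, dport))
    return entries, warnings


def check_intern_servers(value, extern_ip=None):
    """Validate INTERN_SERVERS.  Returns (forwards, warnings)."""
    forwards, warnings = [], []
    for raw in value.split():
        item = raw
        if "${EXTERN_IP}" in raw:            # the one variable the file uses
            if extern_ip is None:
                warnings.append(f"{raw}: ${{EXTERN_IP}} used but extern_ip not supplied")
                continue
            item = raw.replace("${EXTERN_IP}", extern_ip)
        if "$" in item:
            # In a sourced shell file `$1` is the first positional parameter, so
            # `tcp_$192.168.1.2_...` no longer contains 192.168.1.2 when read.
            warnings.append(f"{raw}: stray '$'; write the address literally or use ${{EXTERN_IP}}")
            continue
        m = TUPLE.match(item)
        if not m:
            warnings.append(f"{raw}: expected protocol_local-ip_local-port_remote-ip_remote-port")
            continue
        proto, lip, lport, rip, rport = m.groups()
        try:
            forwards.append((proto, str(ipaddress.ip_address(lip)), port_number(lport),
                             str(ipaddress.ip_address(rip)), port_number(rport)))
        except ValueError as err:
            warnings.append(f"{raw}: {err}")
    return forwards, warnings


def ipmasqadm_lines(forwards):
    """Render validated tuples as `ipmasqadm portfw -a` commands (assumed syntax)."""
    return [f"ipmasqadm portfw -a -P {p} -L {lip} {lp} -R {rip} {rp}"
            for p, lip, lp, rip, rp in forwards]


if __name__ == "__main__":
    # The lines the thread ends up with: open SMTP to everyone, forward it inside.
    _, w1 = check_extern_tcp_ports("0/0_25")
    fw, w2 = check_intern_servers("tcp_192.168.1.2_smtp_10.10.10.200_smtp")
    print("\n".join(w1 + w2 + ipmasqadm_lines(fw)))
```

Run it against each variant tried in the thread: `192.168.1.1/24_25`, `192.168.1.2/24_25` and `208.57.96.254/24_25` all get the "Internet senders are dropped" warning, and both `tcp_$192.168.1.2_...` and `tcp$192.168.1.2_...` are rejected before any rule is rendered.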
Re: [leaf-user] My Dachstein not quite up and running
I'm back at work for the week now so I'll try the suggestions you guys gave since Thursday. In the meantime, I moved the firewall to a more accessible location and reconnected it with new cables. Now I get the following msg popping up every few seconds:

eth0: rtl8139 Interrupt line blocked, status

and when I try to ping an external address I get:

eth0: Transmit timeout, status ff media ff

and 100% packet loss. I can ping the internal NT fine.
Re: [leaf-user] My Dachstein not quite up and running
Okay, my dhcpd file now reads as follows:

subnet 10.10.10.0 netmask 255.255.255.0 {
    option routers 10.10.10.254;
    option domain-name esimail.org;
    option domain-name-servers 127.0.0.1;
    range 10.10.10.1 10.10.10.199;
}

I made the newbie mistake of thinking "option" meant optional, so I hadn't changed them previously. (per Charles)

Switched eth1_IPADDR=10.10.10.1 to eth1_IPADDR=10.10.10.254 (per Lynn)

and checked the things Ray asked about: the masq rule reads:

    0     0 MASQ   all  --  0xFF 0x00 eth0  10.10.10.0/24  0.0.0.0/0  n/a

and cat /proc/sys/net/ipv4/ip_forward does return a 1.

Now everything seems to work correctly! (Ping, web access, and SSH at least; I haven't put our Exchange server behind the firewall yet since there are other users in the office.) I am so thankful for your help through this. Three more questions before I go though:

1) Since the ISP's router is set to route incoming mail to our Exchange server at its current address (192.168.1.2), all I should have to do is assign that server a new static IP (something along the lines of 10.10.10.200) and let the ISP know about this change, right?

2) It looks like our ISP's router is set to renew nonstatic IP addresses every 27000 seconds (7.5 hours). I know this affects the IP address for eth0; will that affect anything else behind the firewall? Basically I'm wondering if this is okay to leave as-is or should I try to assign eth0 a static IP.

3) How do I enable the weblet application? I changed the settings in the weblet package: SERVER_NAME and SERVER_ADDR to both be 10.10.10.254 to match the eth1 address. I also changed the CLIENT_ADDR to 10.10.10. but so far I've been unable to access it from the internal NT box.

Thanks again,
Chris
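The dhcpd block above hands clients `option domain-name-servers 127.0.0.1`. That option is sent to each client verbatim, and 127.0.0.1 on a Windows workstation is that workstation's own loopback, so a DHCP client with no statically configured resolver cannot look up names at all (the ping of www.yahoo.com would come back as "unknown host" on such a client). The following is an added example, not from the thread and not part of the Dachstein package, that parses the flat `subnet { ... }` form shown above and checks the gateway, lease range and resolver options against the declared subnet. SAMPLE_DHCPD_CONF is a constructed copy of the posted block; the resolver address 10.10.10.254 used in the checks is the firewall's internal (eth1) address from the thread.

```python
"""Sanity-check a dhcpd.conf subnet declaration.

Added example; not from the thread and not part of Dachstein.  Handles only
the flat `subnet A netmask M { option ...; range ...; }` form shown in the
posted file.  SAMPLE_DHCPD_CONF is a constructed copy of that block.
"""
import ipaddress
import re

SAMPLE_DHCPD_CONF = """\
subnet 10.10.10.0 netmask 255.255.255.0 {
  option routers 10.10.10.254;
  option domain-name esimail.org;
  option domain-name-servers 127.0.0.1;
  range 10.10.10.1 10.10.10.199;
}
"""

SUBNET = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnets(text):
    """Return one dict per subnet block: subnet, options, range."""
    decls = []
    for net, mask, body in SUBNET.findall(text):
        decl = {"subnet": ipaddress.ip_network(f"{net}/{mask}"),
                "options": {}, "range": None}
        for stmt in body.split(";"):
            tok = stmt.split()
            if not tok:
                continue
            if tok[0] == "option" and len(tok) >= 3:
                decl["options"][tok[1]] = [v.strip(",") for v in tok[2:]]
            elif tok[0] == "range" and len(tok) == 3:
                decl["range"] = (ipaddress.ip_address(tok[1]),
                                 ipaddress.ip_address(tok[2]))
        decls.append(decl)
    return decls


def check_subnet(decl, expected_dns=None):
    """Return a list of problems; empty means the block looks sane.

    expected_dns: LAN address of the resolver clients should be given
    (10.10.10.254 for the dnscache on the firewall's eth1 in the thread).
    """
    problems = []
    net = decl["subnet"]
    routers = [ipaddress.ip_address(r) for r in decl["options"].get("routers", [])]
    if not routers:
        problems.append("no 'option routers': clients get no default gateway")
    for r in routers:
        if r not in net:
            problems.append(f"router {r} is outside {net}")
    if decl["range"] is None:
        problems.append("no 'range': nothing to lease")
    else:
        lo, hi = decl["range"]
        if lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is outside {net}")
        if any(lo <= r <= hi for r in routers):
            problems.append("router address lies inside the lease range")
    for dns in decl["options"].get("domain-name-servers", []):
        addr = ipaddress.ip_address(dns)
        if addr.is_loopback:
            # 127.0.0.1 is sent to the client verbatim and names *its* loopback.
            problems.append(f"domain-name-servers {addr} is each client's own loopback; "
                            "hand out the resolver's LAN address instead")
        elif expected_dns and addr != ipaddress.ip_address(expected_dns):
            problems.append(f"domain-name-servers {addr} is not the resolver at {expected_dns}")
    return problems


if __name__ == "__main__":
    for decl in parse_subnets(SAMPLE_DHCPD_CONF):
        print(decl["subnet"], check_subnet(decl, expected_dns="10.10.10.254") or "OK")
```

A machine whose resolver is set by hand (as an NT server often is) is unaffected by the DHCP option, which is why a mixed office can show some hosts browsing and others reporting unknown hosts while the gateway and masquerading are both correct.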
Re: [leaf-user] My Dachstein not quite up and running
Now that I check it, the IP for eth0 changed overnight, unless someone rebooted the firewall when I wasn't here. Its new IP is 192.168.1.38, which I can successfully ping from both the firewall and NT. But I still can't ping past it to 208.57.96.252 (on the NT it says "Request timed out"; on the firewall it hangs, then says "7 packets sent, 0 packets received, 100% packet loss" when I hit ^C).
Re: [leaf-user] My Dachstein not quite up and running
After rebooting sometimes I can't ping the firewall or log in via ssh, even if I didn't change any settings. Is this normal?

A. The external ISP's router is on network 192.168.1.0/24 and provides DHCP leases for at least a portion of that network.
B. The Dachstein router is configured to use 192.168.1.0/24, the same network, and to provide DHCP leases for at least a portion of that network on its internal interface.

Okay, this makes more sense. The ISP's router assigns everything from 192.168.1.1 through 192.168.1.255, so we should change the entire subnet that Dachstein will assign, right?

To fix this, you need to change the internal network that Dachstein uses. I've been away from Dach for long enough that I forget the name of the file it keeps its basic config info in ... it will be something like /etc/network.conf . But find that file, look in it for the one or several places where 192.168.1.*/24 addresses are associated with the internal interface or network, and change them to some non-conflicting value. Then save and reboot (including restarting networking on the NT server, so it gets a new lease on the new network).

Okay, in /etc/network.conf I changed the following values:

Interfaces:
eth1_IPADDR=10.10.10.1
eth1_MASKLEN=24
eth1_BROADCAST=10.10.10.255

Internal Interface:
INTERN_IF=eth1
INTERN_NET=10.10.10.0/24
INTERN_IP=10.10.10.254

Those were all the instances of 192.168.x.x that I could find associated with eth1. I can send a copy of the entire network.conf file if you like.

Do you have any control over the settings on the ISP's router? I infer from what you sent that it has a real (public, routable) IP address on its external interface and NAT's 192.168.1.0/24 on the internal interface. Depending on what that router can do, you **might** be able to switch it to a different internal network, even better a static route to the Dach firewall that does not require NAT'ing. Then the Dach router can keep the network numbering it and you are used to, and you'll avoid the problems that might arise from double-NAT'ing of outgoing traffic.

We might be able to change some things on it, but it requires calling our ISP and having them make the changes via telnet (I think). Currently I know there is a rule set up on that router to route all SMTP traffic to our Exchange server via a static IP address: 192.168.1.2. Other than that I don't know. It's an Adtran router.

So I rebooted the server and now I can no longer get it to assign the NT machine an IP address. I used ipconfig /release followed by ipconfig /renew and it said "Error: DHCP Server Unavailable: Renewing adapter CpqNF31". Ping from NT to 10.10.10.1 (new address of eth1): "Destination host unreachable." Firewall can ping eth1, eth0, and 208.57.96.252.

Here's the new output files:

ip addr show

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:09:00:4a:4a brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:98:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.39/24 brd 192.168.1.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:a0:7a brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1

ip route show

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.39
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.1
default via 192.168.1.1 dev eth0

ipchains -nvL

Chain input (policy DENY: 3 packets, 1224 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination   ports
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     5 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     13 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *     0.0.0.0/0        0.0.0.0/0     14 -> *
    1   328 DENY   all  l-  0xFF 0x00 eth0  0.0.0.0          0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  255.255.255.255  0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  127.0.0.0/8      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0  224.0.0.0/4      0.0.0.0/0     n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0
Re: [leaf-user] My Dachstein not quite up and running
That'll teach me to send replies before checking email...

Now I updated some settings per Charles' email as follows:

dhcpd daemon config: subnet 10.10.10.0 netmask 255.255.255.0
dnscache: LRP internal IP--10.10.10.254; querying hosts IP's--added 10.10
hosts.allow added--ALL: 10.10.10.0/255.255.255.0

grep 192.168.1 /etc/* showed several places where it showed up, but most of it was commented out so I left it alone. 2 instances showed up uncommented so I changed them. Under sh-hpptd.conf:

Server_Name=10.10.10.254
Server_Addr=10.10.10.254

Now I can ping everything from the firewall, and get a 10.10.10 IP address for the NT box, but still only eth1 from the NT box behind the firewall. Everything else gets a "Request timed out" error. What info would be helpful for you to get me to the next step?
Re: [leaf-user] My Dachstein not quite up and running
I've searched the archives, but the only thing that looked helpful to me was the following:

Dachstein and its predecessors block private IPs by default. In Dachstein you can just comment out the line that denies these. It is in /etc/ipfilter.conf - under stopmartians procedure

# RFC 1918/1627/1597 blocks

third line down, just comment it:

$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*

save it

svi network reload

if that makes everything work then backup etc to the floppy.

Which I did, but it didn't help. There was another thread that looked promising called "Can't Ping" but the problems and responses were quite cryptic and confusing to me.

Once again the physical setup is as follows:

T1 to ISP's router (which handles DHCP)
ISP's router to Hub
Hub to Firewall (other networks outside of firewall)
Firewall to Switch (internal network connected to this switch)

Our current SMTP server is set to forward all traffic to 208.57.96.252, which I think is the gateway address for the ISP's router--does that sound right?

For testing purposes the internal network only consists of a single NT4 machine configured for dynamic IP addressing. The output I get after commenting out the above line in ipfilter.conf is as follows:

Leaf Distribution: dachstein-cd-v1.0.2

/var/log/messages

Jan 29 18:05:17 Clean syslogd 1.3-3#31.slink1: restart.
Jan 29 18:05:18 Clean kernel: klogd 1.3-3#31.slink1, log source = /proc/kmsg started.
Jan 29 18:05:18 Clean kernel: Cannot find map file.
Jan 29 18:05:18 Clean kernel: Loaded 24 symbols from 15 modules.
Jan 29 18:05:18 Clean kernel: Linux version 2.2.19-3-LEAF-RAID (root@debian) (gcc version 2.7.2.3) #4 Sat Dec 1 17:27:59 CST 2001
Jan 29 18:05:18 Clean kernel: BIOS-provided physical RAM map:
Jan 29 18:05:18 Clean kernel: BIOS-e820: 0009f000 @ (usable)
Jan 29 18:05:18 Clean kernel: BIOS-e820: 00f0 @ 0010 (usable)
Jan 29 18:05:18 Clean kernel: Console: colour VGA+ 80x25
Jan 29 18:05:18 Clean kernel: Calibrating delay loop... 33.28 BogoMIPS
Jan 29 18:05:18 Clean kernel: Memory: 13580k/16384k available (1108k kernel code, 416k reserved, 488k data, 52k init)
Jan 29 18:05:18 Clean kernel: Checking if this processor honours the WP bit even in supervisor mode... Ok.
Jan 29 18:05:18 Clean kernel: Dentry hash table entries: 2048 (order 2, 16k)
Jan 29 18:05:18 Clean kernel: Buffer cache hash table entries: 16384 (order 4, 64k)
Jan 29 18:05:18 Clean kernel: Page cache hash table entries: 4096 (order 2, 16k)
Jan 29 18:05:18 Clean kernel: CPU: AMD 486 DX/2-WB stepping 04
Jan 29 18:05:18 Clean kernel: Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
Jan 29 18:05:18 Clean kernel: Checking 'hlt' instruction... OK.
Jan 29 18:05:18 Clean kernel: POSIX conformance testing by UNIFIX
Jan 29 18:05:18 Clean kernel: PCI: PCI BIOS revision 2.00 entry at 0xfc9d0
Jan 29 18:05:18 Clean kernel: PCI: Using configuration type 1
Jan 29 18:05:18 Clean kernel: PCI: Probing PCI hardware
Jan 29 18:05:18 Clean kernel: Linux NET4.0 for Linux 2.2
Jan 29 18:05:18 Clean kernel: Based upon Swansea University Computer Society NET3.039
Jan 29 18:05:18 Clean kernel: NET4: Unix domain sockets 1.0 for Linux NET4.0.
Jan 29 18:05:18 Clean kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jan 29 18:05:18 Clean kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Jan 29 18:05:18 Clean kernel: TCP: Hash tables configured (ehash 16384 bhash 16384)
Jan 29 18:05:18 Clean kernel: Linux IP multicast router 0.06 plus PIM-SM
Jan 29 18:05:18 Clean kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.91
Jan 29 18:05:18 Clean kernel: early initialization of device ipsec0 is deferred
Jan 29 18:05:18 Clean kernel: early initialization of device ipsec1 is deferred
Jan 29 18:05:18 Clean kernel: early initialization of device ipsec2 is deferred
Jan 29 18:05:18 Clean kernel: early initialization of device ipsec3 is deferred
Jan 29 18:05:18 Clean kernel: Initializing RT netlink socket
Jan 29 18:05:18 Clean kernel: Starting kswapd v 1.5
Jan 29 18:05:18 Clean kernel: Detected PS/2 Mouse Port.
Jan 29 18:05:18 Clean kernel: Serial driver version 4.27 with MANY_PORTS MULTIPORT SHARE_IRQ enabled
Jan 29 18:05:18 Clean kernel: ttyS00 at 0x03f8 (irq = 4) is a 16550A
Jan 29 18:05:18 Clean kernel: Software Watchdog Timer: 0.05, timer margin: 60 sec
Jan 29 18:05:18 Clean kernel: Real Time Clock Driver v1.09
Jan 29 18:05:18 Clean kernel: RAM disk driver initialized: 16 RAM disks of 12288K size
Jan 29 18:05:18 Clean kernel: hda: TOSHIBA CD-ROM XM-5602B, ATAPI CDROM drive
Jan 29 18:05:18 Clean kernel: ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Jan 29 18:05:18 Clean kernel: Floppy drive(s): fd0 is 1.44M
Jan 29 18:05:18 Clean kernel: FDC 0 is a National Semiconductor PC87306
Jan 29 18:05:18 Clean kernel: md driver 0.90.0 MAX_MD_DEVS=256, MAX_REAL=12
Jan 29 18:05:18 Clean kernel: raid5: measuring checksumming speed
Jan 29 18:05:18 Clean kernel:    8regs : 34.671 MB/sec
Jan 29 18:05:18
Re: [leaf-user] My Dachstein not quite up and running
Thanks for the help so far, and for helping me along as I limp through this.

Here is how the physical setup goes:

T1 to Adtrans (provided by our ISP, which handles DHCP)
This goes to a 3Com Superstack II hub
From there we currently lease out 4 lines and connect our own LAN.

Some of the leased lines run to servers that run their own firewall software, so I want to be able to leave the 4 leased lines outside of the Dachstein firewall, run a line from the hub to the firewall and use a 3Com Superstack III switch behind the firewall to connect our LAN. So I've connected a line from the hub to eth0 and connected eth1 to the switch along with the rest of the LAN. Shouldn't this work, or do I need to do something else special to Dachstein to bring it up running?

---
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] My Dachstein not quite up and running
Okay, these two messages are the requested output files. This first one is the output when I followed only the initial setup and added ssh. The next message will be the output when I set it up to use a static external IP address.

Thanks for the help,
Chris

Leaf Distribution: dachstein-cd-v1.0.2

uname -a:
Linux Nimrod 2.2.19-3-LEAF-RAID #4 Sat Dec 1 17:27:59 CST 2001 i386 unknown

ip addr show:
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:0d:00:74:41 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:98:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.184/24 brd 192.168.1.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:a0:7a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

ip route show:
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.184
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
default via 192.168.1.1 dev eth0

lsmod:
Module            Pages  Used by
ip_masq_vdolive    1180  0 (unused)
ip_masq_user       3708  0 (unused)
ip_masq_raudio     2980  0 (unused)
ip_masq_quake      1220  0 (unused)
ip_masq_portfw     2416  0 (unused)
ip_masq_mfw        3196  0 (unused)
ip_masq_irc        1924  0 (unused)
ip_masq_ftp        3576  0 (unused)
ip_masq_cuseeme     964  0 (unused)
ip_masq_autofw     2476  0 (unused)
rtl8139           10856  2
pci-scan           2300  0 [rtl8139]
isofs             17692  0
ide-cd            22672  0
cdrom             26712  0 [ide-cd]

ipchains -nvL:
Chain input (policy DENY: 2 packets, 1152 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0        0.0.0.0/0      5 -> *
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0        0.0.0.0/0      13 -> *
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0        0.0.0.0/0      14 -> *
    4  1320 DENY   all  l- 0xFF 0x00 eth0 0.0.0.0          0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 255.255.255.255  0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 127.0.0.0/8      0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 224.0.0.0/4      0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 10.0.0.0/8       0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 172.16.0.0/12    0.0.0.0/0      n/a
  256 27503 DENY   all  l- 0xFF 0x00 eth0 192.168.0.0/16   0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 0.0.0.0/8        0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 128.0.0.0/16     0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 191.255.0.0/16   0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.0.0.0/24     0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 240.0.0.0/4      0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.168.1.0/24   0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.168.1.184    0.0.0.0/0      n/a
    0     0 REJECT all  l- 0xFF 0x00 eth0 0.0.0.0/0        127.0.0.0/8    n/a
    0     0 REJECT all  l- 0xFF 0x00 eth0 0.0.0.0/0        192.168.1.0/24 n/a
    0     0 REJECT tcp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 137
    0     0 REJECT tcp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 135
    0     0 REJECT udp  -- 0xFF 0x00 eth0
Re: [leaf-user] My Dachstein not quite up and running
This message is the output when I set it up to use a static external IP address.

Thanks for the help,
Chris

Leaf Distribution: dachstein-cd-v1.0.2

uname -a:
Linux Nimrod 2.2.19-3-LEAF-RAID #4 Sat Dec 1 17:27:59 CST 2001 i386 unknown

ip addr show:
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:0d:00:5c:e9 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:98:80 brd ff:ff:ff:ff:ff:ff
    inet 208.57.96.252/30 brd 208.57.96.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:47:01:a0:7a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

ip route show:
208.57.96.252/30 dev eth0 proto kernel scope link src 208.57.96.252
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254

lsmod:
Module            Pages  Used by
ip_masq_vdolive    1180  0 (unused)
ip_masq_user       3708  0 (unused)
ip_masq_raudio     2980  0 (unused)
ip_masq_portfw     2416  0 (unused)
ip_masq_mfw        3196  0 (unused)
ip_masq_ftp        3576  0 (unused)
ip_masq_autofw     2476  0 (unused)
rtl8139           10856  2
pci-scan           2300  0 [rtl8139]
isofs             17692  0
ide-cd            22672  0
cdrom             26712  0 [ide-cd]

ipchains -nvL:
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0        0.0.0.0/0      5 -> *
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0        0.0.0.0/0      13 -> *
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0        0.0.0.0/0      14 -> *
    0     0 DENY   all  l- 0xFF 0x00 eth0 0.0.0.0          0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 255.255.255.255  0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 127.0.0.0/8      0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 224.0.0.0/4      0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 10.0.0.0/8       0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 172.16.0.0/12    0.0.0.0/0      n/a
  110 14377 DENY   all  l- 0xFF 0x00 eth0 192.168.0.0/16   0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 0.0.0.0/8        0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 128.0.0.0/16     0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 191.255.0.0/16   0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.0.0.0/24     0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 240.0.0.0/4      0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.168.1.0/24   0.0.0.0/0      n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 208.57.96.252    0.0.0.0/0      n/a
    0     0 REJECT all  l- 0xFF 0x00 eth0 0.0.0.0/0        127.0.0.0/8    n/a
    0     0 REJECT all  l- 0xFF 0x00 eth0 0.0.0.0/0        192.168.1.0/24 n/a
    0     0 REJECT tcp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 137
    0     0 REJECT tcp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 135
    0     0 REJECT udp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 137
    0     0 REJECT udp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 135
    0     0 REJECT tcp  -- 0xFF 0x00 eth0 0.0.0.0/0        0.0.0.0/0      * -> 138:139
    0     0
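An added diagnostic for the two dumps above (example code of my own, not from this thread or the LEAF project): it reads "ip addr show" and "ipchains -nvL" text and reports, first, any two interfaces whose subnets overlap, which is the situation in the DHCP dump where both eth0 and eth1 sit on 192.168.1.0/24, and second, the DENY/REJECT rules whose packet counters are non-zero, which is where the 192.168.0.0/16 martian rule from the ipfilter.conf snippet earlier in the thread shows up. The sample text is constructed from the figures and column layout in the dumps.

```python
import ipaddress
import re

# Constructed sample modelled on the first "ip addr show" dump in this thread:
# eth0 took a DHCP lease from the ISP router on the same /24 as the LAN on eth1.
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.1.184/24 brd 192.168.1.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
"""

# Constructed sample of "ipchains -nvL" lines in the column order the dumps show:
# pkts bytes target prot opt tosa tosx ifname source destination ports
IPCHAINS_OUTPUT = """\
Chain input (policy DENY: 2 packets, 1152 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY all l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
256 27503 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
"""


def overlapping_interfaces(ip_addr_text):
    """Pairs (ifname_a, ifname_b, net_a, net_b) of interfaces whose IPv4 subnets
    overlap; a firewall's inside and outside interfaces must never share one."""
    nets = []
    for line in ip_addr_text.splitlines():
        m = re.match(r"\s*inet (\S+) .* (\S+)$", line)  # address/prefix ... ifname
        if m:
            nets.append((m.group(2), ipaddress.ip_interface(m.group(1)).network))
    return [(a, b, str(na), str(nb))
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def active_deny_rules(ipchains_text):
    """(pkts, ifname, source) for every DENY/REJECT rule with a non-zero packet
    counter: these are the rules actually eating the traffic that goes missing."""
    hits = []
    for line in ipchains_text.splitlines():
        f = line.split()
        # skip the "Chain ..." and column-header lines, which do not start with a count
        if len(f) >= 9 and f[0].isdigit() and f[2] in ("DENY", "REJECT") \
                and int(f[0]) > 0:
            hits.append((int(f[0]), f[7], f[8]))
    return hits
```

Run it against a live box by piping the real command output into the two functions; a non-empty result from either is the first thing to fix before touching the martian rules.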
Re: Fw: [leaf-user] Dachstein CD with Realtek 8139 NICs
Great! Thanks for the confirmation. I'm running into another issue though: when I run the unmount /mnt command after making changes to config files on the floppy I get the following msg:

Unmount: not found

Did I burn a bad copy of the CD or is there something I'm doing wrong?

Chris

At 06:48 AM 1/9/2003, you wrote:
Yes, here is what I have in my /etc/modules ...

! mount iso9660 /dev/hda
# Change the default directory, like this:
! dir /lib/modules/net
### Some ethernet cards
#3c509 irq=5
pci-scan
rtl8139
..
Re: Fw: [leaf-user] Umount, not UNmount, Duhhh!
Okay, I'm an idiot =) Thanks for all the answers received and all your patience with an obvious newbie!

Chris
Re: [leaf-user] Dachstein CD Question
Charles,

This typically happens if the booting process doesn't load the etc package (etc.lrp). There are many reasons for why this can happen, but I think the most likely would be the system is not finding the CD-ROM drive.

You were right, it found the CD drive fine, but the drive didn't support CD-R. Guess that's the problem when you try to use stuff that's really too old... Thanks for the help!

Chris
[leaf-user] Dachstein CD with Realtek 8139 NICs
Hi,

I'm trying to set up Dachstein to run with two NICs based on the Realtek 8139 chipset. I don't have much Linux experience, so I need simple and specific walk-through instructions. The most pressing question I have right now is: the disk that came with the NICs wanted me to compile a driver from the source code rtl8139.c, then copy it to /lib/modules/2.2.14-5.0/pcmcia, then edit the /etc/pcmcia/config file and the linuxconf. How do I do this? Or, is there an easier way to get around this?

Chris
Re: Fw: [leaf-user] Dachstein CD with Realtek 8139 NICs
Just checking, so all I have to do then is uncomment the pci-scan line and add another line that says rtl8139 and it should work?

Thanks,
Chris

At 03:49 PM 1/8/2003, you wrote:
You should not have to compile anything. The module is already on the CD. Just edit the file /etc/modules to declare your cards. I think it is something rtl8139 and maybe it also need pci-scan module too. I do not have access to my router here but if you need details, let me know and I will send you the sample. Hope that helps.