[Leaf-user] My New Dachstein LRP
Hello All,

I have been noticing some errors in my logs that look like:

  Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x T=128 (#12)

but I have no machine 192.168.159.129 on my subnet and am only using 192.168.1.x. What does this mean?

Cheers,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
The Basis Express Virtual Office
Data Backup and Recovery Services
URL: http://www.basis-express.com
The Virtual Office without boundaries!!!

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] New Dachstein Up and running, but
Hello All,

Could someone please tell me what some of these connections are:

  IP masquerading entries
  prot expire    source        destination      ports
  udp  4:27.27   192.168.1.12  141.217.16.10    3464 -> 53 (61036)
  udp  1:47.05   192.168.1.12  141.217.16.10    3452 -> 53 (61033)
  udp  1:26.98   192.168.1.2   141.217.1.15     44155 -> 53 (61026)
  tcp  224:13.85 192.168.1.2   141.217.17.10    143 -> 61670 (143)
  udp  4:19.25   192.168.1.12  141.217.16.10    3463 -> 53 (61035)
  tcp  232:44.85 192.168.1.12  216.136.226.118  3417 -> 5050 (61008)

The port 53 is DOMAINNAME, I think, and 143 is IMAP, right? Those should be there I think, but what about the others?

Cheers,
Lonnie
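The two messages above quote the two kinds of output a LEAF/LRP admin reads most: an ipchains "Packet log" DENY line and the "IP masquerading entries" table. The script below is an added example (it is not code from the thread, from LEAF or from ipchains) that parses both into structured records and flags the things a defender would check first on the denied packet: a source outside the configured local subnet, an RFC 1918 source that means a second subnet is present on the same wire, a destination that is a directed broadcast, and the udp/137 NetBIOS name-service pattern. The sample input is copied from the messages; 192.168.1.0/24 is the subnet Lonnie says he uses, and the port-name table is limited to the services this thread talks about.

```python
"""Structure ipchains 'Packet log' lines and 'IP masquerading entries' rows.

Added example, not code from the leaf-user thread or from LEAF.  It parses the
two kinds of output quoted above and flags what a firewall admin would look at
first.  The sample input is copied from the messages; 192.168.1.0/24 is the
subnet Lonnie says he uses.
"""
import ipaddress
import re

# Kernel log line produced by an ipchains rule with -l (syslog prefix allowed).
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?")
# One `ipchains -M -L` row: prot expire source destination sport -> dport (masqport).
MASQ_ROW_RE = re.compile(
    r"^(?P<prot>tcp|udp|icmp)\s+(?P<expire>[\d:.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<sport>\d+)\s*-+>?\s*(?P<dport>\d+)\s+\((?P<mport>\d+)\)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}
# IANA names for the ports this thread talks about.
PORT_NAMES = {53: "domain", 111: "sunrpc", 137: "netbios-ns", 138: "netbios-dgm",
              139: "netbios-ssn", 143: "imap", 443: "https", 445: "microsoft-ds",
              1723: "pptp", 2049: "nfs"}

# Constructed sample input, copied from the two messages above.
SAMPLE_LOG = ("Mar 8 00:33:44 a904j637 kernel: Packet log: input DENY eth0 PROTO=17 "
              "192.168.159.129:137 192.168.159.255:137 L=96 S=0x00 I=13824 F=0x T=128 (#12)")
SAMPLE_TABLE = """\
IP masquerading entries
prot expire    source        destination      ports
udp  4:27.27   192.168.1.12  141.217.16.10    3464 -> 53 (61036)
udp  1:47.05   192.168.1.12  141.217.16.10    3452 -> 53 (61033)
udp  1:26.98   192.168.1.2   141.217.1.15     44155 -> 53 (61026)
tcp  224:13.85 192.168.1.2   141.217.17.10    143 -> 61670 (143)
udp  4:19.25   192.168.1.12  141.217.16.10    3463 -> 53 (61035)
tcp  232:44.85 192.168.1.12  216.136.226.118  3417 -> 5050 (61008)
"""

def parse_packet_log(line):
    """Pull the fields out of one ipchains packet-log line into a dict."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line: %r" % line)
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "ttl", "rule"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def explain_denied(entry, local_net):
    """Observations a defender would make about one denied packet."""
    net = ipaddress.ip_network(local_net)
    src, dst = ipaddress.ip_address(entry["src"]), ipaddress.ip_address(entry["dst"])
    proto = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
    notes = ["%s to port %d (%s) denied on %s by rule %s" % (
        proto, entry["dport"], PORT_NAMES.get(entry["dport"], "unassigned"),
        entry["iface"], entry["rule"])]
    if src not in net:
        notes.append("source %s is not inside the local subnet %s" % (src, net))
        if src.is_private:
            # RFC 1918 space is not routed across the Internet, so a foreign private
            # source seen on the inside interface means a second subnet shares that wire.
            notes.append("source is RFC 1918: another subnet is present on %s" % entry["iface"])
    # Assume a /24 around the source; a .255 destination is then its directed broadcast.
    guess = ipaddress.ip_network("%s/24" % src, strict=False)
    if dst == guess.broadcast_address:
        notes.append("destination %s is the broadcast address of %s" % (dst, guess))
    if entry["proto"] == 17 and entry["dport"] == 137 and entry["ttl"] == 128:
        # 128 is the undecremented default TTL of Windows hosts: no router in between.
        notes.append("udp/137 with TTL 128: NetBIOS name query broadcast by a Windows "
                     "host on the attached segment")
    return notes

def parse_masq_table(text):
    """Parse the masquerade table into dicts, naming the well-known side of each."""
    rows = []
    for line in text.splitlines():
        m = MASQ_ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "mport"):
                d[k] = int(d[k])
            # Destination port first, then source port (a forwarded server's reply).
            d["service"] = PORT_NAMES.get(d["dport"]) or PORT_NAMES.get(d["sport"]) or "unknown"
            rows.append(d)
    return rows

def summarize_masq(rows):
    """Count entries per (internal host, service) so unknown services stand out."""
    summary = {}
    for r in rows:
        key = (r["src"], r["service"])
        summary[key] = summary.get(key, 0) + 1
    return summary

if __name__ == "__main__":
    for note in explain_denied(parse_packet_log(SAMPLE_LOG), "192.168.1.0/24"):
        print(note)
    for (host, service), n in sorted(summarize_masq(parse_masq_table(SAMPLE_TABLE)).items()):
        print("%-14s %-12s %d" % (host, service, n))
```

Run against the DENY line it reports that the source is outside 192.168.1.0/24, that the destination is the broadcast address of 192.168.159.0/24, and that udp/137 with an undecremented TTL is a NetBIOS name query from a Windows host on the same segment; for the masquerade table it groups the DNS lookups per host and leaves the tcp/5050 entry marked unknown for the admin to follow up.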
Re: [Leaf-user] forwarding Protocal 47(gre) on Eigerstein LRP
Thanks Scott,

I think that I will now proceed to upgrade my old EigerStein LRP to the newer Dachstein one. Could you please tell me about this EchoWall?

Thanks again for being a REAL help.

cheers,
Lonnie

> Lonnie, Boyd:
>
> Ah, serendipity. :) One email, two answers...
>
> To get a PPTP-based VPN client working from behind a LEAF/LRP disk, you need to do four things (none of which is to search the email archives, though that works too ;):
>
> 1. Be sure to be using a VPN enabled kernel. Dachstein has this by default. Earlier stuff, including 2.9.8, doesn't. See Charles' page for the kernels. If you install a new one, *always* install with it the associated modules.
> 2. Load the PPTP masq module: uncomment its line in /etc/modules, backup, reboot.
> 3. Goof the firewall rules to allow protocol 47 and port 1723 in.
> 4. Use the ipfwd utility (ships by default) to forward the GRE (protocol 47) packets across the firewall.
>
> As you'd expect, steps 3 & 4 are done for you automagically using the echoWall package.
>
> Hope this helps!
>
> -Scott
>
> On Sun, 3 Mar 2002, Lonnie Cumberland wrote:
>
> > Hello,
> >
> > Could you please tell me how to port forward this protocol 47 on my Eigerstein LRP box? I know how to forward regular ports coming in to a server behind the firewall, but I do not know about this protocol 47 (gre).
> >
> > Thanks,
> > Lonnie
Re: [Leaf-user] forwarding Protocal 47(gre) on Eigerstein LRP
Sorry for the dumb question Scott, but is Echowall an LRP package that is either added to, or already on, the Dachstein CDROM? Or is it a complete separate LRP Firewall distro?

I guess that I have not been keeping up much since I have been using the Eigerstein LRP version which was very easy to get set up for masquerading and the like.

Thanks again,
Lonnie

> Lonnie:
>
> You can best find echoWall on freshmeat.net. The blurb there is fairly accurate. :)
>
> http://freshmeat.net/projects/echowall/
>
> cheers,
> Scott
>
> On Mon, 4 Mar 2002, Lonnie Cumberland wrote:
>
> > Thanks Scott,
> >
> > I think that I will now proceed to upgrade my old EigerStein LRP to the newer Dachstein one. Could you please tell me about this EchoWall?
> >
> > Thanks again for being a REAL help.
> >
> > cheers,
> > Lonnie
[Leaf-user] My Mistake, but?
Oops!!! Sorry for the last email. I just found out that Echowall is an LRP package that is added to Dachstein. I guess that I will have to add it to the boot floppy when I use the CDROM version.

Actually, I am wondering if it would be easy to put the Dachstein CDROM LRP onto a small hard disk partition and have it boot from there. That is how I actually had the Eigerstein running and it was very easy to maintain.

Cheers,
Lonnie

> Lonnie:
>
> You can best find echoWall on freshmeat.net. The blurb there is fairly accurate. :)
>
> http://freshmeat.net/projects/echowall/
>
> cheers,
> Scott
Re: [Leaf-user] Samba across Eigerstein LRP
Actually you are VERY right and I am now really looking into a VPN solution.

Thanks for the advice.

Lonnie

> Yeech, you seem to want to broadcast all that NetBIOS stuff into the WAN connection that we're all spending years trying to block :(
>
> First, I will warn you opening those ports on your firewall with any OS (particularly the Win9x/ME group) is pretty much like using a piece of cardboard to stop a tank. Opening up ssh/sftp or IPSec would be _highly_ recommended over doing NetBIOS.
>
> In fact, I am not sure that this would work at all w/o VPN because of the name resolution and MAC addressing. I wouldn't suggest WINS here at all, but you may come up with something possibly with a hosts or lmhosts file(s) on both computers. WINS addressing and DNS are similar, yet worlds apart in reality which makes me think that this would be very difficult to accomplish regardless of what you do to the firewall.
>
> In my experience, I would either do ftp w/address filtering (and permissions), VPN, or ssh/sftp with the emphasis on the latter two.
>
> --
> ~Lynn Avants
> aka Guitarlynn
> guitarlynn at users.sourceforge.net
> http://leaf.sourceforge.net
>
> If linux isn't the answer, you've probably got the wrong question!
[Leaf-user] Samba across Eigerstein LRP
Hello All,

I have been having some trouble to be able to use Samba across my LRP. Has anyone had luck with this?

I have port-forwarded netbios-ns, netbios-dgm, netbios-ssn ports on tcp/udp 137,138,139 but still I cannot connect to my Samba server which is on a Linux Redhat 7.2 box from outside the firewall. I can connect while I am inside the firewall from my Windows ME machine with no problems.

Is there some way to fix this?

Best Regards,
Lonnie
Re: [Leaf-user] Samba across Eigerstein LRP
Hi Jonathan,

I think that it can be made into a WINS server by modifying a few of the settings in the smb.conf file, but will I need to change my LRP more? I am running the Eigerstein LRP and have had VERY good luck in the past with these masquerading firewalls that Charles has put together.

PS) Great Job Charles on the LRP!!!

cheers,
Lonnie

> Hi Lonnie,
>
> Since you already have a Samba server running, you can tell it to act as the WINS server also, which will allow Windows machines to see each other across subnets. What kind of firewall is it? Do you use IP Masq? There is a bit of debate as to whether or not a WINS server is necessary, but it will make it work.
>
> - Jon
Re: [Leaf-user] Samba across Eigerstein LRP
Hi Scott,

So you can now have Windows client connections from outside the LRP to your Samba server inside the Firewall? Is it working for you?

Also, what is on port 445? I do not know that one.

Cheers,
Lonnie

> Lonnie:
>
> Heya. Here's what I put into the SMB section of the echowall ruleset:
>
>   #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 135 -p tcp -j ACCEPT
>   #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 137:139 -p udp -j ACCEPT
>   #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 139 -p tcp -j ACCEPT
>   #SMB#$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 445 -p tcp -j ACCEPT
>
> I'm not sure if all of them are needed for every SAMBA session, but I'd be hesitant to leave any out...
>
> cheers,
> Scott
Re: [Leaf-user] Samba across Eigerstein LRP
Hi Scott,

Where in the ipfilters.conf did you put these? I could not locate a specific area that had already been set up for SMB.

cheers,
Lonnie

> Lonnie:
>
> Heya. Here's what I put into the SMB section of the echowall ruleset:
>
> cheers,
> Scott
Re: [Leaf-user] Samba across Eigerstein LRP
Well, no luck so far. I added the rules to the bottom of my /etc/ipfilters.conf and rebooted the LRP. While trying to connect from an outside Linux machine I get:

  smbclient -L www.outstep.com

but then get a connection timed out on 141.217.140.65:139.

I have also added these in my port-forward section -

  # This is the Samba Netbios-ns
  $IPMASQADM portfw -a -P tcp -L $EXTERN_IP netbios-ns -R 192.168.1.7 netbios-ns
  $IPMASQADM portfw -a -P udp -L $EXTERN_IP netbios-ns -R 192.168.1.7 netbios-ns
  echo Added Netbios-ns Port -- Samba Service

  # This is the Samba Netbios-dgm
  $IPMASQADM portfw -a -P tcp -L $EXTERN_IP netbios-dgm -R 192.168.1.7 netbios-dgm
  $IPMASQADM portfw -a -P udp -L $EXTERN_IP netbios-dgm -R 192.168.1.7 netbios-dgm
  echo Added Netbios-dgm Port -- Samba Service

  # This is the Samba Netbios-ssn
  $IPMASQADM portfw -a -P tcp -L $EXTERN_IP netbios-ssn -R 192.168.1.7 netbios-ssn
  $IPMASQADM portfw -a -P udp -L $EXTERN_IP netbios-ssn -R 192.168.1.7 netbios-ssn
  echo Added Netbios-ssn Port -- Samba Service

The 192.168.1.7 is my Linux Samba server that I can connect to from the other machines currently behind the Firewall.

cheers,
Lonnie

> Lonnie:
>
> Hello! Yes, that's the idea. No, I've not tested it. Perhaps you can?
>
> Port-445 is Microsoft Domain Service, I believe. I saw it once in a tech-support document on their site.
>
> -Scott
[Leaf-user] VPN idea
Hello All,

I had asked a question about mapping NFS through the firewall some time ago and agree that it was not a good idea, but recently the idea of setting up a VPN started to make sense to me regarding this problem.

If I were to set up a VPN between 2 machines, the LRP I would guess and the outside client, then the client on the VPN should act as though it is really behind the firewall. Wouldn't that then allow me to use NFS to connect to the client machine from the server which is inside the real firewall protection?

cheers,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
[Leaf-user] https port 443 problems
Hello All,

I have gotten my Eigerstein LRP firewall up and running better these days, but cannot seem to connect to my secure web server behind the firewall even though port 443 is being forwarded through the LRP just fine.

Does someone know what might be going on here and how I might be able to fix it?

Thanks,
Lonnie
Re: [Leaf-user] https port 443 problems
Hello,

Thanks all for the response to this email chain.

Well, you see I am just not getting any response when I try to connect with a client outside of the LRP and the connection just times out, and the rule that I have in place is:

  $IPMASQADM portfw -a -P tcp -L $EXTERN_IP https -R 192.168.1.2 https

If I try to connect to https://192.168.1.2 from my client inside the firewall at 192.168.1.12 then I can connect just fine. It is only when I try to connect from a client outside the firewall that everything seems to time out.

I have also adjusted the VirtualHost settings for my Apache SSL configuration which is running on Mandrake Linux 8.1.

Cheers,
Lonnie

> At 03:11 PM 2/9/02 -0500, Lonnie Cumberland wrote:
>
> > I have gotten my Eigerstein LRP firewall up and running better these days, but cannot seem to connect to my secure web server behind the firewall even though port 443 is being forwarded through the LRP just fine.
>
> Well ... if they are being forwarded through the LEAF router, can we assume they are arriving at the https server? Or do you just mean that the LEAF router is *supposed* to be forwarding the port?
>
> If they are reaching the https server, what can you tell us about it? What OS? What https server software? What do its logs report about the attempted connection? And what does the browser tell you about the failures? Surely you get more feedback from it than "cannot seem to connect" conveys to us.
>
> I've run SSL behind a NAT'ing firewall before (though I haven't done it in some time, and not here), so I know it can be done in principle. As usual, troubleshooting requires details.
>
> -- "Never tell me the odds!" -- Han Solo
> Ray Olszewski
> Palo Alto, CA
> [EMAIL PROTECTED]
Re: [Leaf-user] multiple web DNS on LRP
Hi There,

No actually I really think that it is an LRP problem because the IP is being port-forwarded to the actual web server and thus the name information is being lost. From what I can tell about the Virtual hosting, if the Apache web server resolves and redirects based upon the name then it should work.

My thought now is that maybe I need to install a web server onto my LRP that can support virtual hosts.

cheers and thanks for the help,
Lonnie

> it sounds like you have an apache issue. try http://httpd.apache.org/docs/vhosts/index.html for help with virtual hosts with apache.
>
> HTH,
> brett
>
> --- Lonnie Cumberland [EMAIL PROTECTED] wrote:
>
> > Hello All,
> >
> > How are you doing today? Good I hope. I have another small problem that I hope someone might have an answer for. The problem is this.
> >
> > I have 2 (real) DNS names that are pointing to the same (real) IP. I then have my LRP firewall and some servers behind it on a masquerade setup. From what I can find out, with Virtual hosting on my Apache webserver machine, I am supposed to be able to have 2 different DNS entries like www.test1.com and www.test2.com point to the same IP, 1.2.3.4 and the web server will bring up the correct pages based upon the name that the user was trying to reach.
> >
> > Currently when a user comes to my IP, the LRP port-forwards to my masqd machine web server. How can I handle these 2 DNS entries with my LRP and still only have one IP?
> >
> > All help would be greatly appreciated.
> >
> > Lonnie
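The virtual-host question above turns on where the site name lives. An ipmasqadm port-forward rewrites the IP header, not the HTTP payload, and the name the user typed travels inside the request as the Host header, so the web server behind the firewall still receives it. The function below is an added example (not code from the thread or from Apache) that performs the name-based selection a server does: it reads the Host header, honours an absolute request URI over it, strips a trailing :port, and falls back to a default vhost for HTTP/1.0 clients that send no Host at all. The host names are the placeholders from Lonnie's message; the document roots are constructed.

```python
"""Pick a name-based virtual host from an HTTP request.

Added example, not from the thread or from Apache.  It shows why a NAT
port-forward does not lose the site name: the name the user typed travels
inside the request as the Host header (or an absolute request URI), so the
web server behind the firewall still sees it.  The host names are the
placeholders from Lonnie's message; the document roots are constructed.
"""
from typing import Dict, Optional, Tuple

# Constructed vhost table: server name -> document root.
VHOSTS: Dict[str, str] = {
    "www.test1.com": "/var/www/test1",
    "www.test2.com": "/var/www/test2",
}
# Apache serves the first listed vhost when nothing matches; mirror that explicitly.
DEFAULT_VHOST = "www.test1.com"


def request_host(raw: bytes) -> Optional[str]:
    """Return the host the client asked for, or None for a Host-less HTTP/1.0 request.

    Looks in the two places the name can appear, an absolute URI on the request
    line (proxies send these) and the Host header, and strips an optional :port.
    """
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    target = parts[1]
    host = None
    if target.lower().startswith(("http://", "https://")):
        # Absolute-form target takes precedence over the Host header (RFC 7230, 5.4).
        host = target.split("/", 3)[2]
    else:
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
                break
    if host is None:
        return None
    if ":" in host and not host.endswith("]"):   # drop :port, keep a bare IPv6 literal
        host = host.rsplit(":", 1)[0]
    return host.lower()


def select_vhost(raw: bytes) -> Tuple[str, str]:
    """Map a request to (server name, document root), falling back to the default."""
    host = request_host(raw)
    name = host if host in VHOSTS else DEFAULT_VHOST
    return name, VHOSTS[name]


if __name__ == "__main__":
    print(select_vhost(b"GET / HTTP/1.1\r\nHost: WWW.TEST2.COM:80\r\n\r\n"))
```

The same dispatch happens whether the TCP connection arrived directly or through the LRP's port-forward. One caveat for the https thread above: over TLS the Host header is encrypted until the handshake has finished, so choosing a certificate per name needs SNI, which is a separate mechanism from the HTTP-level selection shown here.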
Re: [Leaf-user] multiple web DNS on LRP
Thanks Lee for taking the time to explain this to me. It clears up a lot of my confusion about the basic process. Sorry if it was off-topic but I had originally thought that it had to do with the LRP port-forwarding process.

Thanks again,
Lonnie
Re: [Leaf-user] Re: NFS mounting through Firewall
Hello All,

While looking around on the net I came across this NFS via SSH that you might be interested in taking a look at.

http://www.math.ualberta.ca/imaging/snfs/

Cheers,
Lonnie

> Would NFS tunneled through SSH be acceptable?
>
> dbc.
>
> On Tue, 29 Jan 2002, Lonnie Cumberland wrote:
>
> > Hi Nicolas,
> >
> > I think that after much thought that I will opt to try to explain to them the security problems of using NFS over the firewall and try to use another solution instead.
> >
> > Thanks for all of the help to you and everyone on the list who always seems to try to answer most of my seemingly dumb questions.
> >
> > Cheers,
> > Lonnie
> >
> > > Hi Lonnie!
> > >
> > > > Actually we are still a small company and this particular job is for some friends, a research group at the university who has recently had problems, who will not listen to reason about the problems of port-forwarding services like NFS. With that in mind, I told them that I would help get them as secure as possible given their specific requirements.
> > >
> > > Sorry, that's what I realized when I rethought about this (ie that it must have been something not internal to your company...). BTW, I hope these people are not in CS...
> > >
> > > > Like many people in the academic arena, it will take getting hacked and attacked a few times before they realize that they should have listened to more well informed people in the past, like me, who has tried very hard to get them out of the current mentality of patch-work until the next problem.
> > >
> > > If these weren't your friends I would almost be tempted to suggest that you get this in writing that they prefer that solution over a more secure one (after being informed of the security implications) (Some good ol' CUA...)
> > >
> > > > So, being this, I will simply try to make the best out of what they have and will let get done.
> > >
> > > The problem seems to be that NFS doesn't seem to be very firewall friendly...
> > >
> > > > These guys will learn with time I am sure.
> > >
> > > For their sake I hope so... (and before they get seriously hacked)
> > >
> > > > After making some changes to the firewall and setting up the port-forwarding for sunrpc and nfs on udp packets, I am no longer getting an RPC time out but now just:
> > > >
> > > >   mount: RPC: Unable to receive; errno = Connection refused
> > >
> > > This might seem like a dumb question (and sorry if you mentioned the answer to this one before, I couldn't find it) but were they communicating with each other before the firewall was installed? Anything in the logs?
> > >
> > > I haven't played with NFS recently but if I had that message I think I would check if I got the appropriate/relevant entries in hosts.allow & hosts.deny (ie lines for portmap, lockd, mountd, rquotad & statd).
> > >
> > > [The text at the following URL might be useful in getting this right: http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2001%2Fs1206%2F48s06web%2F48s06web%2Easp] (Sorry, this might be too long for the mailing list, you'll probably have to cut & paste it...)
> > >
> > > > on the client machine when I try to mount the directory. The client can be seen on the DNS as well as the server has the client IP in its hosts file.
> > >
> > > I assumed here that you meant the hosts files and not the hosts.allow & hosts.deny file, sorry if that was not the case...
> > >
> > > > Any ideas from here?
> > >
> > > BTW, did you try opening the ports mentioned in the messages I posted? Apparently it's not easy getting them right but I do believe one of the messages actually mentioned a way of finding them out (rpcinfo -p or rpcinfo -p localhost).
> > >
> > > I did see a mention at the following URL http://www.io.com/help/linux/NFS-HOWTO-5.html (NFS and firewalls) that it might be possible to change the ports used by NFS to some specific ports but how this is done I unfortunately don't know (sorry...).
> > >
> > > Have a nice day & good luck!
> > >
> > > Nick
Re: [Leaf-user] NFS mounting through Firewall
Hello Ray,

Actually because of the nature of our setup here, we have 2 machines that need to allow for nfs mounting and although my personal thoughts are that they too should be behind the firewall completely, unfortunately I do not get the last word in this.

Opening port 2049 means that I have added this rule to the ipfilter.conf file.

  $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049

That is strange because the information that I was seeing from nmap suggested that the nfs port was udp and on 2049 although I might be wrong.

I actually do, from the client

  mount 1.2.3.4:/testdir /test

and after about 3 - 4 minutes I get:

  mount: RPC: Timed out

Does this help to clear things up? Do I also need to open udp/tcp port 111?

Cheers,
Lonnie

> I haven't actually tried doing this, so I'm guessing a bit here (despite your fairly complete report this time) ... but the rpc portmapper will need to communicate to do the NFS mount. It listens on port 111 (TCP, I think). Your firewall probably blocks port 111 coming in and surely doesn't port-forward it to your inside NFS server.
>
> Then, I'm not sure what "opened a udp port 2049" means, exactly. Since this is an outside machine coming in, you'll need both to open and to port-forward it.
>
> Finally, how long is "a long time"? If about 3 minutes, check once again for a DNS problem ... is the remote mount command using the right FQDN for your changed setup?
>
> Aside from that ... have you thought through the security implications of this setup? I haven't, but it feels risky to me.
>
> At 07:36 PM 1/28/02 -0500, Lonnie Cumberland wrote:
>
> > Hello All,
> >
> > I have been trying, with no luck so far, to mount a directory from a machine that I have behind the Eigerstein LRP to a client machine outside the firewall.
> >
> > I have opened a udp port 2049 which is supposed to be for nfs, but still I cannot seem to mount the server directory even though I can mount the server directory to other machines that are also inside the firewall.
> >
> > When I issue the mount command on the external client it just times out after a long time.
> >
> > Does anyone have some idea? I would give more specific details, but I am not getting any information from the logs or on the command prompt.
Re: [Leaf-user] NFS mounting through Firewall
Thanks Ray,

If I can find a solution then I will post it so that others can see what I had to do.

Thanks again,
Lonnie

> The NFS port is 2049. The rpc.portmapper port is 111, and it is involved in NFS mounts. I really don't know the details of how this should work through a firewall (unlike you, I *do* get the last word here, and we wouldn't even try this), but the "RPC" in your failure message is probably the failed Remote Procedure Call to the portmapper. (I assume the 1.2.3.4 part of what you posted is fake and you are using the correct real IP address.)
>
> I'm sorry I can't help you more specifically than this. You're probably going to have to experiment a bit to get this working right, and once you do, it may be worth your posting the details here, since I haven't ever seen this question posed before.
>
> At 08:39 PM 1/28/02 -0500, Lonnie Cumberland wrote:
>
> > [old stuff deleted]
[Leaf-user] Re: NFS mounting through Firewall
Hello Nicolas,

Actually we are still a small company and this particular job is for some friends, a research group at the university who has recently had problems, who will not listen to reason about the problems of port-forwarding services like NFS. With that in mind, I told them that I would help get them as secure as possible given their specific requirements.

Like many people in the academic arena, it will take getting hacked and attacked a few times before they realize that they should have listened to more well informed people in the past, like me, who has tried very hard to get them out of the current mentality of patch-work until the next problem. So, being this, I will simply try to make the best out of what they have and will let get done.

Surprisingly, I have put in a few other EigerStein LRP firewalls around here and those departments and groups completely, and I must say easily, decided to go for the better protection schemes which I had initially suggested. These guys will learn with time I am sure.

Best Regards,
Cheers,
Lonnie

Nicolas Riendeau wrote:

>> Hello All, I have been trying, with no luck so far to mount a directory from a machine that I have behind the Eigerstein LRP to a client machine outside the firewall.
>
> Considering that, AFAIK, NFS has a very bad reputation security-wise I kinda think that this is a very bad idea (TM) (-; but if you still want to do it I think reading the following messages
>
> http://www.geocrawler.com/archives/3/90/1999/2/0/350356/
> and
> http://www.esker.fr/itspublic/Documents/2804044B.htm
>
> might be useful to you. Apparently (as far as I'm concerned fortunately) NFS doesn't appear to be very firewall friendly (It's apparently the port mapper which listens at port 111 tcp and udp (apparently, BTW, the name of this service is sunrpc/portmap) which hands out the port addresses which will be used...)
>
>> I have opened a udp port 2049 which is supposed to be for nfs, but still I cannot seem to mount the server directory even though I can mount the server directory to other machines that are also inside the firewall.
>
> According to the list of well known port numbers (http://www.iana.org/assignments/port-numbers), and to the messages I posted the URL to previously you would have to open this in udp also (and as I believe Ray suggested probably to port forward them too...) BTW, I do believe that they are usually opened by default...
>
>> Actually because of the nature of our setup here, we have 2 machines that need to allow for nfs mounting and although my personal thoughts are that they too should be behind the firewall completely, unfortunately I do not get the last word in this.
>
> (-; (-; (-; If the President/CEO doesn't get the last word on this, who does? (I confess, I paid a visit to your website... (rackmounted servers/firewall, nice... (-; ). (-; (-; (-;
>
> Couldn't you establish a VPN tunnel between them instead, wouldn't that work better and be more secure?
>
>> Opening port 2049 means that I have added this rule to the ipfilter.conf file.
>>
>>     $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049
>
> BTW, this is probably a typo that got there when you retyped that line but you've got port 2040 (instead of 2049) on the extern interface...
>
> If you do open these ports I would highly suggest that you open them only for the IP addresses of the other pc/server as some of these ports (especially 111) are regularly probed by people wanting to get into your pc...
>
> Good luck!
>
> Nicolas Riendeau
>
> PS: Please forgive my English as it is not my mother tongue. Thanks!

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
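The two points Nicolas raises in this thread, the 2040/2049 typo in the portfw line and opening 111/2049 only to the one client that needs them, can both be checked mechanically. The script below is an added example written for this page, not code from the thread or from the LEAF/Eigerstein project; it assumes the $IPMASQADM and $EXTERN_IP variable names from the posted rule and an ipchains input chain with a default DENY, and the config fragment and addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from LEAF/Eigerstein): lint the portfw
# lines of an Eigerstein-style ipfilter.conf for the two problems raised above,
# an external/internal port mismatch (2040 vs 2049) and NFS forwarded without
# the portmapper (udp/111) that mount contacts first. $IPMASQADM and $EXTERN_IP
# are the variable names from the posted rule; the sample config is constructed.

# Constructed ipfilter.conf fragment reproducing the posted rule plus one clean entry.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real Eigerstein ipfilter.conf
$IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 443 -R 192.168.1.20 443
EOF
}

# stdin: ipfilter.conf; stdout: "proto extport intport" for every portfw line.
# Layout: $IPMASQADM portfw -a -P <proto> -L <extaddr> <extport> -R <intaddr> <intport>
portfw_triples() {
    awk '$2 == "portfw" && $3 == "-a" {
            for (i = 4; i <= NF; i++) {
                if ($i == "-P") proto = $(i + 1)
                if ($i == "-L") eport = $(i + 2)
                if ($i == "-R") iport = $(i + 2)
            }
            print proto, eport, iport
         }'
}

# stdin: ipfilter.conf; stdout: one finding per line, nothing when clean.
lint_portfw() {
    portfw_triples | awk '
        $2 != $3 { printf "mismatch: %s external port %s forwards to internal port %s\n", $1, $2, $3 }
        { seen[$1 ":" $3] = 1 }
        END {
            if (("udp:2049" in seen) && !("udp:111" in seen))
                print "nfs forwarded without udp/111 (portmapper): mount will fail with RPC errors"
        }'
}

# Accept the two NFS ports from one client address only, as Nicolas suggests,
# instead of opening them to everyone. Assumes an ipchains input chain with a
# default DENY; these rules must be inserted ahead of that default.
emit_client_rules() {
    client=$1
    extern=$2
    for port in 111 2049; do
        echo "ipchains -A input -p udp -s $client -d $extern $port -j ACCEPT"
    done
}

# Stand-alone run against the constructed sample (192.0.2.1 is a documentation address).
sample_config | lint_portfw
emit_client_rules 1.2.3.4 192.0.2.1
```

Run it against the real ipfilter.conf with `lint_portfw < /etc/ipfilter.conf`; an empty result means every portfw line forwards to the same port it listens on and NFS is not forwarded without its portmapper.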
[Leaf-user] Re: NFS mounting through Firewall
Hello Again

After making some changes to the firewall and setting up the port-forwarding for sunrpc and nfs on udp packets, I am no longer getting an RPC time out but now just:

    mount: RPC: Unable to receive; errno = Connection refused

on the client machine when I try to mount the directory. The client can be seen on the DNS as well as the server has the client IP in its hosts file.

Any ideas from here?

Cheers,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
Re: [Leaf-user] NFS hanging up
Thanks for the info, the problem turned out to be the DNS, but it is all better now.

cheers,
Lonnie

Ray Olszewski wrote:

> Lonnie -- "it just seems to hang" is a bit too imprecise to make a good starting point. So I'll just take a wild shot at it -- might you have left in /etc/exports an entry for a hostname or IP address that is now unresolvable? If so, that would introduce a 3-minute delay at the point where you say the system hangs.
>
> More generally, do the Mandrake systems *ever* resume init'ing? Operationally, "ever" means wait about 5 minutes before deciding that they are completely blocked. Then see if a ^C will cause boot/init to resume. If you can get the boot/init sequence to complete, do the logs report anything interesting?
>
> Whatever is going on, your LEAF router is extremely unlikely to be involved (unless you need access to an off-LAN nameserver that you now cannot reach, or unless you were exporting to off-LAN hosts).
>
> --
> Never tell me the odds!  --- Han Solo
> Ray Olszewski
> Palo Alto, CA [EMAIL PROTECTED]

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
[Leaf-user] FreeSCO firewall and Eigerstein LRP
Hello All,

I came across another firewall called FreeSCO, not to be confused with the OS, which is built from Linux as well and was wondering if anyone had any experience with it?

Actually I was just trying to find out a comparison between it and the Eigerstein LRP.

cheers,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
Re: [Leaf-user] FreeSCO firewall and Eigerstein LRP
Thanks for the info!!! It was very helpful...

cheers,
Lonnie

Lynn Avants wrote:

> On Sunday 27 January 2002 19:34, Lonnie Cumberland wrote:
>
>> Hello All, I came across another firewall called FreeSCO, not to be confused with the OS, which is built from Linux as well and was wondering if anyone had any experience with it? Actually I was just trying to find out a comparison between it and the Eigerstein LRP.
>
> For my IMHO, look at http://www.geocities.com/guitarlynn/lrp.html
>
> --
> ~Lynn Avants
> aka Guitarlynn
> guitarlynn at users.sourceforge.net
> http://leaf.sourceforge.net
>
> If linux isn't the answer, you've probably got the wrong question!

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
[Leaf-user] Secure Apache Server Question
Hello All,

it seems that my firewall is now almost working the way that we want, but we are having a little trouble getting the Apache SSL secure web server to work even though we have set up a port forward for port 443 which is supposed to be for the secure connection I think.

Does anyone have any ideas?

The secured SSL Apache web server was working just fine before we placed it behind the firewall, just to let you know.

Cheers,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
[Leaf-user] NFS hanging up
Hello All,

I have just installed an EigerStein LRP firewall and it seems to be working good, but I have 6 machines which were NFS mounting and exporting various directories before I put them behind the firewall so that they could cross communicate. They worked just fine at that time with the NFS.

I then put them behind the EigerStein LRP firewall and changed all of their /etc/hosts files to reflect the new IPs on each machine and so that each machine could look up the name of the other machine from their hosts file.

The problem now is that when the NFS daemon is started on each machine, it just seems to hang after reporting "Starting the NFS daemon".

My OS on these machines is Linux Mandrake 8.1.

does anyone have any idea as to what is happening here and how I might be able to fix it?

All help would be greatly appreciated,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
Re: [Leaf-user] Proxy-ARP Script Problems
Hello Charles,

I will be able to send you the "network.conf" and "ipfilter.conf" tomorrow. As they are large, I will send them directly to you, ok.

Now then the test network that I had set up looked like this:

                  INTERNET
                     |
              Gate (146.9.31.1)
                     |
            Class "C" (146.9.31.x)
                     |
    146.9.31.19 -- | LRP | -- 146.9.31.19
                                 |
                            146.9.31.56 (gate 146.9.31.1)
                            | Test PC |

With this basic setup I would have thought that I should be able to complete the connection although it only seems to resolve the names if I try to run Netscape. I can also PING from the LRP to the "Test PC" but I cannot PING from the "Test PC" to anywhere.

cheers,
Lonnie

Charles Steinkuehler wrote:

> Please use reply-all to keep the leaf-user list in the thread...
>
>> I had put the IP of the external machines in the DMZ_EXT_ADDRS, but not in the ethext_ROUTES. I will go and do that now.
>>
>> The only last problem seems to be as I have described in my last email to you.
>>
>> If I start up Netscape, for example, from a server in the DMZ and try to connect to a URL, www.yahoo.com for example, then it seems that netscape will resolve the address into its IP and then just say "connecting to x.x.x.x", but never actually connect.
>>
>> This same thing happens if I try to PING some address on the Internet to test my being able to connect to the server in the DMZ.
>>
>> any ideas as to why things are not connecting?
>
> Not without any more details... you are resolving names, which means you've got some sort of network connectivity (or cached data). It could be something as simple as letting the arp caches timeout on your network (or manually flushing them), or there could be something wrong with your configuration (either in LRP, the systems you're trying to put in the DMZ, or both). You need to provide details of exactly how things are configured, and exactly how you're testing.
>
> Since you're trying to get DMZ systems running, in addition to the LRP configuration, we'll need information on how your DMZ system is configured as well. See the troubleshooting HOWTO (available at my support page) for details on how to get the config information from your LRP system to a floppy. Ideally, you can post the files online somewhere... if not, you can e-mail them directly to me. If there's not too much data, you can send them as plain text through the leaf-user list, just copied into the body of the message.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Proxy-ARP Script Problems
Hello All,

I have been trying for a long time now to get the Proxy-ARP set up but I cannot seem to get the scripts to work. In every case, I can easily configure eth0 to talk to the outside world, but then I cannot talk to the DMZ.

I have been using the EigerStein LRP and in the past have had no troubles setting up the Masquerading firewall.

I have been trying to set up:

    INTERNET (gate 146.9.31.1)
        |
    146.9.31.19 - |LRP| - 146.9.31.19
                             |
                           (DMZ) 146.9.31.x
                           |       |         |
                        Server  Server ... Server
                         (38)    (18)        N

Could some one please send me some scripts that they have which are working? I cannot seem to find the problem with mine.

Sincerely,
Lonnie

--
Lonnie Cumberland
OutStep Technologies Incorporated
TEL:(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
[Leaf-user] Re: [Leaf-user] EigerStein DMZ v1.1 Proxy ARP installation
Thanks everyone for the help and I will start trying to get things set up with all of this great information.

The only last thing is that my current LRP installations are the Eigerstein-Static versions that I have placed onto a small hard disk on the router so that I do not have to boot from a floppy. Which version do I need to get that contains these scripts? Is this the Eigerstein Beta or the CDROM version that I have heard about?

In any case, I want to also have it boot off of the small MSDOS hard disk just like my old faithful masquerading firewall does so I presume that I do not need any special re-compiled version, or do I?

Thanks for the help all,
Lonnie

Charles Steinkuehler wrote:

>> Actually I was also interested in only needing 2 ethernet cards as the scripts that I have seen seem to need 3.
>
> If all you want is the Proxy-arp DMZ, just ignore the internal network interface. Of course, if you only have 2 NIC's installed, you'll have to change a few things (DMZ is setup for eth2 by default, which you don't have). Off the top of my head:
>
> - Swap instances of eth1 and eth2 in network.conf (ie internal network=eth2, DMZ network=eth1)
> - Remove eth2 from the IF_AUTO list, so the scripts don't try to automatically configure it
>
> Everything *should* work... Of course, you'll have some firewall rules masquerading your (non-existent) internal network on eth2 to the internet, but the rules don't hurt anything (except burning a few CPU cycles, which you should have plenty of, even with a 486).
>
> Holler if you run into trouble with the above changes, or still have problems once you've altered the DMZ for eth1.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

--
Lonnie Cumberland
President/CEO
OutStep Technologies Incorporated
TEL:(313) 832-7366 FAX:(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]