[Leaf-user] MacIP/AppleTalkIP ?

2002-02-21 Thread Scott Sandeman-Allen

Does anyone have any experience routing/filtering/firewalling any of 
these protocols?

Any suggestions where a guy might find some documentation? Notes?

I did a search on Leaf and didn't find much.

Thanks,

Scott

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] SSH Problems with DMZ

2002-02-13 Thread Scott Sandeman-Allen

Hi, me again!

I have configured my Dachstein CD based router and parts are working 
quite fine. My web server can be seen from its dedicated public IP 
and from my masq. network. Unfortunately, I cannot ssh into the server 
via the public-ip router. This despite the fact I have enabled the 
port in the same places and the same way as with tcp:80.

A few days ago I could only get ssh running by having a separate port 
(222) forwarded to 22 on the server.

Off the top, here are some of the pertinent settings:

DMZ=YES

SSH & WWW open with EXTERN_TCP_PORTn=0/0 ssh public_IP/n etc.

INTERN_SERVERS=tcp_public_IP_ssh_dmz_IP_ssh

DMZ_OPEN_DEST=tcp_public_IP_ssh

(where public-ip is one of my static IPs from the ISP.)

I have been over the settings quite a few times and did find a couple 
of errors but still, no SSH. If I bypass the router, the systems link 
within seconds and it all works fine.

Any thoughts?

Thanks,

Scott




[Leaf-user] [DMZ w/Dachstein CD] Am I going nuts?!?

2002-02-11 Thread Scott Sandeman-Allen

Hi,

I've been trying to configure LEAF Dachstein CD to firewall 5 IP 
addresses. I have tried several configurations but cannot get the 
beast to work. I have changed the IPs and removed the comments to 
make it a shorter message... I hope those who may help are okay with 
this.

Here is what I have:
Router/firewall with 3 NICs.
Five (5) class C static IPs, i.e. 231.123.123.242:245
ISP Gateway 231.123.123.246
2 servers on DMZ
192.168.71.242 WWW & SSH
192.168.71.243 SSH (SQL for WWW)

What I'm trying to do is this:
DMZ the two servers
NAT to workstations on 192.168.70.0/24 (each w/static IP)

With the following configuration, I get an ipchains table which I 
have condensed and added below. I have removed the packet counts and 
the logging options except for the one '!y' in the forwarding 
section. When I test this and other configs, using
ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www

I get a deny, even though the chains list shows
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 80

I'm thinking the problem is a line lower down which states:

DENY all eth0 0/0 0/0 n/a

So, have I messed up and not set something right or am I just a 
loonie and should go back to some basket weaving... or is there a 
problem with a script (I tried to figure them out but I have a ways 
to go before I get into that).

Thanks in advance for any and all assistance!

Scott

--- begin "naked" /etc/network.conf ---


VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
IF_AUTO="eth0 eth1 eth2"
IF_LIST=$IF_AUTO
ALLIF_ACCEPT_REDIRECTS=YES
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=NO
BRG_EXEMPT_PROTOS=


eth0_IPADDR=231.123.123.241
eth0_MASKLEN=29
eth0_BROADCAST=+
eth0_DEFAULT_GW=231.123.123.241
eth0_IP_EXTRA_ADDRS="231.123.123.242
231.123.123.243
231.123.123.244
231.123.123.245"
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO

eth1_IPADDR=192.168.70.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

eth2_IPADDR=192.168.71.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

IPFILTER_SWITCH=firewall
SNMP_BLOCK=YES
MRK_CRIT=1
MRK_IA=2
EXTERN_IF=eth0
EXTERN_DHCP=NO

# nothing added via this mechanism _yet_
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# open external ports
EXTERN_ICMP_PORT0="0/0 : 192.168.70.0/24"
EXTERN_ICMP_PORT1="0/0 : 192.168.71.0/24"
EXTERN_UDP_PORTS=0/0_domain
EXTERN_TCP_PORT0="0/0 53 231.123.123.0/24"
EXTERN_TCP_PORT1="0/0 80 231.123.123.242"
EXTERN_TCP_PORT2="0/0 22 231.123.123.242"
EXTERN_TCP_PORT3="0/0 222 231.123.123.243"

INTERN_IF=eth1
INTERN_NET=192.168.70.0/24
INTERN_IP=192.168.70.254

MASQ_SWITCH=YES
NOMASQ_DEST=tcp_0/0_ssh
NOMASQ_DEST_BYPASS=tcp_231.123.123.240/29_ssh

DMZ_SWITCH=YES
DMZ_IF=eth2
DMZ_NET=192.168.71.0/24
DMZ_SRC=231.123.123.240/29
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
DMZ_OPEN_DEST="udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_domain
icmp_${DMZ_NET}_:
tcp_${DMZ_NET}_22
tcp_192.168.71.242_80"

DMZ_SERVER0="udp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER2="tcp 231.123.123.242 www 192.168.71.242 www"
DMZ_SERVER3="tcp 231.123.123.242 ssh 192.168.71.242 ssh"
DMZ_SERVER4="tcp 231.123.123.243 222 192.168.71.243 22"
DMZ_OUTBOUND_ALL=YES

--- end "naked" /etc/network.conf ---

--- begin ipchains -L -n -v > compressed.txt ---

Chain input
target  prot  ifname  source            dest  ports
DENY    icmp  *       0/0               0/0   5 -> *
DENY    icmp  *       0/0               0/0   13 -> *
DENY    icmp  *       0/0               0/0   14 -> *
DENY    all   eth0    0.0.0.0           0/0   n/a
DENY    all   eth0    255.255.255.255   0/0   n/a
DENY    all   eth0    127.0.0.0/8       0/0   n/a
DENY    all   eth0    224.0.0.0/4       0/0   n/a
DENY    all   eth0    10.0.0.0/8        0/0   n/a
DENY    all   eth0    172.16.0.0/12     0/0   n/a
DENY    all   eth0    192.168.0.0/16    0/0   n/a
DENY    all   eth0    0.0.0.0/8         0/0   n/a
DENY    all   eth0    128.0.0.0/16      0/0   n/a
DENY    all   eth0    191.255.0.0/16    0/0   n/a
DENY    all   eth0    192.0.0.0/24      0/0   n/a
DENY    all   eth0    223.255.255.0/24 

[Leaf-user] 2.4 Kernel packet inspection?

2002-02-11 Thread Scott Sandeman-Allen

Hi,

As I review firewalling etc. I have become interested in stateful 
packet filtering as well as a few other goodies offered by the 2.4 
kernel (and a few not yet offered).

Is there any work in progress for LRP to be running packet 
inspection/mangling etc. in the near future?

Thanks,

Scott




Re: [Leaf-user] [DMZ w/Dachstein CD] Going nuts?- Yes!

2002-02-11 Thread Scott Sandeman-Allen

> > ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www
>
> I believe there is a typo in the test line. It should read:
>
> ipchains -C -p tcp -i eth0 -s 0.0.0.0 www -d 231.123.123.242 www
>                                           ^^
> I don't know if the typo is just here in this message or in your actual test
> as well. If it is in your tests, I couldn't predict what would happen.

Typing error in my message. The error checking in the -C option 
detects missing protocols, ports, etc., including missing destinations.

It also helps when you don't use 0/0 but use something remotely real 
instead of an intentionally blocked IP like 0.0.0.0 and 
255.255.255.255. =8@

It all seems to work from a testing perspective. Now to try the 
chains in real life tomorrow.

Thanks again for your help!

S.
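Both the "Am I going nuts?!?" post and this reply turn on the same detail: ipchains walks a chain top to bottom and the first matching rule decides, and in the Dachstein input chain the anti-spoof DENY rules for 0.0.0.0, 255.255.255.255 and the private ranges sit above the per-service ACCEPT rules. A test packet with a source of 0.0.0.0 is therefore denied by the very first rule and never reaches the `ACCEPT tcp eth0 0/0 231.123.123.242 * -> 80` line, which is exactly what the original `ipchains -C` test reported. The following is an added example, not code from the thread or from LEAF/Dachstein: a small Python evaluator that mimics that first-match walk over a chain listing. The listing is constructed from the rule order shown in the config post (231.123.123.242 is the address from the post), 203.0.113.7 is a constructed documentation-range source, and the model deliberately ignores ipchains details such as SYN flags and fragments.

```python
"""Added example (not from the thread or from LEAF/Dachstein): a tiny
first-match evaluator for an `ipchains -L -n -v` style input chain.
It shows why a test packet sourced from 0.0.0.0 is denied even though an
ACCEPT rule for tcp/80 to 231.123.123.242 exists further down the chain."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed chain listing: the anti-spoof denies from the post, followed
# by the service accepts and the final catch-all deny. Order matters.
INPUT_CHAIN = """\
Chain input
target  prot  ifname  source            dest             ports
DENY    all   eth0    0.0.0.0           0/0              n/a
DENY    all   eth0    255.255.255.255   0/0              n/a
DENY    all   eth0    127.0.0.0/8       0/0              n/a
DENY    all   eth0    10.0.0.0/8        0/0              n/a
DENY    all   eth0    172.16.0.0/12     0/0              n/a
DENY    all   eth0    192.168.0.0/16    0/0              n/a
ACCEPT  tcp   eth0    0/0               231.123.123.242  * -> 80
ACCEPT  tcp   eth0    0/0               231.123.123.242  * -> 22
DENY    all   eth0    0/0               0/0              n/a
"""


@dataclass(frozen=True)
class Packet:
    """The fields `ipchains -C` asks for: protocol, interface, source,
    destination and destination port (None for protocols without ports)."""
    proto: str
    ifname: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(spec: str) -> ipaddress.IPv4Network:
    """Address column of the listing: '0/0' is the any-address wildcard,
    a bare address is a single host."""
    if spec == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def _dport_ok(ports: str, dport: Optional[int]) -> bool:
    """Ports column: 'n/a' ignores ports, otherwise 'sport -> dport'
    where '*' is a wildcard and 'lo:hi' a range."""
    if ports == "n/a":
        return True
    _sport, _, dst_spec = ports.partition("->")
    dst_spec = dst_spec.strip()
    if dst_spec == "*":
        return True
    if dport is None:
        return False
    if ":" in dst_spec:
        lo, hi = (int(x) for x in dst_spec.split(":"))
        return lo <= dport <= hi
    return dport == int(dst_spec)


def parse_chain(chain_text: str) -> List[List[str]]:
    """Split the listing into rule rows, dropping the 'Chain' and header lines."""
    rows = []
    for line in chain_text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Chain", "target"):
            continue
        rows.append(fields)
    return rows


def _matches(fields: List[str], pkt: Packet) -> bool:
    _target, proto, ifname, src, dst = fields[:5]
    ports = " ".join(fields[5:])
    return (
        proto in ("all", pkt.proto)
        and ifname in ("*", pkt.ifname)
        and ipaddress.ip_address(pkt.src) in _net(src)
        and ipaddress.ip_address(pkt.dst) in _net(dst)
        and _dport_ok(ports, pkt.dport)
    )


def evaluate(chain_text: str, pkt: Packet, policy: str = "DENY") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides, as in
    ipchains. Returns (verdict, 0-based index of the matching rule), or
    (policy, None) when nothing matched and the chain policy applies."""
    for idx, fields in enumerate(parse_chain(chain_text)):
        if _matches(fields, pkt):
            return fields[0], idx
    return policy, None


if __name__ == "__main__":
    # The test from the post: a bogus 0.0.0.0 source hits the anti-spoof
    # deny at the top of the chain and never reaches the www ACCEPT.
    bogus = Packet("tcp", "eth0", "0.0.0.0", "231.123.123.242", 80)
    # Same request from a realistic (constructed, documentation-range) source.
    real = Packet("tcp", "eth0", "203.0.113.7", "231.123.123.242", 80)
    # A port with no ACCEPT rule falls through to the final catch-all deny.
    other = Packet("tcp", "eth0", "203.0.113.7", "231.123.123.242", 443)
    for pkt in (bogus, real, other):
        verdict, idx = evaluate(INPUT_CHAIN, pkt)
        rule = "policy" if idx is None else f"rule {idx}"
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {verdict} ({rule})")
```

Running it shows the 0.0.0.0 packet stopping at rule 0 while the same request from 203.0.113.7 is accepted at rule 6, which is the point of the advice above: test `-C` with a source address that is not one the chain is built to reject, and always give `-d`, otherwise the test is not exercising the rule you think it is.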




[Leaf-user] DMZ config example.

2002-02-02 Thread Scott Sandeman-Allen

Is there anywhere I can find an example DMZ config script? I'm going 
through the documentation and about 95% is making sense but a couple 
of things are challenging me.

If there are none, I'd be happy to supply one once I get it figured 
out but may end up asking a bunch more questions on the list.

Thanks in advance,

Scott
