[Leaf-user] MacIP/AppleTalkIP ?
Does anyone have any experience routing/filtering/firewalling any of these protocols? Any suggestions where a guy might find some documentation? Notes? I did a search on Leaf and didn't find much. Thanks, Scott ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] SSH Problems with DMZ
Hi, me again! I have configured my Dachstein CD based router and parts are working quite fine. My web server can be seen from its dedicated public IP and from my masq. network. Unfortunately, I cannot ssh into the server via the public-ip router. This despite the fact I have enabled the port in the same places and the same way as with tcp:80. A few days ago I could only get ssh running by having a separate port (222) forwarded to 22 on the server. Off the top, here are some of the pertinent settings:
DMZ=YES
SSH and WWW open with EXTERN_TCP_PORTn=0/0 ssh public_IP/n etc.
INTERN_SERVERS=tcp_public_IP_ssh_dmz_IP_ssh
DMZ_OPEN_DEST=tcp_public_IP_ssh
(where public-ip is one of my static IPs from the ISP.)
I have been over the settings quite a few times and did find a couple of errors but still, no SSH. If I bypass the router, the systems link within seconds and it all works fine. Any thoughts? Thanks, Scott
[Leaf-user] [DMZ w/Dachstein CD] Am I going nuts?!?
Hi, I've been trying to configure LEAF Dachstein CD to firewall 5 IP addresses. I have tried several configurations but cannot get the beast to work. I have changed the IPs and removed the comments to make it a shorter message... I hope those who may help are okay with this. Here is what I have:
Router/firewall with 3 NICs.
Five (5) class C static IPs, i.e. 231.123.123.242:245
ISP Gateway 231.123.123.246
2 servers on DMZ:
192.168.71.242 WWW SSH
192.168.71.243 SSH (SQL for WWW)
What I'm trying to do is this:
DMZ the two servers
NAT to workstations on 192.168.70.0/24 (each w/static IP)
With the following configuration, I get an ipchains table which I have condensed and added below. I have removed the packet counts and the logging options except for the one '!y' in the forwarding section. When I test this and other configs, using
ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www
I get a deny, even though the chains list shows
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 80
I'm thinking the problem is a line lower down which states:
DENY all eth0 0/0 0/0 n/a
So, have I messed up and not set something right, or am I just a loonie and should go back to some basket weaving... or is there a problem with a script (I tried to figure them out but I have a ways to go before I get into that). Thanks in advance for any and all assistance!
Scott

--- begin naked /etc/network.conf ---
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
IF_AUTO="eth0 eth1 eth2"
IF_LIST=$IF_AUTO
ALLIF_ACCEPT_REDIRECTS=YES
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=NO
BRG_EXEMPT_PROTOS=
eth0_IPADDR=231.123.123.241
eth0_MASKLEN=29
eth0_BROADCAST=+
eth0_DEFAULT_GW=231.123.123.241
eth0_IP_EXTRA_ADDRS="231.123.123.242 231.123.123.243 231.123.123.244 231.123.123.245"
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO
eth1_IPADDR=192.168.70.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO
eth2_IPADDR=192.168.71.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO
IPFILTER_SWITCH=firewall
SNMP_BLOCK=YES
MRK_CRIT=1
MRK_IA=2
EXTERN_IF=eth0
EXTERN_DHCP=NO
# nothing added via this mechanism _yet_
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output
# open external ports
EXTERN_ICMP_PORT0="0/0 : 192.168.70.0/24"
EXTERN_ICMP_PORT1="0/0 : 192.168.71.0/24"
EXTERN_UDP_PORTS=0/0_domain
EXTERN_TCP_PORT0="0/0 53 231.123.123.0/24"
EXTERN_TCP_PORT1="0/0 80 231.123.123.242"
EXTERN_TCP_PORT2="0/0 22 231.123.123.242"
EXTERN_TCP_PORT3="0/0 222 231.123.123.243"
INTERN_IF=eth1
INTERN_NET=192.168.70.0/24
INTERN_IP=192.168.70.254
MASQ_SWITCH=YES
NOMASQ_DEST=tcp_0/0_ssh
NOMASQ_DEST_BYPASS=tcp_231.123.123.240/29_ssh
DMZ_SWITCH=YES
DMZ_IF=eth2
DMZ_NET=192.168.71.0/24
DMZ_SRC=231.123.123.240/29
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
DMZ_OPEN_DEST="udp_${DMZ_NET}_domain tcp_${DMZ_NET}_domain icmp_${DMZ_NET}_: tcp_${DMZ_NET}_22 tcp_192.168.71.242_80"
DMZ_SERVER0="udp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER2="tcp 231.123.123.242 www 192.168.71.242 www"
DMZ_SERVER3="tcp 231.123.123.242 ssh 192.168.71.242 ssh"
DMZ_SERVER4="tcp 231.123.123.243 222 192.168.71.243 22"
DMZ_OUTBOUND_ALL=YES
--- end naked /etc/network.conf ---

--- begin ipchains -L -n -v compressed.txt ---
Chain input
target  prot  ifname  source            destination  ports
DENY    icmp  *       0/0               0/0          5 -> *
DENY    icmp  *       0/0               0/0          13 -> *
DENY    icmp  *       0/0               0/0          14 -> *
DENY    all   eth0    0.0.0.0           0/0          n/a
DENY    all   eth0    255.255.255.255   0/0          n/a
DENY    all   eth0    127.0.0.0/8       0/0          n/a
DENY    all   eth0    224.0.0.0/4       0/0          n/a
DENY    all   eth0    10.0.0.0/8        0/0          n/a
DENY    all   eth0    172.16.0.0/12     0/0          n/a
DENY    all   eth0    192.168.0.0/16    0/0          n/a
DENY    all   eth0    0.0.0.0/8         0/0          n/a
DENY    all   eth0    128.0.0.0/16      0/0          n/a
DENY    all   eth0    191.255.0.0/16    0/0          n/a
DENY    all   eth0    192.0.0.0/24      0/0          n/a
DENY    all   eth0    223.255.255.0/24
[Leaf-user] 2.4 Kernel packet inspection?
Hi, As I review firewalling etc. I have become interested in stateful packet filtering as well as a few other goodies offered by the 2.4 kernel (and a few not yet offered). Is there any work in progress for LRP to be running packet inspection/mangling etc. in the near future? Thanks, Scott
Re: [Leaf-user] [DMZ w/Dachstein CD] Going nuts?- Yes!
> ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www
>
> I believe there is a typo in the test line. It should read:
>
> ipchains -C -p tcp -i eth0 -s 0.0.0.0 www -d 231.123.123.242 www
>                                           ^^
> I don't know if the typo is just here in this message or in your actual test as well. If it is in your tests, I couldn't predict what would happen.

Typing error in my message. The error checking in the -C option detects missing protocols, ports etc. including missing destinations. It also helps when you don't use 0/0 but use something remotely real instead of an intentionally blocked IP like 0.0.0.0 and 255.255.255.255. =8@

It all seems to work from a testing perspective. Now to try the chains in real life tomorrow. Thanks again for your help! S.
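A small first-match model of the condensed input chain posted in the "Am I going nuts" message, added here as an illustration; it is not code from the list or from Dachstein. The rule set is a constructed condensation of that listing (the anti-spoof rules, the port-80 ACCEPT, a catch-all DENY), and it shows why an `ipchains -C` test packet with source 0.0.0.0 is denied by the martian rule before the ACCEPT is ever consulted, while a realistic source address reaches the ACCEPT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                  # ACCEPT or DENY
    proto: str                   # tcp, udp, icmp or all
    iface: Optional[str]         # inbound interface, None = any
    src: str                     # source prefix (CIDR)
    dst: str                     # destination prefix (CIDR)
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, proto, iface, src, dst, dport):
        return (
            self.proto in ("all", proto)
            and self.iface in (None, iface)
            and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            and self.dport in (None, dport)
        )

# Constructed condensation of the poster's input chain: the anti-spoof
# (martian) rules come first, then the opened web port, then the catch-all.
INPUT_CHAIN = [
    Rule("DENY", "all", "eth0", "0.0.0.0/32", "0.0.0.0/0"),
    Rule("DENY", "all", "eth0", "255.255.255.255/32", "0.0.0.0/0"),
    Rule("DENY", "all", "eth0", "127.0.0.0/8", "0.0.0.0/0"),
    Rule("DENY", "all", "eth0", "224.0.0.0/4", "0.0.0.0/0"),
    Rule("DENY", "all", "eth0", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("DENY", "all", "eth0", "172.16.0.0/12", "0.0.0.0/0"),
    Rule("DENY", "all", "eth0", "192.168.0.0/16", "0.0.0.0/0"),
    Rule("ACCEPT", "tcp", "eth0", "0.0.0.0/0", "231.123.123.242/32", 80),
    Rule("DENY", "all", "eth0", "0.0.0.0/0", "0.0.0.0/0"),
]

def check(chain, proto, iface, src, dst, dport):
    """First matching rule decides, as with `ipchains -C`.
    Returns (verdict, index of the deciding rule); index -1 means the chain policy applied."""
    for i, rule in enumerate(chain):
        if rule.matches(proto, iface, src, dst, dport):
            return rule.target, i
    return "DENY", -1  # chain policy assumed DENY

if __name__ == "__main__":
    # The poster's test packet (source 0.0.0.0) hits the martian rule first ...
    print(check(INPUT_CHAIN, "tcp", "eth0", "0.0.0.0", "231.123.123.242", 80))
    # ... while a realistic source reaches the ACCEPT for port 80.
    print(check(INPUT_CHAIN, "tcp", "eth0", "198.51.100.7", "231.123.123.242", 80))
```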
[Leaf-user] DMZ config example.
Is there anywhere I can find an example DMZ config script? I'm going through the documentation and about 95% is making sense but a couple of things are challenging me. If there are none, I'd be happy to supply one once I get it figured out but may end up asking a bunch more questions on the list. Thanks in advance, Scott