Re: [Leaf-user] DachStein 1.0.2 - stopping martian loggin

2001-12-17 Thread Scott C. Best

John:

Heya. Regarding your firewall troubles, might I suggest
that you please give the echowall.lrp package a try, available
at ftp.echogent.com. It's expressly designed towards making an
Eiger/Dach firewall with port-forwarding as easy as possible to
setup.
In other words, it's meant for novice users. No offense!
Just two of the things you wrote suggest you might be the target
audience:

 The first was that I could not port forward SSH to an internal box
 with either Eiger or Dach.  I had the proper stuff uncommented in
 /etc/network.conf, but it just didn't work.   I ended up having to do
 the following:

   ipchains -I input -i eth0 -j ACCEPT -p tcp -s 0/0 -d 0/0 24

This rule is a bit reckless: it will allow any TCP packets
from anywhere *to* anything hit your TCP port 24. Nothing typically
listens to TCP port 24 (the IANA designates it as any private email
server), so I suspect you either meant port 22 for SSH, or you changed
your SSHd server to listen to port 24 instead.
In any case...allowing a TCP connection from any address
destined for any address shouldn't ever be required.

 Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22593 F=0x T=255 (#9)

Have a look at www.echogent.com/cgi-bin/fwlog.pl with this
packet log. It's harmless noise, which the echowall package will
actually not report about, by default.

Hope this helps!

-Scott
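The ordering problem both John and Scott describe (an ACCEPT inserted with `-I input` lands above the anti-spoofing DENY rules, so matching packets never reach them) can be checked mechanically. The script below is an added example, not part of DachStein, Eiger or echowall: it parses the text of `ipchains -L input` and reports any ACCEPT that sits above the first anti-spoofing DENY. The listing it runs on is a constructed, cut-down copy of the one John posted with wrapped lines joined, and the rule shape it treats as "anti-spoofing" (DENY, proto all, specific source, any destination) is an assumption drawn from that listing.

```python
"""Audit an `ipchains -L input` listing for ACCEPT rules placed above the
anti-spoofing DENY block.  Added example (not part of DachStein/Eiger);
SAMPLE_LISTING is a constructed, cut-down copy of the posted listing with
wrapped lines joined so that each rule sits on one line."""

from dataclasses import dataclass

# Constructed sample input (subset of the thread's `ipchains -L input`).
SAMPLE_LISTING = """\
Chain input (policy DENY):
target prot opt source destination ports
ACCEPT tcp  --  anywhere anywhere  any -   24
DENY   udp  --  10.2.0.1 anywhere  any -   bootps
DENY   icmp l-  anywhere anywhere  redirect
DENY   all  l-  10.0.0.0/8   anywhere  n/a
DENY   all  --  192.168.0.0/16   anywhere  n/a
DENY   all  l-  192.168.1.0/24   anywhere  n/a
ACCEPT tcp  --  anywhere anywhere  any -   ssh
ACCEPT tcp  --  anywhere anywhere  any -   1024:65535
DENY   all  l-  anywhere anywhere  n/a
ACCEPT all  --  anywhere anywhere  n/a
"""

TARGETS = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT", "RETURN"}


@dataclass
class Rule:
    position: int   # 1-based position in the chain, in the order -L prints
    target: str
    proto: str
    opts: str       # "l-" = rule logs (-l), "--" = it does not
    source: str
    dest: str
    sport: str
    dport: str


def parse_listing(text):
    """Parse the text of `ipchains -L <chain>` into Rule objects."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in TARGETS:
            continue                          # chain header / column header
        target, proto, opts, source, dest = fields[:5]
        rest = fields[5:]
        if not rest or rest == ["n/a"]:
            sport = dport = "n/a"             # rule has no port component
        elif len(rest) == 3 and rest[1] == "-":
            sport, dport = rest[0], rest[2]   # "sport - dport"
        else:
            sport, dport = "n/a", rest[0]     # icmp rules show a type name
        rules.append(Rule(len(rules) + 1, target, proto, opts,
                          source, dest, sport, dport))
    return rules


def is_antispoof_deny(rule):
    """DENY on a specific source network with any destination: the shape of
    the stopMartians rules that drop packets carrying private or reserved
    source addresses on the outside interface (assumed from the listing)."""
    return (rule.target == "DENY" and rule.proto == "all"
            and rule.source != "anywhere" and rule.dest == "anywhere")


def accepts_above_antispoof(rules):
    """ACCEPT rules listed before the first anti-spoofing DENY.  Packets they
    match are accepted without ever being tested against that block."""
    first = next((r.position for r in rules if is_antispoof_deny(r)), None)
    if first is None:
        return []
    return [r for r in rules if r.target == "ACCEPT" and r.position < first]


def report(text):
    """Human-readable findings for one listing."""
    findings = []
    for r in accepts_above_antispoof(parse_listing(text)):
        findings.append(f"rule {r.position}: ACCEPT {r.proto} {r.source} -> "
                        f"{r.dest} port {r.dport} sits above the anti-spoofing "
                        f"DENY rules; move it below them or narrow -s/-d")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LISTING):
        print(finding)
```

Run against the sample it reports only the `-I`-inserted port 24 rule; the distro's own `ssh` and `1024:65535` ACCEPTs come after the DENY block and pass. Feeding it the live output of `ipchains -L input` on the firewall gives the same check for the real chain.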


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



[Leaf-user] DachStein 1.0.2 - stopping martian loggin

2001-12-16 Thread John Stoffel


Hi Charles,

Thanks again for all the great work on Eiger and DachStein, they are
both working really well for me.  After a bit of fighting and learning
of ipchains, I've gotten a couple of successes here while trying to fix
some problems.

The first was that I could not port forward SSH to an internal box
with either Eiger or Dach.  I had the proper stuff uncommented in
/etc/network.conf, but it just didn't work.   I ended up having to do
the following:

  ipchains -I input -i eth0 -j ACCEPT -p tcp -s 0/0 -d 0/0 24

to get the rule early enough in the input chain to be effective.  But
I think this is actually too early now, since I'm bypassing some of
the good input rules.  

My ipchains ruleset looks like this now:

# ipchains -L input
Chain input (policy DENY):
target prot opt  source                      destination      ports
ACCEPT tcp  --   anywhere                    anywhere         any -   24
DENY   udp  --   10.2.0.1                    anywhere         any -   bootps
DENY   icmp l-   anywhere                    anywhere         redirect
DENY   icmp l-   anywhere                    anywhere         timestamp-request
DENY   icmp l-   anywhere                    anywhere         timestamp-reply
DENY   all  l-   0.0.0.0                     anywhere         n/a
DENY   all  l-   255.255.255.255             anywhere         n/a
DENY   all  l-   localnet/8                  anywhere         n/a
DENY   all  l-   BASE-ADDRESS.MCAST.NET/4    anywhere         n/a
DENY   all  --   10.0.0.0/8                  anywhere         n/a
DENY   all  --   172.16.0.0/12               anywhere         n/a
DENY   all  --   192.168.0.0/16              anywhere         n/a
DENY   all  l-   0.0.0.0/8                   anywhere         n/a
DENY   all  l-   128.0.0.0/16                anywhere         n/a
DENY   all  l-   191.255.0.0/16              anywhere         n/a
DENY   all  l-   192.0.0.0/24                anywhere         n/a
DENY   all  l-   223.255.255.0/24            anywhere         n/a
DENY   all  l-   240.0.0.0/4                 anywhere         n/a
DENY   all  l-   192.168.1.0/24              anywhere         n/a
DENY   all  l-   24-240-176-224.hsacorp.net  anywhere         n/a
REJECT all  l-   anywhere                    localnet/8       n/a
REJECT all  l-   anywhere                    192.168.1.0/24   n/a
REJECT tcp  --   anywhere                    anywhere         any -   netbios-ns
REJECT tcp  --   anywhere                    anywhere         any -   135
REJECT udp  --   anywhere                    anywhere         any -   netbios-ns
REJECT udp  --   anywhere                    anywhere         any -   135
REJECT tcp  --   anywhere                    anywhere         any -   netbios-dgm:netbios-ssn
REJECT udp  --   anywhere                    anywhere         any -   netbios-dgm
REJECT udp  --   anywhere                    anywhere         netbios-ns:netbios-dgm -   any
REJECT udp  --   anywhere                    anywhere         135 -   any
REJECT tcp  --   anywhere                    anywhere         netbios-ns:netbios-ssn -   any
REJECT tcp  --   anywhere                    anywhere         135 -   any
ACCEPT tcp  --   anywhere                    anywhere         any -   ssh
REJECT tcp  --   anywhere                    anywhere         any -   auth
ACCEPT tcp  --   anywhere                    anywhere         any -   1024:65535
REJECT udp  l-   anywhere                    anywhere         any -   snmp:snmp-trap
ACCEPT udp  --   anywhere                    anywhere         any -   domain
ACCEPT udp  --   anywhere                    anywhere         any -   bootpc
DENY   udp  --   anywhere                    anywhere         any -   bootps
ACCEPT udp  --   anywhere                    anywhere         any -   1024:65535
ACCEPT icmp --   anywhere                    anywhere         any -   any
ACCEPT ospf --   anywhere                    anywhere         n/a
DENY   all  l-   anywhere                    anywhere         n/a
REJECT udp  l-   anywhere                    anywhere         any -   snmp:snmp-trap
REJECT udp  l-   anywhere                    anywhere         snmp:snmp-trap -   any
ACCEPT all  --   anywhere                    anywhere         n/a


The second problem was that I was getting tons and tons of the
following messages in the /var/log/[messages,kern.log,syslog] files:

Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22593 F=0x T=255 (#9)
Dec 16 20:42:22 jfsgw kernel: 

Re: [Leaf-user] DachStein 1.0.2 - stopping martian loggin

2001-12-16 Thread Brad Fritz


Great job of posting the pertinent information for debugging,
John.  To save bandwidth, I've snipped some of the less important
stuff in my reply below.


On Sun, 16 Dec 2001 20:38:51 EST John Stoffel wrote:

 The first was that I could not port forward SSH to an internal box
 with either Eiger or Dach.  I had the proper stuff uncommented in
 /etc/network.conf, but it just didn't work.   I ended up having to do
 the following:
 
   ipchains -I input -i eth0 -j ACCEPT -p tcp -s 0/0 -d 0/0 24

Looks like the problem is you're forwarding port 24 to port 22
(ssh) on 192.168.1.6, but, in the absence of the above rule, you
are blocking port 24.  More below...

 to get the rule early enough in the input chain to be effective.  But
 I think this is actually too early now, since I'm bypassing some of
 the good input rules.  

Probably so.
 
 My ipchains ruleset looks like this now:
 
 # ipchains -L input
 Chain input (policy DENY):
 target prot opt  source    destination  ports
 ACCEPT tcp  --   anywhere  anywhere     any -   24

  [ snip ]

 ACCEPT tcp  --  anywhere anywhere  any -   ssh

  [ snip ]

Interesting bits pulled up from the network.conf I snipped out
below...

 EXTERN_TCP_PORTS=0/0_ssh
 INTERN_SSH_SERVER=192.168.1.6   # Internal SSH server to make available
 EXTERN_SSH_PORT=24  # External port to use for internal SSH access

The any - ssh ACCEPT is created by 
   EXTERN_TCP_PORTS=0/0_ssh

The correct adjustment to your network.conf settings depends on
whether or not you run sshd on your firewall and allow connections
from external nets.  If you do, you probably want

   EXTERN_TCP_PORTS=0/0_24 0/0_ssh
   EXTERN_SSH_PORT=24

If not, you can probably leave EXTERN_TCP_PORTS alone and
comment EXTERN_SSH_PORT back out like so:

   EXTERN_TCP_PORTS=0/0_ssh
   # EXTERN_SSH_PORT=24

(Note that you can still ssh to the internal address of the
firewall from your internal network even if you forward port
22 on the external interface to an internal host.)

 The second problem was that I was getting tons and tons of the
 following messages in the /var/log/[messages,kern.log,syslog] files:
 
 Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22593 F=0x T=255 (#9)
 Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22595 F=0x T=255 (#9)
 Dec 16 20:42:49 jfsgw kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#11)
 Dec 16 20:44:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=344 S=0x00 I=22697 F=0x T=255 (#9)
 Dec 16 20:44:30 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=344 S=0x00 I=22700 F=0x T=255 (#9)
 
 Even though I had the settings to turn off the logging of martians.  I

I'm guessing here, but I'd bet the *IP_KRNL_LOGMARTIANS
flags that I assume you're referring to only affect if the kernel
spits out messages like so:

  Aug 17 12:49:35 systenrouter kernel: ll header: ff ff ff ff ff ff 00 50 ba b5 27 04 08 00
  Aug 17 12:49:36 systenrouter kernel: martian source abcdef01 for abcdefff, dev eth1

when a packet arrives on an interface destined for an address,
broadcast or otherwise, that the interface in question isn't
supposed to serve.  Since the five packets above are broadcast
to everyone using 255.255.255.255 and 224.0.0.1, the kernel isn't
really surprised to see them hitting eth0.  They may not even be
considered martians.  (Someone who's more familiar with martians,
please step in and correct me if necessary.)

 ended up changing the /etc/ipfilters.conf file so that in the
 'stopMartians' function, I didn't bother to log packets for the RFC
 1918, 1627 and 1597 blocks.  I just removed the '-l' flag from those
 three lines, saved /etc to floppy and rebooted.  

You could probably achieve the same effect by adjusting the
value of the SILENT_DENY variable in /etc/network.conf .

[ remaining statements and questions snipped since they're
  *much* more in Charles' ballpark ]

Hope that helps show ways you can use network.conf to achieve
some of the things you did manually with ipchains.

--Brad
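Brad's point is that the flood of `Packet log:` lines is DHCP and IGMP broadcast noise rather than martians, and that the fix is to stop logging it (via SILENT_DENY or by dropping `-l`) rather than to accept it. Before silencing a rule it is worth knowing what else it has been logging. The script below is an added example, not part of DachStein or the LEAF tools: it parses the ipchains `Packet log:` format as it appears in the lines John quoted, separates the DHCP-offer and IGMP broadcasts from everything else, and tallies hits per rule number. The first five sample lines are the ones from the thread; the sixth (a TCP packet from 203.0.113.7 to port 24 on an assumed external address 198.51.100.9) is constructed to show a line that should still be looked at. The field layout the regex assumes is taken from those quoted lines.

```python
"""Classify ipchains `Packet log:` lines into broadcast noise versus
entries that deserve attention, and count hits per rule number.
Added example, not part of DachStein/LEAF.  The log format matched is
the one visible in the thread's quoted kernel messages."""

import ipaddress
import re
from collections import Counter

# Sample input: five lines quoted in the thread (unwrapped) plus one
# constructed TCP line (203.0.113.7 -> 198.51.100.9:24) that is NOT noise.
SAMPLE_LOG = """\
Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22593 F=0x T=255 (#9)
Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=350 S=0x00 I=22595 F=0x T=255 (#9)
Dec 16 20:42:49 jfsgw kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x T=1 (#11)
Dec 16 20:44:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=344 S=0x00 I=22697 F=0x T=255 (#9)
Dec 16 20:44:30 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67 255.255.255.255:68 L=344 S=0x00 I=22700 F=0x T=255 (#9)
Dec 16 20:45:01 jfsgw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4321 198.51.100.9:24 L=60 S=0x00 I=31337 F=0x T=52 (#9)
"""

# Field order as seen in the quoted lines: chain verdict iface PROTO=n
# src:sport dst:dport L=len S=tos I=id F=frag T=ttl (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9A-Fa-f]*) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NOISE = {"dhcp-offer-broadcast", "igmp-multicast"}


def parse_packet_log(line):
    """Return a dict of fields for an ipchains log line, or None if the
    line is not a (complete) Packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(rec):
    """Name the kind of traffic a logged packet is."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    # UDP 67 -> 68 to 255.255.255.255: a DHCP server answering on the
    # shared segment; every host on the wire sees it.
    if (rec["proto"] == 17 and rec["sport"] == 67 and rec["dport"] == 68
            and dst == LIMITED_BROADCAST):
        return "dhcp-offer-broadcast"
    # IP protocol 2 to a 224/4 group: IGMP membership query from a router.
    if rec["proto"] == 2 and dst.is_multicast:
        return "igmp-multicast"
    if dst.is_multicast or dst == LIMITED_BROADCAST:
        return "other-broadcast"
    # Unicast aimed at us from a private source on the outside interface:
    # this is the case the stopMartians rules exist for.
    if is_rfc1918(src):
        return "rfc1918-source-unicast"
    return "unicast-denied"


def summarize(text):
    """Count (category, rule) pairs and collect the non-noise entries."""
    counts = Counter()
    notable = []
    for line in text.splitlines():
        rec = parse_packet_log(line)
        if rec is None:
            continue
        cat = classify(rec)
        counts[(cat, rec["rule"])] += 1
        if cat not in NOISE:
            notable.append((cat, rec["src"], rec["dst"], rec["dport"]))
    return counts, notable


if __name__ == "__main__":
    counts, notable = summarize(SAMPLE_LOG)
    for (cat, rule), n in sorted(counts.items()):
        print(f"{n:6d}  {cat:24s} rule #{rule}")
    for entry in notable:
        print("look at:", entry)
```

The per-rule counts tell you whether the rule you are about to silence (rule #9 here) logs only noise or also the occasional genuine unicast hit; the constructed sixth line shows up in `notable` precisely because it is not broadcast. A truncated line such as the `Dec 16 20:42:22 jfsgw kernel:` fragment in John's post is skipped rather than mis-parsed.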

