[Leaf-user] DachsteinCD, need help getting started

2001-11-18 Thread Scott Ecker

I have been having loads of trouble getting up and running consistently with
the dachstein CD.  I have been practicing making configurations on one
machine in order to hone my knowledge of setting up different types of
firewalls.  However, sometimes I just can't get ip masquerading to work in
the simplest configuration.  I must be missing some tiny switch sometimes
when I set up the box.  Basically I want to allow all machines behind the
firewall to be able to browse, email, ssh, etc.  My hosts.allow is wide open
ALL: 192.168.212.0/255.255.255.0, and my hosts.deny has only ALL:
PARANOID and ALL:ALL.  I can ping internally and externally from the
firewall, just can't masq anything.

Also, I've noticed that the weblet page showing installed modules shows
ip_masq_portfw and ip_masq_autofw as unused.  Are these modules necessary
only if I forward ports to a private IP, or are they necessary for
masquerading?  Or does (unused) mean something else?

Installed Modules:
Module            Size  Used by
ip_masq_vdolive   1180   0 (unused)
ip_masq_user      3708   0 (unused)
ip_masq_raudio    2980   0 (unused)
ip_masq_quake     1220   0 (unused)
ip_masq_portfw    2416   0 (unused)
ip_masq_mfw       3196   0
ip_masq_irc       1924   0 (unused)
ip_masq_ftp       3576   0 (unused)
ip_masq_cuseeme    964   0 (unused)
ip_masq_autofw    2476   0 (unused)
tulip            32412   2
pci-scan          2288   0 [tulip]
isofs            17692   0
ide-cd           22672   0
cdrom            26712   0 [ide-cd]

-Scott


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] DachsteinCD, need help getting started

2001-11-18 Thread Matt Schalit

Scott Ecker wrote:

> I have been having loads of trouble getting up and running consistently with
> the dachstein CD.  I have been practicing making configurations on one
> machine in order to hone my knowledge of setting up different types of
> firewalls.  However, sometimes I just can't get ip masquerading to work in
> the simplest configuration.  I must be missing some tiny switch sometimes
> when I set up the box.  Basically I want to allow all machines behind the
> firewall to be able to browse, email, ssh, etc.  My hosts.allow is wide open
> ALL: 192.168.212.0/255.255.255.0, and my hosts.deny has only ALL:
> PARANOID and ALL:ALL.

hosts.allow and hosts.deny are only used to filter traffic
destined for a service on the LEAF box.  Basically none
of your internal LAN traffic is destined for the LEAF box,
rather it goes to the internet (except maybe ssh).  So your
hosts.allow and hosts.deny are not stopping traffic from being
masq'd, making it out to the net, not making it back in
through the firewall.



> I can ping internally and externally from the
> firewall, just can't masq anything.

Can you ping from an internal computer to the
two LEAF cards?  To the LEAF's default gateway?

You'd help us debug your problems by posting the details 
described in the LEAF How do I request help document:

 http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751


> Also, I've noticed that the weblet page showing installed modules shows
> ip_masq_portfw and ip_masq_autofw as unused.

These have no effect whatsoever on your ability to:

   Have a valid IP address on the proper network on your internal LAN computer
   Have a valid netmask on your internal LAN computer
   Have a valid DNS on your internal LAN computer
   Have a valid default gateway on your internal LAN computer

   Have all the same on the LEAF, twice.
   Have all computers on the same network.
   Fill out the network.conf right (that's not easy, you're not being scolded).

I think Charles usually has *very* good documentation, especially
for the recent releases.

> Are these modules necessary
> only if I forward ports to a private IP, or are they necessary for
> masquerading?  Or does (unused) mean something else?

They are used when you have *incoming* traffic from the internet
into your LAN to a service like a web server you run.  They forward
a single port (like web port 80) on the LEAF into your LAN computer's
port 80, in the case of portfw.  In the case of autofw, that forwards
a range of ports like 65300-65500 from the LEAF to the LAN computer's same
port range (like what you do when you run an ftp server).


[snip]

Usually, almost all of Dachstein is set up in the network.conf.
If you didn't distill that into the variables and post it, then
there was no significant chance of helping you correctly.

Good Luck,
Matthew

> -Scott
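An added example, not code from the thread or from LEAF, that models the tcp_wrappers lookup Matt describes: hosts.allow is consulted first, then hosts.deny, and only when a wrapped daemon on the LEAF box itself accepts a connection. Packets that the box merely routes and masquerades never reach this code path. The rule text is copied from the thread; the daemon name, the PARANOID flag (which in real tcp_wrappers depends on a forward/reverse DNS check) and the client addresses are assumptions.

```python
"""Offline model of tcp_wrappers access control (hosts.allow / hosts.deny).

Added example, not part of the original thread. It mirrors the documented
order of evaluation: first match in hosts.allow grants, then first match in
hosts.deny refuses, otherwise access is granted.
"""
import ipaddress

# Constructed copies of the two files quoted in the thread.
HOSTS_ALLOW = "ALL: 192.168.212.0/255.255.255.0\n"
HOSTS_DENY = "ALL: PARANOID\nALL: ALL\n"


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns), skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr, paranoid_mismatch=False):
    """Match one client pattern for the forms used in the thread."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        # Real tcp_wrappers matches PARANOID when the client's forward and
        # reverse DNS disagree; DNS is not consulted here, the caller says.
        return paranoid_mismatch
    if "/" in pattern:
        # net/mask form such as 192.168.212.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def rule_matches(rule, daemon, addr, paranoid_mismatch):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr, paranoid_mismatch) for c in clients))


def wrappers_decision(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY,
                      paranoid_mismatch=False):
    """'allow' or 'deny' for a connection to a wrapped daemon on this box."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, addr, paranoid_mismatch):
            return "allow"
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, addr, paranoid_mismatch):
            return "deny"
    return "allow"


def lan_connection_outcome(daemon, src, dst, local_addrs):
    """Outcome for a LAN host at `src` connecting to `dst`.

    tcp_wrappers only sees connections whose destination is one of the LEAF
    box's own addresses (`local_addrs`, an assumed set). Anything else is
    handled by the ipchains forward/masq rules and never consults these files.
    """
    if dst not in local_addrs:
        return "forwarded (hosts.allow/hosts.deny not consulted)"
    return wrappers_decision(daemon, src)


if __name__ == "__main__":
    leaf = {"192.168.212.1", "10.10.5.1"}          # assumed LEAF addresses
    print(lan_connection_outcome("sshd", "192.168.212.5", "192.168.212.1", leaf))
    print(lan_connection_outcome("sshd", "192.168.212.5", "216.231.41.22", leaf))
```

The second call shows the point of Matt's reply: a LAN host browsing an internet address gets the "forwarded" outcome regardless of what hosts.allow says, so a wide-open hosts.allow can neither help nor hinder masquerading.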




RE: [Leaf-user] DachsteinCD, need help getting started

2001-11-18 Thread Scott Ecker

From an internal machine I can ping the internal and external interface on the 
firewall, but nothing beyond that.

I noticed that my syslog is filling up with tons of these:

Nov 18 12:14:33 mail kernel: Packet log: \
output DENY eth0 PROTO=1 10.10.5.2:8 \
216.231.41.22:0 L=60 S=0x00 I=35342 F=0x T=127 (#6)

You can check out a shortened copy of my network.conf here:
(http://www.troutpocket.org/dachstein.txt).  I'm not using DHCP or DHCLIENT.  I am
using a private IP on the external interface because I'm setting it up behind another
router just for testing purposes.  Let me know what other info would be helpful.

-Scott
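An added example, not code from the thread or from LEAF, that parses the ipchains "Packet log:" line Scott quoted into its fields and flags the one condition worth checking first on such a line: an RFC 1918 source address on the output chain of the external interface. The first sample line is the one from the message above; the other two are constructed, and the external interface name eth0 is an assumption.

```python
"""Parse ipchains (kernel 2.2) packet-log lines as written by a LEAF box.

Added example, not part of the original thread. Layout of one line:
  Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
              L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
For PROTO=1 (ICMP) the two "port" positions carry the ICMP type and code.
"""
import ipaddress
import re

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]*) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]*) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First line copied from the thread; the other two are constructed samples.
SAMPLE_LOG = """\
Nov 18 12:14:33 mail kernel: Packet log: output DENY eth0 PROTO=1 10.10.5.2:8 216.231.41.22:0 L=60 S=0x00 I=35342 F=0x T=127 (#6)
Nov 18 12:15:01 mail kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4521 192.0.2.10:23 L=48 S=0x00 I=1 F=0x4000 T=113 (#12)
Nov 18 12:15:07 mail kernel: Packet log: output ACCEPT eth0 PROTO=17 192.0.2.10:1025 192.0.2.1:53 L=60 S=0x00 I=7 F=0x0000 T=64 (#3)
"""


def parse_packet_log(line):
    """Return a dict of fields for one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    if rec["proto"] == 1:
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
    return rec


def describe(rec):
    """Human-readable reading of one parsed record."""
    if rec["proto"] == 1:
        what = "icmp " + ICMP_TYPES.get(rec["icmp_type"], "type %d" % rec["icmp_type"])
    else:
        what = "%s to port %d" % (rec["proto_name"], rec["dport"])
    return "%s chain %s on %s: %s -> %s, %s, rule #%s" % (
        rec["chain"], rec["action"], rec["iface"], rec["src"], rec["dst"], what, rec["rule"])


def check(rec, external_iface):
    """Flags a defender would want raised for this record."""
    flags = []
    src = ipaddress.ip_address(rec["src"])
    if (rec["chain"] == "output" and rec["iface"] == external_iface
            and any(src in net for net in RFC1918)):
        flags.append("RFC 1918 source address on the output chain of %s: the packet "
                     "was not masqueraded, or the external address is itself private"
                     % external_iface)
    return flags


def summarize(log_text, external_iface="eth0"):
    """Parse every ipchains line in `log_text`; attach a reading and flags to each."""
    records = []
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec is None:
            continue
        rec["reading"] = describe(rec)
        rec["flags"] = check(rec, external_iface)
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["reading"])
        for flag in rec["flags"]:
            print("  !", flag)
```

Run against the quoted line, the reading is an ICMP echo request (type 8) from 10.10.5.2 to 216.231.41.22 denied on the output chain of eth0 by rule #6, and the flag fires because the source is a 10/8 address; that matches the poster's own note that the external side of the test box carries a private address.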
