[Leaf-user] Firewall Setup

2002-01-13 Thread jp

While sifting through docs I found this error which I have been receiving while
trying to ping any internet IP from the LRP box:
sendto(): operation not permitted
It says that this is the result of incorrect setup of the Firewall rules.  Where
can I find some documentation on setting up a set of Firewall rules that will
give me at least minimal access to the net (www & email for now).  At least if I
can get that working I can slowly work through the rest.

My main problem is right now, to test out the router I have to switch my cable
modem to it.  Once that is done, it makes it difficult (currently impossible)
to do any research on problems as they come up.

Again, your help is greatly appreciated.
Sincerely,

Justin Pease
N u a n c e   N i n e
Web Usability, Development and Design
www.nuance9.com


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Firewall Setup

2002-01-13 Thread dgilleece

What distribution are you using?
What IP addresses are you using for your external interface?





Re: [Leaf-user] Firewall Setup

2002-01-13 Thread dgilleece

A couple of things are happening.  First, it seems that your Dach box is not 
obtaining a proper address from your ISP.  If your address used to be 
24.116.x.x, you should be seeing something similar now.  Since it is getting 
assigned a 10.x.x.x address, the ipfilter code is generating the "operation not 
permitted" message --- as Dachstein disallows RFC 1918 addresses (of which the 
10.x.x.x is).  Since these are reserved for the "private" side of networks, the 
external interface will reject everything if an "illegal" address is configured 
on that interface.

The thing to track down is why the external interface is not obtaining the 
proper IP from your ISP.  That is outside of my experience, since I have always 
used static IPs.  I'd recommend you walk very carefully thru the network.conf, 
paying close attention to the sections involving dynamic external IPs.  A good 
step-by-step procedure for setting it up can be found at:  
http://www.pigtail.net/LRP/ --- about half way down the page is where the fun 
begins...

Also note, some ISPs restrict your connection to a specific MAC address.  If 
your ISP does that, it may be rejecting your attempt to obtain a DHCP lease.  
If that is the case, you will have to notify your ISP to give the MAC of your 
intended external NIC.  I recall somewhere that some systems have "trick" for 
spoofing the MAC address, so you don't have to involve the ISP.  Unfortunately, 
I haven't seen that approach in action, and I don't know if or how it would 
work. 

Good luck,

Dan



Quoting [EMAIL PROTECTED]:

> I am using the most recent DachStein Floppy based distro.
> The current install appears to have setup 10.x.x.x IP addresses for the
> external NIC (eth0).
> This seems strange to me, as in the past the ISP DHCP assigned IP was
> 24.116.x.x.  

> 
> Thanks.
> 
> Justin



Re: [Leaf-user] Firewall Setup

2002-01-14 Thread Ray Olszewski

Hi. The excerpt you quote looks like something I wrote. If that's so ...

... what I was trying to indicate is that if the LEAF router has in place an
ipchains rule that DENYs input going to the address you try to ping (or,
possibly, to your gateway), you will get this message from sendto(). The
action you take in response is to inspect your actual firewall rulesets
(with "ipchains -L -n -v", assuming a 2.2.x kernel) and find the problem
rule. Once you find it, you can backtrack to the problem in the config files.

There is no such thing, **in general**, as "a set of Firewall rules that
will give me at least minimal access to the net". LEAF systems ... both
their out-of-the-box firewalling and add-ins like EchoWall and SeaWall ...
attempt to provide for setting up rulesets to handle the most common forms
of Internet connections. But you, or whoever is troubleshooting your
problem, needs to know what your setup is in order to figure out what
firewalling will work with it.

If you want to check access ***for test purposes only***, you can often do
so by making these changes to your ruleset:

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -F input
ipchains -F output

This leaves in place ONLY your forward-chain rules, which handle NAT'ing.
But it is embarrassingly insecure, so I wouldn't recommend doing this except
for a brief test.

At 07:08 PM 1/13/02 -0600, [EMAIL PROTECTED] wrote:
>While sifting through docs I found this error which I have been receiving,
>while trying to ping any internet IP from the LRP box:
>sendto(): operation not permitted
>It says that this is the result of incorrect setup of the Firewall rules.
>Where can I find some documentation on setting up a set of Firewall rules
>that will give me at least minimal access to the net (www & email for now).
>At least if I can get that working I can slowly work through the rest.


--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, CA   [EMAIL PROTECTED]






Re: [Leaf-user] Firewall Setup

2002-01-14 Thread Dr. Richard W. Tibbs

I have sporadically had the same problem, probably due to network 
misconfig on my end.
What I am still curious about --- maybe someone can explain this --- is 
why a unix socket system call, sendto(), is being invoked by ping --- 
which assumedly would be using inet calls like listen() and accept().
Sendto() should only be used for IPC on the same machine, right?
H




Re: [Leaf-user] Firewall Setup

2002-01-14 Thread Mark Plowman

Richard,

> From: "Dr. Richard W. Tibbs" <[EMAIL PROTECTED]>
> Date: Mon, 14 Jan 2002 11:06:13 -0500
> 
> I have sporadically had the same problem, probably due to network 
> misconfig on my end.
> What I am still curious about --- maybe someone can explain this --- is 
> why a unix socket system call, sendto(), is being invoked by ping --- 
> which assumedly would be using inet calls like listen() and accept().
> Sendto() should only be used for IPC on the same machine, right?
> H

Quickly checking my handy 'libc' info it says by 'sendto':

   The normal way of sending data on a datagram socket is by using the
`sendto' function, declared in `sys/socket.h'.

which fits with my memory.

'ping' sends ICMP packets/datagrams and doesn't use TCP/IP, which is
what the listen(), accept() family of functions are for.




Greetings

-- 
Mark Plowman, [EMAIL PROTECTED]
What is the hound of Wong-san crapping?!! [EMAIL PROTECTED]





Re: [Leaf-user] Firewall Setup

2002-01-14 Thread Matt Schalit

[EMAIL PROTECTED] wrote:
> 
> While sifting through docs I found this error which I have been receiving,
> while trying to ping any internet IP from the LRP box:
> sendto(): operation not permitted

It's either your network or your firewall rules or some permissions
on some files got messed up.  Quick fix is download LEAF version
called Dachstein 1.0.2.  It's well written, and is a complete
firewall, once you get your nic modules and your network.conf straight.
For a home setup, that goes quickly when you read the readme.


I.)  Your network isn't functioning.
   Network nic modules may not be on diskette.
   Network nic modules may be on diskette but are commented in modules.conf.
   Network nic modules may be on disk and uncommented but helper modules
   may be commented and aren't being loaded before nic modules.
   Syntax errors may be in /etc/network.conf.

Ways to check:
   ifconfig -a
   netstat -rn

or
   ip addr show
   ip route show

and
   more /var/log/syslog
and
   dmesg | more

stuff like that, ok.



> It says that this is the result of incorrect setup of the Firewall rules.
> Where can I find some documentation on setting up a set of Firewall rules
> that will give me at least minimal access to the net (www & email for now).
> At least if I can get that working I can slowly work through the rest.


II)  It's your firewall rules.  Strange.  I've written a firewall or
 two, and I don't remember this error.  But then again, I don't go looking
 to stop ping.  From my memory, when ping can't get out, it simply sits
 there, waiting, as versus giving you a lower level driver error.

You don't have any rules.
The ones you have are wrong.
You made your own.
You are using an old LEAF version.
You are using the newest and best LEAF, but you have syntax
 errors in network.conf or you deleted some other files.
You are cobbling a LEAF together out of parts and pieces
   you've found on the net, due to rational exuberance, but
   you lack the hindsight to know what you really wanted.

something like that.

Ways to fix:
Well, you asked for some rules, so what you do is this:
   1)  List your rules with
       /sbin/ipchains -L -v -n > /tmp/rules
       /usr/sbin/ipmasqadm portfw -ln >> /tmp/rules
       cat /proc/net/ip_masq/autofw >> /tmp/rules
       more /tmp/rules

   something like that gets you all the rules that maybe
   in effect.

2)  To get rid of all the current rules is to flush
them out, using:
 /sbin/ipchains -F
 /usr/sbin/ipmasqadm portfw -f
 /usr/sbin/ipmasqadm autofw -F

3)  To set the global policy to ACCEPT for the input
and output chains on all nics, you would do:
 /sbin/ipchains -P input ACCEPT
 /sbin/ipchains -P output ACCEPT
 /sbin/ipchains -P forward ACCEPT

4)  Some rules for a system that uses one IP addresses
from an ISP on eth0 as the external nic, and one
private LAN that uses NAT to hide it that is called
the 192.168.1.0 network connected to eth1, could use 
the following after flushing and setting the policies:


/sbin/ipchains -A forward -j MASQ -p all -s 192.168.1.0/24


It doesn't take much, does it :-o

What this does is allow all traffic in and out of both
nics, and masq's the internal network.  It leaves you
open to connection attempts to services like telnet 
running on the LEAF.  Even though the LEAF is open to 
the connection attempts, the internal network is unreachable
because it is masq'd and there is no route to it.
It leaves you open to spoofed and stuffed attacks, which
are very rare.  So do use this forever.  You're fine with
it while you configure your system if you don't have any
services running, like telnet or ssh on the LEAF.


This mini ruleset will work if your default gateway and
the rest of your routing table is correct.

However, like I said, the simple answer is Dachstein on floppy only.
If you want to doink around with the CD version, that's different.

Good Luck,
Matthew

 



[Leaf-user] Firewall setup Questions, Newbie

2002-01-28 Thread Brian Downey

I need to setup a firewall for my office. There is already a router/gateway box
but we dont have access to it in order to put a firewall on. I would like to
use a LEAF box as a firewall directly behind the router. Is it possible to set
one of the LRP dists up as a firewall only? DHCP is already setup on another
machine and I cannot start changing the IP's of the office computers. There
isn't much mention of setting up a firewall solely in the documentation that
I have seen, is there an example of what needs to be configured for a LRP dist?


Any help is greatly appreciated,

Cheers, 
Brian 




Re: [Leaf-user] Firewall Setup / Cable Setup

2002-01-19 Thread jp

Ok.  I have spent the last 2 days messing with Dachstein (Floppy based).

I still can't get it to work.

I have gone through all menu options on lrcfg about 20 times.  I have looked
over most of the documentation I have found.

This is my situation:

I am getting my DHCPACK from my ISP.  DHCP on the external side is working and
sets up.

DHCP on the internal side seems to be working, as my XP box is pulling the IP,
etc. from the LRP box.

Under pretty much default settings, I can ping from both boxes to each other -
but not to the outside world.  When I attempt to ping from the client box out -
I get request time outs.  When I attempt to ping from the LRP out I get type 3
ping failure ("sendto(): operation not permitted").  The documentation I could
find indicated that this was a firewall issue possibly related to ipchains.

I looked at ipchains, and really didn't have any idea where to start.

So instead I just went into ipfilter.conf and commented the following line as so:
# IPCH="sbin/ipchains --no-warnings"

I figured this would just cut out all ip packet filtering, and at least narrow
down the problem.  After doing this, backing up, and rebooting - I can now ping
out from the LRP box and can even resolve domain names.  From the client box I
can ping to the external node of the LRP box, but no further.  I still get
"request time out" on all outside pings.

LRP Box Stats:

p166 w/ 64mb
internal IP 192.168.1.254
external IP 10.120.92.142

XP Box
p550 w/256mb
internal ip 192.168.1.1
gateway 192.168.1.254
dhcp server 192.168.1.254
dns1 24.116.0.81
dns2 24.116.0.201



Pretty much everything is set to default other than that one line I mentioned earlier.

guitarlynn requested the following info:

results of ip route show:

192.168.1.0/24  dev eth1  proto kernel  scope link  src 192.168.1.254

10.120.92.0/22  dev eth0  proto kernel  scope link  src 10.120.92.142

default via 10.120.92.1 dev eth0

results of netstat -i

Kernel Interface table
Iface   MTU  Met  RX-OK  RX-ERR  RX-DRP  RX-OVR  TX-OK  TX-ERR  TX-DRP  TX-OVR  Flg
eth0   1500    0    620       0       0       0    106       0       0       0  BMRU
eth1   1500    0    381       0       0       0    351       0       0       0  BMRU
lo     3924    0    108       0       0       0    108       0       0       0  LRU

I would guess turning off ipchains really isn't a good solution (especially
since it doesn't fully solve the problem).  Any help would be appreciated.  If
you need more info - just tell me what to send.

Sincerely,

Justin Pease
N u a n c e   N i n e
Web Usability, Development and Design
www.nuance9.com





Re: [Leaf-user] Firewall Setup / Cable Setup

2002-01-19 Thread Ray Olszewski

First, your original problem was (probably) that your external connection
uses a private-range (10.b.c.d) address. Since you say the LEAF router
itself works with this address (after you disable ipchains, that is), I
assume the address is legit and not a symptom of, say, a
MAC-address-authentication problem with your ISP. Dachstein by default DENYs
input from and output to all private-range addresses on the external
connection.

Second, your "solution" of turning off all firewalling was a good *test* but
a bad *solution*. (Your interpretation of the ping response was right on
target.) The reason is that you removed the forward-chain rules that NAT
your LAN addresses. Without NAT, you can't use an unroutable private address
range on the LAN. So in this instance, we'd expect to see the router itself
able to connect to the Internet, but not the hosts behind it on the LAN ...
exactly what you report.

The better *test* is to restore the line you commented out. Then, after the
router finishes the boot/init process, enter these commands:

ipchains -F input
ipchains -F output
ipchains -P input ACCEPT
ipchains -P output ACCEPT

This clears the input and output chains while leaving the forward chain
alone. Now see if you can ping from the LAN through the router to the
Internet. If you can, we've found the problem. If you can't, then the
problem is somewhere else.

Having found it, we still have to fix it. I don't use the Dach default
firewall, but someone else can tell you the edit for it ... or you can try
scanning the list archives (the external-private-address problem comes up
regularly on the list). [Mike, is this problem common enough to deserve a
FAQ answer?] Or you can use a different drop-in firewall; I know
echowall.lrp, for example, handles private-range external addresses OK.





--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, CA   [EMAIL PROTECTED]






Re: [Leaf-user] Firewall Setup / Cable Setup

2002-01-19 Thread guitarlynn

Put a blank floppy in the LEAF floppy drive.
At a prompt, enter "mount -t msdos /dev/fd0 /mnt"
  "cat /etc/network.conf >> /mnt/network.txt"
  "umount  /mnt"

send any other information on other things you've done to configure the
box. You shouldn't have to modify anything but network.conf and add 
your modules. You can then take the network.txt file and copy/paste it
in a email.  This appears to be the source of your problem unless you
have modified something else manually.

It sounds like your ping isn't attempting to ping the internet.
make sure that :
IPFWDING_KERNEL=FILTER_ON
IPFILTER_SWITCH=firewall

Other note:
XP Box
p550 w/256mb
internal ip 192.168.1.1
gateway 192.168.1.254
dhcp server 192.168.1.254
dns1 24.116.0.81   <~~~ If you're running dnscache.lrp, change to
dns2 24.116.0.201  <~~~ 192.168.1.254

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] Firewall Setup / Cable Setup

2002-01-19 Thread guitarlynn

DUH! 
Thanks Ray!
nm my post.
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] Firewall Setup / Cable Setup

2002-01-19 Thread Victor McAllister

[EMAIL PROTECTED] wrote:

> Ok.  I have spent the last 2 days messing with Dachstein (Floppy based).
>
> I still can't get it to work.
>
> I have gone through all menu option on lrcfg about 20 times.  I have looked over 
>most of
> the documentation I have found.
>
> This is my situation:
>
> I am getting my DHCPACK from my ISP.  DHCP on the external side is working and sets
> up.
>



> internal IP 192.168.1.254
> external IP 10.120.92.142
>
> Sincerely,
>
> Justin Pease
> N u a n c e   N i n e

You need to comment out the following line in /etc/ipfilter.conf
close to the start of the file - around line 200 under
stopMartians () {
# RFC 1918/1627/1597 blocks
#  $IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all  -s 172.16.0.0/12 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all  -s 192.168.0.0/16 -d 0/0 -l $*

That should allow 10 private addresses in through the firewall.  Does your ISP
tell you that they are masquerading you with private addresses?  I think it is
unethical to not tell clients that they are not given a real routable IP.
PS
I love my ISP.  Not only do they give out static ips, but they will give out
extra ones to their clients without charge.  In this day of AOL and other
marketing schemes it is refreshing to find someone who is technically superb
and would rather be ethical than take your money.  Not too many do that.





Re: [Leaf-user] Firewall Setup / Cable Setup

2002-01-20 Thread Ewald Wasscher

Ray Olszewski wrote:

>Having found it, we still have to fix it. I don't use the Dach default
>firewall, but someone else can tell you the edit for it ... or you can try
>scanning the list archives (the external-private-address problem comes up
>regularly on the list). [Mike, is this problem common enough to deserve a
>FAQ answer?] Or you can use a different drop-in firewall; I know
>echowall.lrp, for example, handles private-range external addresses OK.

The default Dachstein firewall scripts deny traffic on the external 
interface that comes from/goes to private-range IP addresses. I think you 
can solve this in your case by commenting out line 208 in  
/etc/ipfilter.conf. Here is how to do it:

- Go to the lrcfg menu (if you are not already there), choose 1, then 2. 
Now you are editing /etc/ipfilter.conf.
- Go to line 208 (the line number is at the bottom right of your screen)
- Place a # at the beginning of line 208. (just like line 207)
- Save the changes, and exit from the editor
- Exit from the menu so that you are at the commandline.
- On the commandline type this:

svi network ipfilter reload

- Test the changed firewall. If everything works ok you can backup 
etc.lrp through the menu.

Good luck!

Ewald Wasscher


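The fix Victor and Ewald describe (commenting out the 10.0.0.0/8 DENY line in stopMartians()) as an added Python example that is not code from the thread or from Dachstein: it parses the quoted rule lines, evaluates them top-down as ipchains does, and shows why 10.120.92.142 is rejected, why a 24.116.x.x address is not, and which anti-spoofing check the fix gives up. The rule text is a constructed copy of the lines quoted above; the helper names are this example's own.

```python
"""Simulation of the Dachstein stopMartians() rules quoted in this thread.

Added example, not code from the thread or from Dachstein.  It parses the
three RFC 1918 DENY lines, evaluates them top-down as ipchains does, and
shows what the suggested fix (commenting out the 10.0.0.0/8 line) changes.
The rule text is a constructed copy of the lines quoted above; all helper
names are this example's own.
"""
import ipaddress
import re

# Constructed copy of the stopMartians() block with the 10/8 rule active,
# i.e. the state in which 10.120.92.142 on the external side is rejected.
STOPMARTIANS_DEFAULT = """\
# RFC 1918/1627/1597 blocks
$IPCH -A $LIST -j DENY -p all  -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all  -s 172.16.0.0/12 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all  -s 192.168.0.0/16 -d 0/0 -l $*
"""

# Target (-j) and source network (-s) of one ipchains rule line.
RULE_RE = re.compile(r"-j\s+(\w+)\s+.*?-s\s+(\S+)")


def parse_deny_rules(conf_text):
    """Return the active (uncommented) rules as (target, network), in file order."""
    rules = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a leading '#' disables the rule, which is the fix proposed above
        match = RULE_RE.search(stripped)
        if match:
            rules.append((match.group(1),
                          ipaddress.ip_network(match.group(2), strict=False)))
    return rules


def first_match(rules, src):
    """ipchains walks a chain top-down: return the first rule whose -s covers src."""
    addr = ipaddress.ip_address(src)
    for target, net in rules:
        if addr in net:
            return target, str(net)
    return None


def comment_out(conf_text, network):
    """Disable the rule for `network` the way the thread suggests: prefix it with '#'."""
    out = []
    for line in conf_text.splitlines():
        if f"-s {network} " in line and not line.lstrip().startswith("#"):
            line = "#  " + line
        out.append(line)
    return "\n".join(out) + "\n"


def would_be_denied(conf_text, src):
    """True if a packet with source `src` hits a DENY rule in this chain."""
    hit = first_match(parse_deny_rules(conf_text), src)
    return hit is not None and hit[0] == "DENY"


if __name__ == "__main__":
    variants = (("default", STOPMARTIANS_DEFAULT),
                ("10/8 commented", comment_out(STOPMARTIANS_DEFAULT, "10.0.0.0/8")))
    for label, conf in variants:
        for src in ("10.120.92.142", "24.116.0.81", "10.1.2.3", "192.168.1.1"):
            print(f"{label:15} {src:15} denied={would_be_denied(conf, src)}")
    # Cost of the fix: once the 10/8 line is commented out, a packet arriving
    # on the external interface with a spoofed 10.x source is no longer
    # dropped, which is exactly the anti-spoofing check that rule provided.
```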



Re: [Leaf-user] Firewall setup Questions, Newbie

2002-01-28 Thread guitarlynn

On Monday 28 January 2002 19:56, Brian Downey wrote:
> I need to setup a firewall for my office. There is already a
> router/gateway box but we dont have access to it in order to put a
> firewall on. I would like to use a LEAF box as a firewall directly
> behind the router. Is it possible to set one of the LRP dists up as a
> firewall only? DHCP is already setup on another machine and I cannot
> start changing the IP's of the office computers. There isn't much
> mention of setting up a firewall solely in the documentation that I
> have seen, is there an example of what needs to be configured for a
> LRP dist?

A transparent, bridging firewall!!! Yes, LEAF can do this!
Check out:
http://leaf.sourceforge.net/devel/thc/dox/pa.txt

Hope this helps,
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





RE: [Leaf-user] Firewall setup Questions, Newbie

2002-01-28 Thread Richard Doyle

> I need to setup a firewall for my office. There is already a
> router/gateway box
> but we dont have access to it in order to put a firewall on.
> I would like to
> use a LEAF box as a firewall directly behind the router. Is

You should provide lots more information about your existing setup. I'll
focus on DHCP. Does the DHCP server live behind the existing
router/gateway? Does the office network use real, routable IPs or
private ones?

> it possible to set
> one of the LRP dists up as a firewall only? DHCP is already
> setup on another
> machine and I cannot start changing the IP's of the office
> computers. There

I don't understand. DHCP provides dynamic IPs, so the office computers
may be changing IPs willy-nilly. DHCP clients are agnostic about the
source of their DHCP services. In fact, they broadcast requests for
those services to all (255.255.255.255).

If one of the machines on your side of the router is providing DHCP
service, the LEAF box could replace that DHCP server, or not, as you
wish.

If the DHCP server will be outside the router and LEAF boxes, you can
use dhcrelay to pass DHCP requests and responses to the DHCP server. I
can provide a copy of dhcrelay.lrp if you like, but you have bigger
questions to answer before that package would be of any use to you.

> isn't much mention of setting up a firewall solely in the
> documentation that
> I have seen, is there an example of what needs to be
> configured for a LRP dist?
>
>
> Any help is greatly appreciated,
>
> Cheers,
> Brian

-Richard





RE: [Leaf-user] Firewall setup Questions, Newbie

2002-01-29 Thread Brian Downey

Apologies, I'll be clearer.
All the machines reside behind the router. The DHCP box assigns real routable IP's.
There are also several machines with set IP's in the same range which cannot
change. The LEAF box could do the DHCP job but I'd prefer to leave the current
machine as is. What I'm looking to do is put the LEAF box immediately behind
the router/gateway and in front of all machines in the network. As the gateway
is already set up and DHCP is taken care of I just need to configure a LEAF
to be a transparent firewall.

Thanks again. 
Brian.





Sendto usage (was Re: [Leaf-user] Firewall Setup)

2002-01-14 Thread Jeff Newmiller

On Mon, 14 Jan 2002, Dr. Richard W. Tibbs wrote:

> 
> I have sporadically had the same problem, probably due to network 
> misconfig on my end.
> What I am still curious about --- maybe someone can explain this --- is 
> why a unix socket system call, sendto(), is being invoked by ping --- 
> which assumedly would be using inet calls like listen() and accept().
> Sendto() should only be used for IPC on the same machine, right?

No.  I haven't done much network programming, but I am pretty sure
sendto should be used whenever you want to send a connectionless message.

[...]

---
Jeff Newmiller
DCN: <[EMAIL PROTECTED]>
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---


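Mark's and Jeff's point, that sendto() is the ordinary call for any connectionless datagram and that ping uses it to hand an ICMP echo request to the kernel, as an added Python example that is not code from the thread: it builds an echo request with the RFC 1071 checksum the way ping does, sends it with sendto() over loopback, and maps the errno ping would print back to a likely cause. Because a raw ICMP socket needs CAP_NET_RAW, the bytes are sent as a UDP datagram here (an assumption made so the example runs unprivileged); the function names are this example's own.

```python
"""Why ping's error reads "sendto(): operation not permitted".

Added example, not code from the thread.  ping builds an ICMP echo request
and hands it to sendto() on a raw socket.  A raw socket needs CAP_NET_RAW,
so this example sends the same bytes as a UDP datagram over loopback, which
exercises the identical sendto()/recvfrom() path without privileges.  When
a packet-filter rule rejects the outgoing packet, the kernel fails the
sendto() call with errno EPERM, which is the message this thread is about.
All function names here are this example's own.
"""
import errno
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0; checksum is computed with the checksum field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def checksum_is_valid(packet: bytes) -> bool:
    """A correct packet sums to zero when the checksum field is included."""
    return inet_checksum(packet) == 0


def classify_sendto_error(err: OSError) -> str:
    """Map the errno ping prints after 'sendto():' to the likely cause."""
    if err.errno == errno.EPERM:
        return "firewall: a DENY/REJECT rule matched the outgoing packet"
    if err.errno == errno.ENETUNREACH:
        return "routing: no route to the destination"
    return "other: " + (err.strerror or str(err.errno))


def send_datagram_loopback(packet: bytes, timeout: float = 2.0) -> dict:
    """Send `packet` with sendto() to a receiver on 127.0.0.1 and read it back."""
    rx = tx = None
    try:
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.bind(("127.0.0.1", 0))            # ephemeral port chosen by the kernel
        rx.settimeout(timeout)
        tx.settimeout(timeout)
        sent = tx.sendto(packet, rx.getsockname())   # the call ping's error names
        data, peer = rx.recvfrom(65535)
        return {"ok": True, "sent": sent, "received": data, "peer": peer[0]}
    except OSError as err:                   # ping prints sendto(): <strerror> here
        return {"ok": False, "error": classify_sendto_error(err)}
    finally:
        for sock in (rx, tx):
            if sock is not None:
                sock.close()


if __name__ == "__main__":
    pkt = icmp_echo_request(0x1234, 1, b"abcdefgh")
    print("echo request:", pkt.hex(), "checksum ok:", checksum_is_valid(pkt))
    print("loopback result:", send_datagram_loopback(pkt))
```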