RE: [leaf-user] Dachstein-CD eth3 / DMZ error
Actually, I'd like to make a correction to this last e-mail. I did some double checking and a lot of rebooting.

I *can* access the DMZ from both my internal nets (eth1 and eth3). I can type the private IP address of the DMZ server into the web browser and I have pages come back. But entering the public IP address of the DMZ server into the web browser yields no response (from the internal nets).

I can ping the public IP from inside the internal net(s). But computers outside my own network(s) can not ping the public IP. The router can ping the additional IP on the external interface.

I replicated this on another Dachstein-CD boot box on another DSL and had the same problem, only this one has just the DMZ and the eth1 internal interfaces.

Sorry for the mis-information, but I didn't find this out until I put together a brand new Dachstein CD 1.02 and loaded it on a different computer that I am building.

Thanks
Alec

-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 11, 2002 10:47 AM
To: Alec Miller; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD eth3 / DMZ error

> > ahhh... this is the part that I didn't understand: how to push the packets into the DMZ via the extra eth0 IP addy. Sweet, thanks.. but now I am finding another issue (heh, keeps getting better and better though). The traffic is going in but not coming back out from within my own private nets (see below). The public can get in... but not me. I am guessing this is another multi-internal net scripting issue??
>
> Hmm... I'm not sure what's going on... what IP are you trying to use to get to the web-server? The public port-forwarded IP (66.93.80.148), or the private IP (192.168.2.1)? Exactly what happens when you try connecting with either IP?
>
> You may have to wait until I can get a test network setup again, switch to a proxy-ARP based DMZ, or gather some detailed diagnostic information (since my test network is still sitting in the garage, disconnected after my office move at the end of last month). If you want to do the latter, please try the following:
>
> - Reboot your firewall to provide a clean slate... you might even want to disconnect your upstream link (if you're not using dhclient to configure the external interface)
>
> - Log in and manually add some packet tracing ipchains rules:
>
>     ipchains -I input -l
>     ipchains -I forward -l
>     ipchains -I output -l
>
> - Try connecting to your DMZ web-server from both internal networks, using both IP's above (for a total of four different connection attempts).
>
> - Run: net ipfilter list /tmp/ipfilter.list
>
> - Send me the results of the above command, as well as the contents of /var/log/syslog, and the files /etc/network.conf and /etc/ipfilter.conf
>
> - Clear your manually added ipchains rules (change the -I to -D in the commands above) or just re-boot.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

---
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Dachstein-CD eth3 / DMZ error
On Wednesday 14 August 2002 14:51, Alec Miller wrote:

> Actually, I'd like to make a correction to this last e-mail. I did some double checking and a lot of rebooting. I *can* access the DMZ from both my internal nets (eth1 and eth3). I can type the private IP address of the DMZ server into the web browser and I have pages come back. But entering the public IP address of the DMZ server into the web browser yields no response (from the internal nets).

The standard IP-spoofing rules included in our stock firewalls block internal machines from using the public IP address of the router. If it were not this way, anyone on the internet could spoof your router's external IP address and access everything as if they were your router. On internal machines, use the internal IP address.

> I can ping the public IP from inside the internal net(s). But computers outside my own network(s) can not ping the public IP. The router can ping the additional IP on the external interface.

OK, but can you access the DMZ service??? Have you opened the port(s) on the firewall and port-forwarded them to the DMZ??? See the FAQ:
http://sourceforge.net/docman/display_doc.php?docid=10418group_id=13751

I hope this helps!

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] Dachstein-CD eth3 / DMZ error
List added back in... comments in-line.

> ok, good fix, no more ipchains errors when reloading the net configs, no more denys from the internal nets. I now only get denys from the outside trying to access the DMZ. And I can't access the DMZ (nothing gets denied, just no response back).

Now, all you need to do is allow packets from the internet through the firewall for the services you're port-forwarding to the DMZ... more below.

> so here is my config:
>
> VERBOSE=YES
> MAX_LOOP=10
> IPFWDING_KERNEL=FILTER_ON
> IPALWAYSDEFRAG_KERNEL=YES
> CONFIG_HOSTNAME=YES
> CONFIG_HOSTSFILE=YES
> CONFIG_DNS=YES
> IF_AUTO="eth0 eth1 eth2 eth3"
> IF_LIST="$IF_AUTO"
> ALLIF_ACCEPT_REDIRECTS=NO
> DEF_IP_SPOOF=YES
> DEF_IP_KRNL_LOGMARTIANS=NO
> BRG_SWITCH=NO
>
> eth0_IPADDR=66.93.80.54
> eth0_MASKLEN=24
> eth0_BROADCAST=66.93.80.255
> eth0_DEFAULT_GW=66.93.80.1
> eth0_IP_EXTRA_ADDRS=66.93.80.148
>
> ++ Do I need to use this???
> #eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"

You don't need to use any of the iface_ROUTES variables unless your network architecture includes networks that are *NOT* directly attached to the Dachstein box, *AND* these networks are *NOT* reached via the default gateway. This setting also comes in handy if you're running a proxy-arp DMZ, which uses routing tables to split up a single subnet connected to two physical interfaces. Most users can safely leave this commented (undefined).

> eth0_IP_SPOOF=YES
> eth0_IP_KRNL_LOGMARTIANS=NO
> eth0_IP_SHARED_MEDIA=NO
> eth0_BRIDGE=NO
>
> eth1_IPADDR=192.168.65.254
> eth1_MASKLEN=24
> eth1_BROADCAST=192.168.65.255
> eth1_IP_SPOOF=YES
> eth1_IP_KRNL_LOGMARTIANS=NO
>
> eth2_IPADDR=192.168.2.254
> eth2_MASKLEN=24
> eth2_BROADCAST=192.168.2.255
> #eth2_ROUTES=
> eth2_IP_SPOOF=YES
> eth2_IP_KRNL_LOGMARTIANS=NO
>
> eth3_IPADDR=10.72.104.97
> eth3_MASKLEN=28
> eth3_BROADCAST=10.72.104.111
> eth3_IP_SPOOF=YES
> eth3_IP_KRNL_LOGMARTIANS=NO
>
> IPFILTER_SWITCH=firewall
> EXTERN_IF=eth0
> EXTERN_DHCP=NO
> EXTERN_DYNADDR=NO
> EXTERN_UDP_PORT0="0/0 domain"
> EXTERN_TCP_PORT0="0/0 domain"
> EXTERN_TCP_PORT1="0/0 www"
> EXTERN_TCP_PORT2="0/0 25"
> EXTERN_TCP_PORT3="0/0 110"
> EXTERN_TCP_PORT4="0/0 143"
>
> INTERN_IF=eth1
> INTERN_NET="192.168.65.0/24 10.72.104.96/28"
> INTERN_IP=192.168.65.254
> MASQ_SWITCH=YES
> INTERN_SMTP_SERVER=192.168.65.4
> INTERN_POP3_SERVER=192.168.65.4
> INTERN_IMAP_SERVER=192.168.65.4
>
> DMZ_SWITCH=PRIVATE
> DMZ_IF=eth2
> DMZ_NET=192.168.2.0/24
> DMZ_SERVER0="tcp 66.93.80.148 www 192.168.2.1 www"
> DMZ_SERVER1="tcp 66.93.80.148 ftp 192.168.2.1 ftp"
> DMZ_OUTBOUND_ALL=YES

The DMZ_SERVER entries only create the port-forwarding... you still have to allow the traffic through the firewall filters. You can do this using the EXTERN_TCP_PORTS indexed list, ie:

    # Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
    EXTERN_TCP_PORT5="0/0 www 66.93.80.148"
    EXTERN_TCP_PORT6="0/0 ftp 66.93.80.148"

Note: if you don't specify the optional destination address, EXTERN_IP is used by default.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
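The point Charles makes above (DMZ_SERVERn only sets up the port-forward, the EXTERN_TCP_PORTn indexed list opens the filter, and an omitted destination falls back to EXTERN_IP) as an added example. This is not Dachstein's own script: the rule layout, the render_tcp_port/render_all helpers and the way the indexed list is walked are assumptions for illustration, the addresses are the ones from the config quoted above, and every rule is echoed rather than handed to ipchains.

```shell
#!/bin/sh
# Added example, not Dachstein's own code. Renders an indexed
# EXTERN_TCP_PORTn list ("SrcAddr/Mask port [DestAddr[/Mask]]") into
# ipchains input-chain rules and prints them, so the effect of leaving
# the destination off can be seen without a kernel that has ipchains.
# All values below are constructed to match the config in the thread.

EXTERN_IF=eth0
EXTERN_IP=66.93.80.54          # primary address: the default destination
IPCH="ipchains"                # only used as text here, never executed

EXTERN_TCP_PORT0="0/0 www"                  # destination omitted -> EXTERN_IP
EXTERN_TCP_PORT1="0/0 www 66.93.80.148"     # explicit extra address (DMZ www)
EXTERN_TCP_PORT2="0/0 ftp 66.93.80.148"     # explicit extra address (DMZ ftp)

# render_tcp_port "SrcAddr/Mask port [DestAddr[/Mask]]"
# Prints one ACCEPT rule for the external interface. The port field must
# be present and must not look like an address (a "/" in the port slot is
# the "invalid port/service" error ipchains would otherwise emit).
render_tcp_port() {
    set -- $1                          # split the entry on whitespace
    src=$1; port=$2; dst=${3:-$EXTERN_IP}
    case $port in
        ''|*/*) echo "bad entry: missing or malformed port '$port'" >&2; return 1 ;;
    esac
    echo "$IPCH -A input -j ACCEPT -p tcp -i $EXTERN_IF -s $src -d $dst $port"
}

# render_all walks EXTERN_TCP_PORT0, EXTERN_TCP_PORT1, ... until the first
# index that is unset, the same way an indexed list is consumed.
render_all() {
    i=0
    while :; do
        eval entry=\"\${EXTERN_TCP_PORT$i}\"
        [ -n "$entry" ] || break
        render_tcp_port "$entry"
        i=$((i+1))
    done
}

render_all
```

Running it prints three rules; the first is aimed at 66.93.80.54 because no destination was given, the other two at the extra address 66.93.80.148 that the DMZ_SERVER entries forward from. A rule whose port slot holds a CIDR is rejected by render_tcp_port instead of being emitted.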
Re: [leaf-user] Dachstein-CD eth3 / DMZ error
> Now here is the error I get when I run 'svi network reload'. I have tracked it down to the DMZ_SERVERx list. When I comment them out the error list shrinks.
>
>     IP filters: /sbin/ipchains: can only specify ports for icmp, tcp or udp
>     Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
>     /sbin/ipchains: invalid port/service `10.72.104.96/28' specified
>     Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
>     /sbin/ipchains: invalid port/service `10.72.104.96/28' specified
>     Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
>     /etc/init.d/network: [B/sbin/ipchains: not found
>     firewall [IP Forwarding: ENABLED]
>
> And when I turn the DMZ=NO I have this error:
>
>     Starting Network: [IP Always Defrag: ENABLED]
>     IP filters: /etc/init.d/network: [B/sbin/ipchains: not found
>
> I've been staring at this for hours and can't figure out what is causing it.
>
> Thanks in advance

It's hard to say exactly what's wrong, but I think one (or more) of the files used to configure networking/firewall rules has gotten corrupted... possibly a DOS/Unix EOL mis-match, or perhaps an incorrect/unrecognized escape character sequence in a remote editor window (it sure looks like the [B got accidentally added before /sbin/ipchains, to create the last error above, and there could be other hidden problems).

It looks like you've got the DMZ configuration variables set correctly, so I'd try running a DOS-Unix EOL converter, looking through the configuration files manually, and/or possibly copying them from a fresh Dachstein image and re-configuring network.conf.

FYI, files involved in setting up networking/firewalls, and hence possibly causing errors if corrupted, include:

    /etc/init.d/network
    /etc/network.conf
    /etc/ipfilter.conf
    /etc/ipchains.*

You can do the dos2unix conversion with your favorite tool/editor on a remote system (move files via ssh/scp/floppy/whatever), or directly on the firewall with sed (requires crafty shell quoting) or something like charconv (available from my site: http://lrp.steinkuehler.net/files/packages/Utilities/charconv ).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [leaf-user] Dachstein-CD eth3 / DMZ error
I managed to get the 'IP filters: /etc/init.d/network: [B/sbin/ipchains: not found' error to go away by replacing the ipfilter.conf and networks file with new ones, but I still have the invalid port/service error. Before I redo a new network.conf, does this bug still exist??

Re: [Leaf-user] 4 NIC LRP -Dachstein CD- only one internal IP forwards to internet
http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg05123.html

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, August 09, 2002 1:19 PM
To: Alec Miller; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD eth3 / DMZ error
Re: [leaf-user] Dachstein-CD eth3 / DMZ error
> I managed to get the 'IP filters: /etc/init.d/network: [B/sbin/ipchains: not found' error to go away by replacing the ipfilter.conf and networks file with new ones, but I still have the invalid port/service error. Before I redo a new network.conf, does this bug still exist??
>
> Re: [Leaf-user] 4 NIC LRP -Dachstein CD- only one internal IP forwards to internet
> http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg05123.html

Yes, I believe this bug still exists (at least it's still in the latest Dachstein release I'm running)... good job finding this on the mailing list... I'd forgotten about that bug, and my development server with the todo bug lists is still off-line after my big office move at the end of last month :(

Anyway, if you want to continue to use a private DMZ (your other option would be Static-NAT or Proxy-ARP), you can play guinea pig and try the following...

You'll need to change the DMZ_reverse_masq procedure in /etc/ipfilter.conf... it's got the only reference to INTERN_IF in the whole file, so it's easy to find.

Find the following lines which provide reverse-masquerading for port-forwarded DMZ connections when accessed from the internal network:

    # For internal connections
    $IPCH -A forward -j MASQ -p $1 -s $DMZ_NET $DST_PORT \
        -d $INTERN_NET -i $INTERN_IF

Change to the following to support multiple internal networks:

    # For internal connections
    for NET in $INTERN_NET; do
        $IPCH -A forward -j MASQ -p $1 -s $DMZ_NET $DST_PORT \
            -d $NET
    done; unset NET

This change should allow multiple internal networks with a private DMZ.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
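The DMZ_reverse_masq change above, reproduced as an added example that is not the Dachstein ipfilter.conf itself. $IPCH is pointed at echo so the rules it would build can be read on any POSIX shell; DMZ_NET, INTERN_IF and the two-network INTERN_NET are constructed to match the thread; DST_PORT is assumed to be the bare service port; and lint_rule is a hypothetical helper that mimics one thing about how ipchains reads a rule (the token after "-s ADDR" or "-d ADDR" is a port), which is enough to reproduce the "invalid port/service `10.72.104.96/28'" complaint from the original single-rule form.

```shell
#!/bin/sh
# Added example, not Dachstein's own ipfilter.conf. Shows why the original
# DMZ_reverse_masq line breaks with two internal networks and what the loop
# produces instead. IPCH is a dry-run stand-in: rules are printed, not loaded.
# All addresses and names are constructed to match the thread.

IPCH="echo ipchains"
DMZ_NET=192.168.2.0/24
INTERN_IF=eth1
INTERN_NET="192.168.65.0/24 10.72.104.96/28"   # two internal networks

# Original fragment ($1 = protocol, $2 = port). INTERN_NET is expanded
# unquoted into a single rule, so the second network ends up in the slot
# where ipchains expects a destination port.
dmz_reverse_masq_old() {
    DST_PORT=$2
    $IPCH -A forward -j MASQ -p $1 -s $DMZ_NET $DST_PORT \
        -d $INTERN_NET -i $INTERN_IF
}

# Fixed fragment: one rule per network; the -i $INTERN_IF match is dropped
# because each network now lives behind its own interface.
dmz_reverse_masq_new() {
    DST_PORT=$2
    for NET in $INTERN_NET; do
        $IPCH -A forward -j MASQ -p $1 -s $DMZ_NET $DST_PORT \
            -d $NET
    done; unset NET
}

# lint_rule RULE: approximate the ipchains parser's view of one rule. The
# token after "-s ADDR" or "-d ADDR" that does not start with "-" is a
# port; a port containing "/" is the "invalid port/service" error above.
lint_rule() {
    prev=""; expect_port=0
    for tok in $1; do
        if [ "$expect_port" = 1 ]; then
            expect_port=0
            case $tok in
                -*) ;;                                   # next option, no port
                */*) echo "invalid port/service \`$tok' specified" >&2; return 1 ;;
            esac
        fi
        case $prev in -s|-d) expect_port=1 ;; esac
        prev=$tok
    done
    return 0
}

echo "# original (one rule, both networks):"
old_rule=$(dmz_reverse_masq_old tcp www)
echo "$old_rule"
lint_rule "$old_rule" || echo "# -> rejected, as ipchains did"

echo "# fixed (one rule per network):"
dmz_reverse_masq_new tcp www | while read -r rule; do
    echo "$rule"
    lint_rule "$rule" && echo "# -> ok"
done
```

The old form emits one command whose destination field reads "192.168.65.0/24 10.72.104.96/28", and lint_rule rejects it on the second CIDR just as ipchains did in the reload output quoted earlier; the loop emits two commands that each carry a single -d network and pass.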
RE: [leaf-user] Dachstein-CD eth3 / DMZ error
OK, that change seems to have removed the "/sbin/ipchains: invalid port/service `10.72.104.96/28'" error. I am getting this error now:

    IP filters: /sbin/ipchains: can only specify ports for icmp, tcp or udp
    Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.

and these denys:

    Packet log: forward DENY eth2 PROTO=6 10.72.104.98:1559 192.168.2.1:80
    Packet log: forward DENY eth2 PROTO=6 192.168.65.12:3590 192.168.2.1:80

when I type in the URL to the host in the DMZ. I am guessing I have a misconfig in the network.conf that blocks traffic into the DMZ from the eth0_IP_EXTRA_ADDRS? (which I never figured out from the start)

Thanks again,
Alec

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, August 09, 2002 4:01 PM
To: Alec Miller; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD eth3 / DMZ error
RE: [leaf-user] Dachstein-CD eth3 / DMZ error
Oh, and I started out from scratch with a new network.conf too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, August 09, 2002 4:01 PM
To: Alec Miller; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD eth3 / DMZ error