On 14/11/2016 at 00:48, deloptes wrote:
Pascal Hambourg wrote:
Well then, all I can suggest is to run a packet capture and try to see
what's going on.
I guess you mean on the firewall?
Yes.
Henning Follmann wrote:
> Last time I chime in here.
> I understand growth and chaos, believe me. However sometimes we need a
> nudge or a kick in the butt to clean up. Maybe this is your call..
It is kicking me and calling me for some time but I can not do this before
next summer. I have to sit
On Mon, Nov 14, 2016 at 12:45:20AM +0100, deloptes wrote:
> Henning wrote:
>
> > And usually there is no reason for two separate rfc1918 address ranges.
> > Pick one matching your address space needs and design subnets.
> > There is only one single reason for nat: you have more hosts than routable
deloptes wrote:
> Igor Cicimov wrote:
>
>> Run tcpdump and check what's happening
>
> That is strange - I will look into this direction - let me know if you
> have any ideas
>
> regards
>
>
> tcpdump -vvv dst 10.0.0.7
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65
Igor Cicimov wrote:
> Run tcpdump and check what's happening
That is strange - I will look into this direction - let me know if you have
any ideas
regards
tcpdump -vvv dst 10.0.0.7
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
08:07:11.591763 ARP, Ethernet (l
On 13 Nov 2016 11:20 am, "deloptes" wrote:
>
> Joe wrote:
>
> > On Sat, 12 Nov 2016 22:15:45 +0100
> > deloptes wrote:
> >
> >> Hi,
> >> I need some help and I'll appreciate it.
> >>
> >> I have a firewall with iptables behind the modem.
> >> on this firewall I have
> >> eth0 with ip 10..
On 14 Nov 2016 12:50 am, "Pascal Hambourg" wrote:
>
> On 13/11/2016 at 13:37, Joe wrote:
>>>
>>>
>>> PPTP rather falls into the "complex protocols" described below.
>>
>>
>> Exactly so. You wouldn't believe how many routers of ten years ago or
>> so didn't handle it properly, at least with their
Pascal Hambourg wrote:
> Well then, all I can suggest is to run a packet capture and try to see
> what's going on.
I guess you mean on the firewall? I am not even sure I can install tcpdump
there, but I will try and ask again for help here for sure
thanks
Henning wrote:
> And usually there is no reason for two separate rfc1918 address ranges.
> Pick one matching your address space needs and design subnets.
> There is only one single reason for nat: you have more hosts than routable
> ip addresses. I guess 10.0.0.0 meets even the biggest organizatio
> On Nov 13, 2016, at 5:19 PM, Pascal Hambourg wrote:
>
>> On 13/11/2016 at 22:27, Henning wrote:
>> I followed this thread and I wonder if there is a sane reason why you do nat
>> inside your network. Why don't you just route between different subnets i.e.
>> 10.0.1.0/24 and 10.0.2.0/24
>
On 13/11/2016 at 21:43, deloptes wrote:
Pascal Hambourg wrote:
replace 10.0.0.1/32 with 10.0.0.0/24 it does not work
You should double check that.
I checked and replaced 10.0.0.1/32 with 10.0.0.0/24.
Just insert this rule and check whether it changes anything:
iptables -I FORWARD -j ACCEP
On 13/11/2016 at 22:27, Henning wrote:
I followed this thread and I wonder if there is a sane reason why you do nat
inside your network. Why don't you just route between different subnets i.e.
10.0.1.0/24 and 10.0.2.0/24
Probably because the modem and hosts in 10.0.0.0/24 don't know about
I followed this thread and I wonder if there is a sane reason why you do nat
inside your network. Why don't you just route between different subnets i.e.
10.0.1.0/24 and 10.0.2.0/24
you still can have a firewall between those subnets
-H
Pascal Hambourg wrote:
>> replace 10.0.0.1/32 with 10.0.0.0/24 it does not work
>
> You should double check that.
>
I checked and replaced 10.0.0.1/32 with 10.0.0.0/24.
>>> This ruleset does not need improvements but a total rewrite.
>>
>> Yes I was thinking the same, I'll put it on the TODO. I ev
On 13/11/2016 at 20:40, deloptes wrote:
Pascal Hambourg wrote:
Did you check the routing table on the firewall and the targets? Do
they have a route to all the 10.0.0.0/24 range ?
the one I posted is on the firewall - firewall is the one I am trying to
modify.
The one you posted? I didn
Pascal Hambourg wrote:
> On 13/11/2016 at 16:05, deloptes wrote:
>>
>> These are the rules - a friend created this like 10y ago. I added a few
>> rules to forward ports from outside to the intranet and to be able to
>> handle VPN.
>> You can ignore 192.168.60.1 on eth2 - not used.
>
> IMO, this
On 13/11/2016 at 16:05, deloptes wrote:
These are the rules - a friend created this like 10y ago. I added a few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore 192.168.60.1 on eth2 - not used.
IMO, this ruleset is totally insane.
However, afte
Michael Milliman wrote:
> Again, posting the exact ruleset would be helpful.
These are the rules - a friend created this like 10y ago. I added a few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore 192.168.60.1 on eth2 - not used.
Another important
On 13/11/2016 at 13:37, Joe wrote:
PPTP rather falls into the "complex protocols" described below.
Exactly so. You wouldn't believe how many routers of ten years ago or
so didn't handle it properly, at least with their initial firmware. But
Why wouldn't I? Knowing how NAT is tricky, I am
On Sun, 13 Nov 2016 11:29:48 +0100
Pascal Hambourg wrote:
> On 13/11/2016 at 11:09, Joe wrote:
> > Pascal Hambourg wrote:
> >
> >> On 12/11/2016 at 23:32, Joe wrote:
> >>>
> >>> The SNAT should not be an issue, it can handle all protocols
> >>> transparently
> >>
> >> No it cannot. NAT
On 11/12/2016 06:19 PM, deloptes wrote:
Joe wrote:
On Sat, 12 Nov 2016 22:15:45 +0100
deloptes wrote:
Hi,
I need some help and I'll appreciate it.
I have a firewall with iptables behind the modem.
on this firewall I have
eth0 with ip 10..1 to the modem ip: 10..12
eth1 wi
On 13/11/2016 at 11:09, Joe wrote:
Pascal Hambourg wrote:
On 12/11/2016 at 23:32, Joe wrote:
The SNAT should not be an issue, it can handle all protocols
transparently
No it cannot. NAT is not possible with some IP protocols. Plain IPSec
(without NAT-T encapsulation) is the first one that comes to mind
On Sun, 13 Nov 2016 10:35:29 +0100
Pascal Hambourg wrote:
> On 12/11/2016 at 23:32, Joe wrote:
> >
> > The SNAT should not be an issue, it can handle all protocols
> > transparently
>
> No it cannot. NAT is not possible with some IP protocols. Plain IPSec
> (without NAT-T encapsulation) is
On 13/11/2016 at 01:19, deloptes wrote:
Yes, it is not working
How is it not working? What do you do and what happens?
From one computer ip 10..6 I can ssh to 10..7 and vice versa.
That does not concern the firewall between the modem and the LAN.
I also see that iptables forwards to the outp
On 12/11/2016 at 23:32, Joe wrote:
The SNAT should not be an issue, it can handle all protocols
transparently
No it cannot. NAT is not possible with some IP protocols. Plain IPSec
(without NAT-T encapsulation) is the first one that comes to mind.
Also many complex protocols such as FTP or
Joe wrote:
> On Sat, 12 Nov 2016 22:15:45 +0100
> deloptes wrote:
>
>> Hi,
>> I need some help and I'll appreciate it.
>>
>> I have a firewall with iptables behind the modem.
>> on this firewall I have
>> eth0 with ip 10..1 to the modem ip: 10..12
>> eth1 with ip 192..1 to the i
On Sat, 12 Nov 2016 22:15:45 +0100
deloptes wrote:
> Hi,
> I need some help and I'll appreciate it.
>
> I have a firewall with iptables behind the modem.
> on this firewall I have
> eth0 with ip 10..1 to the modem ip: 10..12
> eth1 with ip 192..1 to the intranet
>
> iptables is
Hi,
I need some help and I'll appreciate it.
I have a firewall with iptables behind the modem.
on this firewall I have
eth0 with ip 10..1 to the modem ip: 10..12
eth1 with ip 192..1 to the intranet
iptables is doing SNAT from 192..1 to 10..1
I wonder how I can ssh from 192..NN t
Erwan David wrote:
>On 09/11/2013 23:06, Shawn Wilson wrote:
>> Redhat has something called firewalld which generates rules based on
>> zones. I don't use it because using dbus to help manage rules scares
>> me. But it's there and could be what you want.
>>
>>
>I use fwbuilder which helps to def
On 09/11/2013 23:06, Shawn Wilson wrote:
> Redhat has something called firewalld which generates rules based on zones. I
> don't use it because using dbus to help manage rules scares me. But it's
> there and could be what you want.
>
>
I use fwbuilder which helps to define elaborate rules;
Shawn Wilson wrote:
>
> Pascal Hambourg wrote:
>>
>> Unless recent change I am not aware of, you cannot specify an address
>> range in -s or -d. You must use the "iprange" match instead (or ipset if
>> your kernel supports it).
>
> Also, idk any way to match interface with ipset
I did not su
Pascal Hambourg wrote:
>Hello,
>
>Bill.M wrote:
>>
>> In IPTables one can specify multiple addresses, and multiple ports,
>> but
>> is there any way to specify multiple interfaces?
>>
>> For example, -m multiport --destination-port 22,25,80
>>
>> Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s
Hello,
Bill.M wrote:
>
> In IPTables one can specify multiple addresses, and multiple ports, but
> is there any way to specify multiple interfaces?
>
> For example, -m multiport --destination-port 22,25,80
>
> Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10
In addition to Dav
Redhat has something called firewalld which generates rules based on zones. I
don't use it because using dbus to help manage rules scares me. But it's there
and could be what you want.
David F wrote:
>On 11/09/2013 12:47 PM, Bill.M wrote:
>> But is there any way to specify both eth0 and wlan0 a
On 11/09/2013 12:47 PM, Bill.M wrote:
> But is there any way to specify both eth0 and wlan0 as equally valid
> interfaces on my laptop depending on whether it's in my dock or on the road?
>
> For example, -i wlan0,eth0 or -o wlan0,eth0
> Is something like these possible?
* You can avoid specifying
Hi folks,
In IPTables one can specify multiple addresses, and multiple ports, but
is there any way to specify multiple interfaces?
For example, -m multiport --destination-port 22,25,80
Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10
But is there any way to specify both eth0 an
Hilco Wijbenga wrote at 2011-05-03 18:21 -0500:
> On a related note, the logging only logs the packet, but no timestamp.
> Is that configurable somewhere?
/etc/rsyslog.conf I suppose?
On 3 May 2011 16:21, Hilco Wijbenga wrote:
> Hi all,
>
> I'm attempting to set up a simple firewall on a virtual server. I have
> the following:
>
> iptables --flush
> iptables -t nat --flush
> iptables -t mangle --flush
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables -
Hi all,
I'm attempting to set up a simple firewall on a virtual server. I have
the following:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i venet0 -m state --s
> From: I Rattan [mailto:ratt...@cps.cmich.edu]
> Sent: Thursday, September 10, 2009 2:03 PM
>
> I asked about a modem dialin server problem. I saw
> no response, so I rephrase it.
>
> The Linux box is connected to Internet on 141.209.169.x
>
> The dialin ppp (Linux end) ipaddr is 192.168.0.10
For firewall relative question there's another, more specific, mail list:
debian-firew...@lists.debian.org
Anyway, if you are using ppp to connect to your ISP, the ppp0 interface
should have a public IP address not a private one like 192.168.0.10. In
order to enable kernel ipv4 forwarding you must
I asked about a modem dialin server problem. I saw
no response, so I rephrase it.
The Linux box is connected to Internet on 141.209.169.x
The dialin ppp (Linux end) ipaddr is 192.168.0.10
The dialing client gets ipaddr 192.168.0.11
How do I make iptables forward from 192.168.x.x
to 1
On 2009-08-26 10:36 (-0400), I. Rattan wrote:
> Is it possible to restrict access by user-id
> under iptables firewall?
>
> If so, pointers to the info/example will be appreciated.
Does "man iptables" qualify as a pointer? In the "owner" module there is the
--uid-owner option.
--
To UNSUBSCRIBE, email
Is it possible to restrict access by user-id
under iptables firewall?
If so, pointers to the info/example will be appreciated.
-ishwar
On Mon,12.Jan.09, 14:50:48, Paul Cartwright wrote:
> I used to be able to ssh to my desktop, then.. I couldn't (sounds like my
> K3B issue :).
> I noticed someone else with a message about iptables, and I basically copied
> his script:
> # iptables -I INPUT -p tcp -m state --state NEW --dport
I used to be able to ssh to my desktop, then.. I couldn't (sounds like my K3B
issue :).
I noticed someone else with a message about iptables, and I basically copied
his script:
# iptables -I INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
except changed it to my ssh port 22. Now I
Koh Choon Lin wrote:
>>> Be careful with IMAP, though. One of my users has well over 500MB of
>>> mail on my server that she apparently doesn't know how to delete (I
>>> know, I know).
>> How can you not know how to delete? (No, seriously, I'm not tr
On Sat, 03 Jan 2009 20:49:35 -0500, Napoleon wrote:
> Justin Piszcz wrote:
>>
>>
>> On Thu, 1 Jan 2009, Napoleon wrote:
>>
>>> I'll admit I'm still pretty green at a lot of this (lots of experience
>>> in computers, little in Linux) and don't understand everything. But
>>> I'm trying to learn,
>> Be careful with IMAP, though. One of my users has well over 500MB of
>> mail on my server that she apparently doesn't know how to delete (I
>> know, I know).
>
> How can you not know how to delete? (No, seriously, I'm not trying to be
> sarcastic...)
Maybe they are trying to take after Gmail -
On 01/03/09 21:58, ghe wrote:
[snip]
Be careful with IMAP, though. One of my users has well over 500MB of
mail on my server that she apparently doesn't know how to delete (I
know, I know).
How can you not know how to delete? (No, seriously, I'm not trying
to be sarcastic...)
--
Ron Johnson
ghe writes:
> Be careful with IMAP, though. One of my users has well over 500MB of mail
> on my server that she apparently doesn't know how to delete (I know, I
> know).
Heh. My "user" (my wife) has about 150MB (text only) in /var/mail. Some
of it is 20 years old.
--
John Hasler
Boyd Stephen Smith Jr. wrote:
> I've recently had good luck with dovecot, which handles pop3 and pop3s.
> I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I
> set up dovecot.
Dovecot also does SASL authentication for P
On Saturday 2009 January 03 19:49:35 Napoleon wrote:
> I also tried to find the support forums for qpopper, but the only ones I
> found hadn't had a post in over 2 years. So maybe I need to change pop3
> servers.
I've recently had good luck with dovecot, which handles pop3 and pop3s.
I'll als
On 01/03/09 19:49, Napoleon wrote:
[snip]
I also tried to find the support forums for qpopper, but the only ones I
found hadn't had a post in over 2 years. So maybe I need to change pop3
servers.
Unless you are running an ISP, you should really ditch POP and move
your mail to an IMAP "stor
Justin Piszcz wrote:
On Thu, 1 Jan 2009, Napoleon wrote:
I'll admit I'm still pretty green at a lot of this (lots of experience
in computers, little in Linux) and don't understand everything. But
I'm trying to learn, so please go easy on me :-)
I've been having a problem with dictionary h
On Thu, Jan 1, 2009 at 5:44 PM, David Schmidt wrote:
> Here is how I implemented it, coincidentally today :)
>
>
># Allow already established traffic
>$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT
>
># No more than 2 connection attempts per 2
>#
Here is how I implemented it, coincidentally today :)
# Allow already established traffic
$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT
# No more than 2 connection attempts per 2
# minutes to prevent brute force attacks
# log blocked at
On Thu, 1 Jan 2009, Napoleon wrote:
I'll admit I'm still pretty green at a lot of this (lots of experience in
computers, little in Linux) and don't understand everything. But I'm trying
to learn, so please go easy on me :-)
I've been having a problem with dictionary hacker attempts on my s
Napoleon wrote:
> I'll admit I'm still pretty green at a lot of this (lots of experience
> in computers, little in Linux) and don't understand everything. But I'm
> trying to learn, so please go easy on me :-)
>
> I've been having a problem with dictionary hacker attempts on my system
> (hundr
I'll admit I'm still pretty green at a lot of this (lots of experience
in computers, little in Linux) and don't understand everything. But I'm
trying to learn, so please go easy on me :-)
I've been having a problem with dictionary hacker attempts on my system
(hundreds or even thousands a day
Hi Ann,
On 6/13/07, ann kok <[EMAIL PROTECTED]> wrote:
I just installed a new Debian,
but it seems there is no iptables in the default installation.
How can I install it?
I have used Guarddog to config my iptables.
It's very easy to use and it will take only about 15 - 30
mins reading the manual and setti
On Wed, 2007-06-13 at 15:47 -0700, ann kok wrote:
> Hi all
>
> I just installed a new Debian,
> but it seems there is no iptables in the default
> installation.
>
> How can I install it?
1) you can use a pre-written script like this one:
http://www.hermann-uwe.de/files/fw_laptop
Getting it going is discusse
Hi all
I just installed a new Debian,
but it seems there is no iptables in the default
installation.
How can I install it?
And
how can I install a new kernel?
Can you show me the steps?
Thank you
Got a little couch pot
Glenn English wrote:
I'm updating a RH ipchains packet filter script from the dim past to
iptables on Debian stable.
I noticed that when I specified the network the host is on (by IP/mask),
the iptables listing called it "localnet." So I tried using localnet in
the rule, and iptables seems to
I'm updating a RH ipchains packet filter script from the dim past to
iptables on Debian stable.
I noticed that when I specified the network the host is on (by IP/mask),
the iptables listing called it "localnet." So I tried using localnet in
the rule, and iptables seems to take it, and the chain s
On Mon, Apr 05, 2004 at 12:09:31PM -0500, hugo vanwoerkom wrote:
> + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
[ ... ]
> + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j
> REJECT
>
> Now I know nothing of iptables, but why can he do d
On Mon, Apr 05, 2004 at 02:08:35PM -0500, hugo vanwoerkom wrote:
> I'm trying it now with multiport + reject enabled in netfilter.
Check REJECT in /proc/net/ip_tables_targets and check for multiport
in /proc/net/ip_tables_matches. Using either loaded netfilter
modules or built in netfilter support
hugo vanwoerkom wrote:
Hi World!
The lokkit question yesterday by Faheem Mitha prompted me to install
lokkit on Sarge.
As Dircha pointed out: it don't work.
All lokkit does is create a little iptables script that sits in
/etc/default/lokkit.
Then upon boot lokkit in /etc/init.d executes that
Hi World!
The lokkit question yesterday by Faheem Mitha prompted me to install
lokkit on Sarge.
As Dircha pointed out: it don't work.
All lokkit does is create a little iptables script that sits in
/etc/default/lokkit.
Then upon boot lokkit in /etc/init.d executes that script.
As Dircha also
techlists wrote:
I have a box that I use for routing, it's running sid, with ipmasq on
it. It works fine for the most part. For a while I had an internal
axis webcam that was port forwarded. I used to put in the following at
the command prompt
iptables -t nat -A PREROUTING -j DNAT --proto tcp --dp
I have a box that I use for routing, it's running sid, with ipmasq on
it. It works fine for the most part. For a while I had an internal
axis webcam that was port forwarded. I used to put in the following at
the command prompt
iptables -t nat -A PREROUTING -j DNAT --proto tcp --dport
--to-d
I'd like to use pop3vscan to run clamscan. I added the following
iptables rule:
# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j
REDIRECT --to-port 8110
I then went through the procedures in /etc/default/iptables so that the
rule would remain after rebooting, but that doesn't se
> I'm using Debian 3.0r1 with kernel 2.4.19 as an iptables firewall
>
> I have internal webservers that I need to publish as Internet Sites. For
> this manipulation I'm using Apache ProxyPass. The site works perfectly under
> apache.. even when the internal host is an IIS.
>
> 1. How can I do it with
Firstly: iptables is the firewalling system built into the 2.4 kernel.
ipchains is the system from 2.2 (and an unsupported legacy option in
2.4). iptables is better in nearly every way, so use it if you can.
On Mon, Oct 28, 2002 at 07:18:39PM +, Alan Chandler wrote:
> On Monday 28 October 200
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Monday 28 October 2002 12:01 pm, [EMAIL PROTECTED] wrote:
> Hi,
>
> I successfully installed my new Debian server instead of the SUSE 7.2 that
> was on it. It was a lot easier to install and I knew what I was doing, or at
> least I thought I was :-)
>
Hi,
I successfully installed my new Debian server instead of the SUSE 7.2 that
was on it. It was a lot easier to install and I knew what I was doing, or at
least I thought I was :-)
I have installed the ipmasq package to share my internet connection.
All works ok. However, how does one customize the