hi all, >Ray Olszewski writes:
> they both resolve, as follows: > > inf.uajy.ac.id = 202.149.81.61 > mail.uajy.ac.id = 202.149.81.55 yes it's true. > collier:/usr/src/linux# host 202.149.81.61 > 202.149.81.61 does not exist, try again > collier:/usr/src/linux# host 202.149.81.55 > 202.149.81.55 does not exist, try again > > This is a DNS problem that should be fixed. It might be causing some of your i have asked the person in charge about this problem but still no answer yet. > inf=61 *is* ping'able from here, but mail=55 is *not (times out) hmmm that's strange.... mail=55 should be ping'able. after reading your review I was then gave it a try using my dial-up connection and the result, mail=55 was ping'able. > My browser returns home pages of both addresses: > > http://202.149.81.61/ = "Teknik Informatika" > http://202.149.81.55/ = "UAJYWebmail" these are also right. > Given the differences between my results and yours, I can only suggest that > you report the conditions of your tests more completely. > right now 202.149.81.61 and 202.149.81.55 are running behind a seperated firewall. I'm saying that each of them have their own firewall.I want to have only one firewall box for all of my servers, so I'm doing experiment with DCD. Sometimes to find out wheter my DCD is working or not, i switch the cables between the old firewall and my experiment DCD. If the DCD doesn't seems to work properly I switch back the cables to the old firewall. The following is my latest network.conf configuration based on Bela's and charles' advice. But I think there's something wrong with it. after reloading network, no ipmasqadm rules were listed when I did *svi network ipfilter list portfw* and in the ipchains input list, there's a rule to deny packets that coming from my external IP range (202.149.81.48/28). That's not good, how do stop it from showing? which line in ipfilter.conf should I comment? ############################################################################ ### # Extended firewall configruation scripts # By Charles Steinkuehler # Version 1.3.2 # September 29, 2001 ############################################################################ ### # Brief instructions for this file ############################################################################ ### # # VERBOSE=(YES/NO) Default: Yes # Be verbose about settings. # # MAX_LOOP=(int) Default: 10 # Maximum number of incrementable entries to search for. # IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached. # (DNS0 - DNS7 == 8 entires) # Setting this value too high will decrease the speed of the configuation # system. # # IPFWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO # Enable IP forwarding in the kernel. FILTER_ON means forwarding will # only happen when IP filtering rules are loaded # # IPALWAYSDEFRAG_KERNEL=(YES/NO) Default: NO # Enable IP Global defragmentation in the kernel. # # **WARNING** - If this was turned on everywhere in a network of routers, # it can result in TCP connections failing and TCP connection resets. # # ONLY turn this on if the box is a firewall or the single point of # entry for a network, or an endpoint for port forwarding or a load # balancer for a WWW server farm. DO NOT turn this on if the box is a # conventional router as it breaks the TCP/IP RFCes. This option is # needed when using IP NAT, IP masquerading, IP autofw, IP portfw, # transperent proxying or other kernel operations that intercept a # packet flow and redirect it. # # It is a usful tool when using a packet filtering router to protect # directly attached ethernet networks of servers as it stops fragment # attacks on the servers in behind the router. Another use is packet # filtering router to protect dial-in Internet users on NASes # (Portmasters, TC racks etc) from various SMB and fragment attacks # and to redirect all WWW connections into a WWW proxy-caching server. # # CONFIG_HOSTNAME=(YES/NO) Default: NO # Create /etc/hostname file using HOSTNAME entry. # Any current hostname file will be **OVERWRITTEN** # # CONFIG_HOSTSFILE=(YES/NO) Default: NO # Create /etc/hosts file using HOSTSx entries. # Any current hosts file will be **OVERWRITTEN** # # CONFIG_DNS=(YES/NO) Default: NO # Create /etc/resolv.conf file using DOMAINS and DNSx entries. # Any current resolv.conf file will be **OVERWRITTEN** # # IF_LIST Default: "$IF_AUTO" # A space seperated list of interfaces that can be ACTIVE on this machine # This controls which interfaces can be brought up and down manually. # # IF_AUTO Default: "eth0" # A space seperated list of interfaces that get started on boot. Tunneling # interfaces like CIPE should be after the raw interfaces they depend on. # The interfaces are started in the order they occur on the list, and are # shutdown in the reverse order of IF_LIST. # # IPFILTER_SWITCH=(none|router|firewall) Default: "none" # Selects the basic IP filtering/firewalling setup of the router. "None" # is used for a straight through router, "router" for a filtering router with # IP spoof protection and Martian protection and "firewall" for a basic IP # masquerading/NAT firewall. The basic filter types are provided in # /etc/ipfilter.conf. If you want more than what is provided read the man # pages for ipchains or ipfwadm and BE CAREFUL when you edit this! # ############################################################################ ### # General Settings ############################################################################ ### VERBOSE=YES MAX_LOOP=10 IPFWDING_KERNEL=FILTER_ON IPALWAYSDEFRAG_KERNEL=YES CONFIG_HOSTNAME=YES CONFIG_HOSTSFILE=YES CONFIG_DNS=YES ############################################################################ ### # Interfaces ############################################################################ ### # Start pppd PPP interfaces first as pppd's use of DNS can delay startup. # # Interfaces to start on boot go here - ie "ppp0 eth0" # Do NOT include interfaces configured by dhcp! IF_AUTO="eth0 eth1 eth2" # List of all configured interfaces, manual start and boot start IF_LIST="$IF_AUTO" # Accept ICMP Redirects on ALL interfaces, also depends on /proc # per interface IP forwarding flag. - YES/NO ALLIF_ACCEPT_REDIRECTS=NO # Need these both for interfaces run by daemons - ie PPP, CIPE, some # WAN interfaces # IP spoofing protection by default for interfaces - YES/NO DEF_IP_SPOOF=YES # Kernel logging of spoofed packets by default for interfaces - YES/NO DEF_IP_KRNL_LOGMARTIANS=YES # Bridge Setup - Global stuff # # Enable bridging - YES/NO BRG_SWITCH=NO # Exempt ethernet protocol types - type "brcfg list" to find out allowed # values BRG_EXEMPT_PROTOS="" ############################################################################ ### eth0_IPADDR=202.149.81.55 eth0_MASKLEN=28 eth0_BROADCAST=202.149.81.63 # Use this to set the default route if required - ONLY one to be set. # routed or gated could be used to set this so only use if not running these. eth0_DEFAULT_GW=202.149.81.49 # Secondary IP addresses/networks on same wire - add them here eth0_IP_EXTRA_ADDRS="202.149.81.61/28 202.149.81.57/28" # Additional routes for this interface, if any # Space seperated list: <PREFIX>[_<more ip route options>] #eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18" # IP spoofing protection on this interface - YES/NO eth0_IP_SPOOF=YES # Kernel logging of spoofed packets on this interface - YES/NO eth0_IP_KRNL_LOGMARTIANS=YES # This setting affects the processing of ICMP redirects. Setting it to NO # makes this more secure. Don't turn this off if you have two IP # networks/subnets on the same media - YES/NO eth0_IP_SHARED_MEDIA=NO # Bridge this interface - YES/NO eth0_BRIDGE=NO # Proxy-arp from this interface, no other config required to turn on proxy ARP! # - YES/NO eth0_PROXY_ARP=NO # Simple QoS/fair queueing support # Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO eth0_FAIRQ=NO # Ethernet Transmit Queue Length # eth0_TXQLEN=100 # Complex QoS - Enable all of these + above to turn it on #eth0_BNDWIDTH=10Mbit # Device bandwidth #eth0_HNDL=2 # Queue Handle - must be unique #eth0_IABURST=100 # Interactive Burst #eth0_IARATE=1Mbit # Interactive Rate #eth0_PXMTU=1514 # Physical MTU - includes Link Layer header ############################################################################ ### eth1_IPADDR=192.168.1.250 eth1_MASKLEN=24 eth1_BROADCAST=+ eth1_IP_SPOOF=YES eth1_IP_KRNL_LOGMARTIANS=YES eth1_IP_SHARED_MEDIA=NO eth1_BRIDGE=NO eth1_PROXY_ARP=NO eth1_FAIRQ=NO ############################################################################ ### eth2_IPADDR=192.168.15.5 eth2_MASKLEN=24 eth2_BROADCAST=+ #eth2_ROUTES= eth2_IP_SPOOF=YES eth2_IP_KRNL_LOGMARTIANS=YES eth2_IP_SHARED_MEDIA=NO eth2_BRIDGE=NO eth2_PROXY_ARP= eth2_FAIRQ=NO ############################################################################ ### # NAT 'virtual' interface (optional: required only for static-NAT DMZ systems) ############################################################################ ### # Configured as an interface to allow flexible handling of bringing the # routing rules up/down in conjunction with the physical interfaces # interface spec is an indexed list of IP address pairs and a base priority # number for ip rule creation #nat0_BASE_PRI=100 # Unique base value for ip rules # Indexed list: <public IP> <private DMZ IP> #nat0_PAIR0="1.1.2.3 192.168.2.13" #nat0_PAIR1="1.1.2.4 192.168.2.14" #nat0_PAIR2="1.1.2.5 192.168.2.15" # Sangoma FR example #fr498_IPADDR=10.0.10.1 #fr498_PTPADDR=10.0.10.2 #fr498_IP_SPOOF=YES #fr498_IP_KRNL_LOGMARTIANS=YES # Simple QoS support #fr498_FAIRQ=YES #fr498_TXQLEN=50 # Complex FR QoS - Enable ALL of these + above to turn it on #fr498_FRBURST=960Kbit # FR Burst capacity (a rate) #fr498_BULKRATE=320Kbit # Usually you set this to the CIR #fr498_BULKBURST=50 # Number of packets that can burst in bulk class #fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface #fr498_IABURST=512 # No of Interactive Burst packets #fr498_IARATE=640Kbit # Burst capicity bandwith between # BURST and CIR #fr498_HNDL=2 # The queue handle - must be unique Dialup PPP is 1000+ #fr498_PXMTU=1508 # The Physical MTU of the interface (data + MAC header) # PPP interface stuff - these apply to all ASYNC ppp interfaces, options # same as ethernet above. #ppp_BNDWIDTH=30Kbit #ppp_FAIRQ=YES #ppp_TXQLEN=30 #ppp_IABURST=20 #ppp_IARATE=10Kbit #ppp_PXMTU=1500 ############################################################################ ### # IP Filter setup - can pull in settings from above ############################################################################ ### # Set up the basic type of filtering. Can be one of (none|router|firewall) # You must load the ip_masq_* modules to enable full IP masquerading, and # ip_masq_portfw if you want to forward external ports pop-3, mtp, www # to internal machines below. IPFILTER_SWITCH=firewall # This set of variables is used with both sets of filters SNMP_BLOCK=YES # Block all SNMP (YES/NO) # List of IP Nos used for SNMP management #SNMP_MANAGER_IPS="10.100.1.2" # Fair Queuing support # List of Mark values MRK_CRIT=1 # Critical traffic, routing, DNS MRK_IA=2 # Interactive traffic - telnet, ssh, IRC # List of traffic types and maps to mark values # Setting this variable turns on the # fairq chain CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh" # NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/ # port forwarding when EXTERN_DYNADDR is on because some security # leaks will result. You may also want to limit the external open # ports to domain (UDP) for DNS. Anyhow, these features are not that # usable unless you have a static external address # EXTERN_IF="eth0" # External Interface # Added for DHCP support # Setting this to YES causes the dhcp client to try to configure the # interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly # from the interfaceB EXTERN_DHCP=NO # YES/NO # The interface(s) to configure via dhcp IF_DHCP=$EXTERN_IF # If YES, your firewall filters use 0/0 for your IP address, instead of your # actual IP address. Set this to NO for typical ethernet setups, even if you # are using DHCP EXTERN_DYNADDR=NO # YES/NO # - or - # External Interface IP number...the default should be fine for most folks eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\" # Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the # interface, but you arn't using DHCP (ie PPPoE and dialup users) #EXTERN_IP=DYNAMIC # If external interface IP is dynamic, read the configured IP address # This should probably be moved to the init.d network script, but I put it # here for now, as it is more obvious what it is doing, in case it # messes something else up. if [ "$EXTERN_DHCP" = "YES" -o \ "$EXTERN_DHCP" = "Yes" -o \ "$EXTERN_DHCP" = "yes" -o \ "$EXTERN_IP" = "DYNAMIC" ] ; then # This computes the IP address of $EXTERN_IF EXTERN_IP=`ip addr list label $EXTERN_IF | \ grep inet | sed '1!d' | \ sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'` # If the external address is not configured, use a bogus address for the # external interface to prevent a bunch of (harmless) errors that spit out # when the IPCHAINS script is called. if [ x$EXTERN_IP = x ]; then EXTERN_IP=192.168.254.254 fi fi # Traffic to completely ignore...define here to prevent filling your logs # Space seperated list: protocol_srcip[/mask][_dstport] #SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37" # Extra rule scripts added by Charles Steinkuehler to more easily support # non-standard extentions of the pre-configured ipchains rules IPCH_IN=/etc/ipchains.input IPCH_FWD=/etc/ipchains.forward IPCH_OUT=/etc/ipchains.output # ICMP types to open # Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]" #EXTERN_ICMP_PORT0="0/0 : 1.1.1.12" ## UDP Services open to outside world # Space seperated list: srcip/mask_dstport # NOTE: bootpc port is used for dhcp client EXTERN_UDP_PORTS="0/0_domain" # -or- # Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]" #EXTERN_UDP_PORT0="0/0 domain" #EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12" # TCP services open to outside world # Space seperated list: srcip/mask_dstport EXTERN_TCP_PORTS="0/0_www 0/0_110 0/0_25" # -or- # Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]" #EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12" #EXTERN_TCP_PORT1="0/0 www" # Generic Services open to outside world # Space seperated list: protocol_srcip/mask_dstport #EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8" # -or- # Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]" #EXTERN_PROTO0="50 5.6.7.8/32" #EXTERN_PROTO1="51 5.6.7.8/32" ############################################################################ ### # Internal Interface ############################################################################ ### # Comment 3 settings below for no internal network (DMZ only configuration) INTERN_IF="eth1" # Internal Interface INTERN_NET=192.168.1.0/24 # One (or more) Internal network(s) INTERN_IP=192.168.1.250 # IP number of Internal Interface # (to allow forwarding to external IP) MASQ_SWITCH=YES # Masquerade internal network to outside # world - YES/NO # These services are not masqueraded from int to ext/DMZ, preventing access # Space seperated list: proto_destIP/mask_port #NOMASQ_DEST="tcp_0/0_ssh" # Override for above...only the listed dest IP's can be accessed # Space seperated list: proto_destIP/mask_port #NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh" ############################################################################ ### # Port Forwarding ############################################################################ ### # Remember to open appropriate holes in the firewall rules, above # Uncomment following for port-forwarded internal services. # The following is an example of what should be put here. # Tuples are as follows: # <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port> #INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp" # These lines use the primary external IP address...if you need to port-forward # an aliased IP address, use the INTERN_SERVERS setting above #INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available #INTERN_WWW_SERVER=192.168.1.1 # Internal WWW server to make available #INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available #INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available #INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available #INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available #EXTERN_SSH_PORT=24 # External port to use for internal SSH access # Advanced settings: parameters passed directly to portfw and autofw # Indexed list: "<ipmasqadm portfw options>" #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]" #INTERN_SERVER1="" # Indexed list: "<ipmasqadm autofw options>" #INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1" #INTERN_AUTOFW1="" ############################################################################ ### # DMZ setup (optional) ############################################################################ ### # Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) DMZ_SWITCH=PRIVATE DMZ_IF="eth2" DMZ_NET=192.168.15.0/24 # DMZ switches for all flavors except PRIVATE ############################################################################ ### # For NAT DMZ's: # DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the # public IP range being NAT'd to DMZ_NET. Any systems DMZ_SRC=202.149.81.48/28 # For Proxy-Arp or NAT DMZ's only: # For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT) # specification, above, that are NOT remote systems reached via DMZ_IF must # be listed here. This potentially includes IP's of this LRP system, your # gateway, and systems connected to your external interface. DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP" ## Both of the following should be used together - ie if you turn on ## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST! # Allows inbound connections to high tcp ports (>1023) # You can also allow to specific machines using 1024: (or a smaller range) # as the dest port range in DMZ_OPEN_DEST (RECOMMENDED) DMZ_HIGH_TCP_CONNECT=NO ## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100" # Inbound services to allow to the DMZ # <protocol>_<destination IP/network>_<destination port or range> DMZ_OPEN_DEST="udp_192.168.15.0/24_domain tcp_0/0_domain icmp_0/0_: tcp_${DMZ_NET}_www tcp_0/0_25 tcp_0/0_110" # PRIVATE DMZ switches ############################################################################ ### # Services port-forwarded to the DMZ network # Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]" #DMZ_SERVER0="udp $EXTERN_IP domain 192.168.15.1 domain" #DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.15.1 domain" DMZ_SERVER2="tcp 202.149.81.55 www 192.168.15.200 www" DMZ_SERVER3="tcp 202.149.81.55 smtp 192.168.15.200 smtp" DMZ_SERVER4="tcp 202.149.81.55 110 192.168.15.200 110" DMZ_SERVER5="tcp 202.149.81.61 www 192.168.15.25 www" DMZ_SERVER6="tcp 202.149.81.61 smtp 192.168.15.16 smtp" DMZ_SERVER7="tcp 202.149.81.61 110 192.168.15.16 110" DMZ_SERVER8="tcp 202.149.81.57 www 192.168.15.200 www" # Allow all outbound traffic from DMZ (YES) # or just traffic from port-forwarded servers (NO) DMZ_OUTBOUND_ALL=YES -----cut regards, Gregor +Gregor Gede W. +CENTER FOR INFORMATION SYSTEM +ATMA JAYA YOGYAKARTA UNIVERSITY [EMAIL PROTECTED] +62 81 2271 0583 +62 81 7467 518 WATCHOUT! 3RD INTERNATIONAL SEMINAR ON SUSTAINABLE ENVIRONTMENTAL ARCHITECTURE + DIGITAL ARCHITECTURE, 9-10 MARCH 2002, YOGYAKARTA http://senvar.virtue.nu or http://senvar.uajy.web.id _______________________________________________ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
