Ethan's Retrocomputing Corner
lrp: xDSL tutorial
From: Jack Coates <jrcoates@pacbell.net>
To: Daniel Didier <didierd@sunyit.edu>
Subject: Re: [LRP] LRP made easier by....
Date: Thu, 9 Sep 1999 21:45:29 -0700
CC: LRP List <linux-router@linuxrouter.org>
On Thu, 09 Sep 1999, you wrote:
> Sending me information, or where to find information on LRP.
>
> If you or anyone else
> reading this list knows of LRP information/documentation that is readable
> and usable please let me know, I want to build a long lasting reliable
> site for LRP info. As the info I receive and post gets to be considerable
> I will update the site for easy navigation, for now it will do. You don't
> have to do a darn thing except send me the url or files. That is it. I
> do all the web stuff, everyone is happy, and LRP will work for more
> people. Thanx guys.
>
> The current address of the LRP INFO page is
> http://207.10.56.35/linuxrouter/
>
> Dan Didier, Student @ SUNYIT
I've been rewriting the Cable-Modem HOWTO with the intention of turning it into
a 2.9.4 based xDSL HOWTO. Here's what I have so far, still needs:
xDSL-specific information
what to do if you can't use modmaker
better ipfwadm stuff
DHCP client (and server cuz I need one and might as well write down what I do
to make it go)
HTH
--
Linux is only free if your time has no value.
-- Jamie Zawinski
xDSL LRP HOWTO
---------------------------------------
Written by:
Gary J. <gary@inet.net> and Jack Coates <jrcoates@pacbell.net>
Last Revised: 9/9/1999
---------------------------------------
Intro:
I wanted a simple way to connect several PCs to the internet using a single
full-time connection. I couldn't get RedHat to install on the Compaq 486 I
planned to use, and found LRP while looking for RH fixes. It is a far better
solution, and actually quite simple if you take the time to read the
documentation. It is hoped that this document helps a few others in similar
situations.
These are instructions for installing and configuring a masquerading
network firewall with LRP. In my example I cover a static IP internet
connection. DHCP on LRP also works just fine, and I will cover that in Section
XXX.
These instructions assume that you have an existing connection to the
internet and are running MS-DOS or Win95/98/NT on another PC.
We will refer to the box that is going to be the router as the RPC or
Router PC, and the other machine as the Windows box.
==================================================================
1. Set up hardware on the Router PC -
Install 2 NICs and at least 8MB of RAM in an old PC. While you have
the case open, write down the MAC address of the cards (typically
something like 0b03a10c0001 or 0b:03:a1:0c:00:01) usually written on
the card or a chip. This information will come in handy later. If you
are using ISA network cards, write down the IRQ and memory settings
for the cards that you have installed. ISA ethernet cards need to be set to
non-conflicting IRQ and memory settings, and PnP must be disabled. If
you don't have the settings or need to disable PnP, you will need to boot the
PC using a dos floppy and run the configuration tool on the disk that came
with the network card. You don't even need a hard drive installed in this PC
as everything in LRP is installed from the floppy disk. This is a great way to
recycle all those useless PCs you've got lying around. For example, I used
an old 486-33 with 12MB and two cheap NE2000 clone network cards - total
investment, one evening of helping a relative upgrade, plus $10 for a second NIC.
2. Obtain the latest version of LRP
Using your Windows machine download the "idiot image" from
ftp://ftp.linuxrouter.org/linux-router/dists/stable/ or a mirror. Be careful when
downloading the file using Netscape. The file may be corrupted if it does not
download as a binary file. Try right-clicking and choosing "save as." MS
Internet Explorer usually properly detects binaries. Currently the latest stable
version is 2.9.4.
Open a command prompt and rename the file in MS-DOS 8.3 naming convention. For
instance:
RENAME IDIOT-~1.IMG IDIOT.IMG
3. Download rawrite2.exe from the ftp site.
You will need rawrite to write the "idiot image" to the boot floppy. This can be
found at ftp://ftp.linuxrouter.org/linux-router/utils/ or a mirror.
4. Create the boot floppy
Using your windows box:
Format a 1.44 floppy disk as a blank, (it does not need to be formatted as
bootable, as rawriting the image file will take care of that). Don't use the /q
quick switch, as that will not catch errors that will prevent rawrite from
working.
Assuming that the "idiot image" that you downloaded was saved as IDIOT.IMG,
place a blank, 1.44MB formatted floppy in the A: drive and type in:
RAWRITE IDIOT.IMG A: [press enter]
You might not be able to see anything on the floppy after it is
finished. Don't worry!
5. Boot the floppy for the first time.
Insert the boot floppy into the "Router PC" (RPC) and boot. If the
boot fails simply try a different floppy disk and downloading a fresh
copy of the "idiot image". On some RPCs you may need to change some
BIOS settings so that the machine boots from the floppy and not the
hard drive. On an RPC without a hard disk installed, the
system might also complain that it can't find a hard disk. This
happens on some RPCs and is no big deal. Just ignore it.
Floppy drives are inexpensive and not the most accurately aligned devices in the
world. Linux is more picky about hardware than Microsoft software. If you just
can't get the RPC to boot no matter how many floppies you try, try changing
floppy drives in one or both machines.
Once the RPC has booted and you get the login: prompt just take
the floppy out and turn the RPC off again. Now it's time to use your
Windows machine to put the appropriate modules for your ethernet cards
on the boot disk.
6. Insert the floppy back into the Windows PC. You should now be able
to see the contents of the floppy disk.
7. Obtain the appropriate modules needed for your NICs. The idiot
image of LRP comes with NO NIC support so you have to create a new
modules.lrp as well as a new linux kernel. This is not as scary as it
sounds since it can all be done for you at http://www.linuxrouter.org/modmaker/
(click 2.0.36 final).
Simply choose the module(s) you need, (e.g.: ne for ne2000). Note that modmaker
was designed for LRP version 2.9.3 and hasn't been updated yet. Some things seem
to work with 2.9.4 anyway, but 3Com cards definitely don't. You'll need to read
the instructions on making your own modules.lrp at XXX.
The modules and what they do:
Filesystem ext2 -- Linux filesystem
Filesystem vfat -- Win32 filesystem
Filesystem isofs -- CDROM filesystem
Filesystem nfs -- Unix network filesystem
Filesystem smbfs -- Microsoft network filesystem
IPv4 rarp -- reverse arp, used for booting diskless workstations
IPv4 ipip -- a routing protocol used in tunnelling
IPv4 ip_masq_ftp -- firewall module which allows ftp to work
IPv4 ip_masq_irc -- firewall module which allows irc to work
IPv4 ip_masq_raudio -- firewall module which allows RealAudio to work
IPv4 ip_masq_cuseeme -- firewall module which allows CUSeeMe to work
IPv4 ip_masq_vdolive -- firewall module which allows VDOLive to work
IPv4 ip_masq_quake -- firewall module which allows quake to work
IPv4 ip_alias -- allows multiple IP addresses on a single interface
Misc. appletalk -- AppleTalk protocol support
Misc. ax25 -- amateur radio support
Misc. b1pci -- AVM B1 ISDN PCI-card support
Misc. capi -- Common ISDN API support
Misc. capidrv -- Common ISDN API support
Misc. capiutil -- Common ISDN API support
Misc. cyclades -- multiport serial card support
Misc. icn -- Thinking Objects ICN-ISDN-card support
Misc. ipx -- IPX/SPX protocol support
Misc. isdn -- support for ISDN terminal adapters
Misc. isdnloop -- ISDN loopback interface
Misc. istallion -- multiport serial card support
Misc. kernelcapi -- Common ISDN API support
Misc. lp -- printer support
Misc. netrom -- Amateur radio support
Misc. pcbit -- PCBIT ISDN support
Misc. riscom8 -- multiport serial card support
Misc. rose -- PERL
Misc. router -- routing functionality
Misc. sc -- PERL
Misc. scc -- PERL
Misc. serial -- serial port support
Misc. specialix -- multiport serial card support
Misc. stallion -- multiport serial card support
Network dummy -- bit-bucket
Network ppp -- point to point protocol, required for analog users
Network slhc -- tcp packet compression/uncompression
Network hdlcdrv -- a point to point protocol used by Cisco routers
Network ibmtr -- IBM Token Ring support
Network shaper -- QoS traffic shaping
Network new_tunnel -- protocol tunnelling support
Network hp100 -- NIC driver
Network smc9194 -- NIC driver
Network wd -- NIC driver
Network 3c503 -- NIC driver
Network ne -- NIC driver
Network hp -- NIC driver
Network hp-plus -- NIC driver
Network smc-ultra -- NIC driver
Network smc-ultra32 -- NIC driver
Network e2100 -- NIC driver
Network plip -- parallel port network driver
Network bsd_comp -- NIC driver
Network slip -- the predecessor of ppp, may be required by old systems
Network strip -- Starmode Radio IP support
Network lance -- NIC driver
Network at1700 -- NIC driver
Network fmv18x -- NIC driver
Network 3c501 -- NIC driver
Network 3c507 -- NIC driver
Network 3c509 -- NIC driver
Network 3c515 -- NIC driver
Network 3c59x -- NIC driver
Network via-rhine -- NIC driver
Network eexpress -- NIC driver
Network eepro -- NIC driver
Network eepro100 -- NIC driver
Network epic100 -- NIC driver
Network ne2k-pci -- NIC driver
Network pcnet32 -- NIC driver
Network rtl8139 -- NIC driver
Network yellowfin -- wireless NIC driver
Network wavelan -- wireless NIC driver
Network depca -- NIC driver
Network ewrk3 -- NIC driver
Network de4x5 -- NIC driver
Network ni52 -- NIC driver
Network ni65 -- NIC driver
Network 3c505 -- NIC driver
Network tulip -- NIC driver
Network tlan -- NIC driver
Network arcnet -- ARC-Net NIC driver
Network eth16i -- NIC driver
Network mkiss -- HAM radio (AX.25) support
Network pi2 -- Ottawa Amateur Radio Club PI and PI2 interface support
Network pt -- Gracilis PackeTwin support
Network bpqether -- NIC driver
Network baycom -- NIC driver
Network 8390 -- ISA driver (required by ne.o)
Network eql -- provides load-balancing across multiple lines to the same
destination
Network sdla -- Sangoma Frame Relay card support
Network dlci -- frame relay support
Network dgrs -- Digi RightSwitch SE-X support
Network sdladrv -- Sangoma Frame Relay card support
Network wanpipe -- CSU/DSU driver
If you don't know what it is then you probably don't need it! You don't want
to just select everything because it won't all fit on the floppy! Let
modmaker generate the modules.lrp file, and download them (again
windows users may find this easier using IE). Don't forget to
download a new kernel as well or nothing will work. If you have a
system with a co-processor (i.e. a Pentium, 486DX, 386DX) then you can
download the kernel without co-processor support; SX owners need to
download the one with co-processor support.
8. Copy the new "modules.lrp" and "linux" (the kernel) files to the
boot floppy. You will notice that these files already exist on the
boot floppy, and you can overwrite them.
9. Reboot the RPC with the updated floppy disk.
If your boot fails, you probably forgot to download the new files
as binaries, or have the wrong co-processor kernel. After the RPC
boots you will notice a message telling you to configure your NICs.
10. Log onto the RPC.
Type "root" at the login: prompt. No password is required for this
system since no remote access is allowed, and it should not be
allowed in the future either. Once logged in you will see the LRP
configuration menu. Almost everything you need to do, you can do from
here.
11. Make any "cosmetic" changes you like to the system. More
experienced users may comment out the menu program from /root/.profile
to get a clean login, but that's up to you. Be careful not to mess
with anything you don't understand.
12. Set up the NICs in the RPC
This is done most easily from the menu. If the menu is not displayed
type "lrcfg" to bring it up.
Select "3) Package Settings" from the menu.
Then select "1) modules" and then "1) modules.."
again. This will bring up the "ae" editor which is not that bad since
it is small but has features friendly to Windows people. You can also get ae by
typing the name of your favorite editor; it's probably been aliased already.
Under the 8390 line you need to specify the device
settings for your NICs. I used two ne2000 cards so my settings
looked like this:
ne io=300,340 irq=5,10
That's all we have to do with this file. Press CTRL W to save and
CTRL C to exit. Press 'q' twice to get you back to the main menu.
13. Set up the IPs of the NICs.
This is also done from the menu. Press "1) Network Settings" from
the menu and then press "1) IP's .." This edits a script that gets
run at boot time. See the note that says "All network and routing
settings are placed in this file" ???
You really only have to do a few things here. I suggest using "eth1"
as your "trusted" interface and "eth0" for the internet
interface. The scripts work better this way. You can have it the
other way but it may not forward traffic properly without some minor
tinkering. This example assumes fixed IP addresses supplied by your
ISP. DHCP also works great, and that will be covered in another
document because it requires a little more explanation.
Note: 13.1 and 13.2 are required only for fixed IP addresses supplied
by your ISP. (If you have read the DHCP documentation and have
dhcp.lrp installed, skip to 13.3.)
13.1 Un-comment the "Gateway" item and set this to the Gateway IP
supplied by your ISP.
13.2 Un-comment the IF0 interface and edit the IPs for eth0 to match
the IP info supplied by your ISP. Be really careful with the "Network",
"Broadcast", and Subnet "Mask" entries. You might want to check with your
ISP to make sure you don't put anything here that might cause problems later.
13.3 Un-comment the IF1 interface and edit the IPs for eth1 to match
your internal "trusted" network. You can really pick any IP addresses
you are authorized to route for, but the ones already there are okay
unless you really need to change them. The defaults provide you with a subnet
that is suitable for running NAT.
13.4 Look down the file until you find the section called
"IP Masquerade (aka NAT)". Un-comment the first line here. This
allows traffic from IF1 (eth1) to be forwarded. THIS IS IMPORTANT! If
you don't do this, your system will not forward traffic and you
will be left wondering why it doesn't seem to work. This is where
almost everyone makes their mistakes.
13.5 Save this file and exit the editor (CTRL W CTRL C).
14. That's really all the configuration you really need to get LRP
working as a masquerading firewall. You might want to edit the file
/etc/resolv.conf to allow DNS from the RPC, but it is not really
needed except to test the internet connection and DNS from the RPC.
15. Write the changes to the floppy.
From the menu select "b" for backup and write everything except logs
to the floppy. Actually you only need to write "etc" and "modules"
but I always feel better writing everything, just in case.
16. Reboot the machine.
Watch to see if the RPC loads the network cards correctly. Log in as
root and quit from the menu to the command line.
Type:
ifconfig -a
to see the interfaces.
Type:
dmesg
to look at the boot up messages.
If you see errors in either ifconfig -a or dmesg check the mailing list
archive for people with similar problems or mail them to the list at
linux-router@linuxrouter.org.
Using the MAC addresses that you wrote down
earlier and the output of these two commands you can figure out which card is
interface 0 and interface 1. This is also a convenient time to change the root
password. Type:
passwd root
and set the password to something a bit more secure!
17. Configure your client PCs and your networking equipment to use
the IP address you specified for eth1 as the default gateway. Of
course, make sure the client's IP is on the same subnet as eth1 or
nothing will work at all. Make sure you have the DNS entries on the
client set to the ones provided by your ISP.
17.1 example: I have 2 client machines on the hub:
machine 1:
IP: 192.168.2.2
Netmask: 255.255.255.0
Gateway: 192.168.2.1
Name Server: (the one supplied by your ISP, or the gateway if
running caching DNS)
Machine 2:
IP: 192.168.2.3
Netmask: 255.255.255.0
Gateway: 192.168.2.1
Name Server: (the one supplied by your ISP)
18. You should now be able to ping both the trusted interface (eth1)
and the external interface (eth0) from the client. You should also be
able to ping the ISP's Gateway address. Once you have done this
everything should work just great!
19. Configure ipfwadm.
If your Linux router still does not work, check the mailing list
archive (http://www.linuxrouter.org/listarch/linux-router/) for people with
similar problems or mail them to the list at linux-router@linuxrouter.org.
Other documents of interest:
http://cesdis.gsfc.nasa.gov/linux/misc/multicard.html
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Ethernet-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/NET-3-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO
Working 2.9.4 Configs:
###############################################################################
# Auto configuration bypass (Say NO to use this file)
###############################################################################
DIRECT_SETTINGS_ONLY=NO
###############################################################################
# Default Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=6
IPFWDING_KERNEL=YES
IPFWDING_FW=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES
###############################################################################
# Interfaces
###############################################################################
IF0_IFNAME=eth0
IF0_IPADDR= your ip
IF0_NETMASK= your netmask
IF0_BROADCAST= your broadcast
IF0_IP_SPOOF=YES
IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.254
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
IF1_IP_SPOOF=YES
###############################################################################
# Hosts
###############################################################################
###############################################################################
# Networks
###############################################################################
NET0_NETADDR= your network
NET0_NETMASK= your netmask
NET0_GATEWAY_IF=eth0
NET0_GATEWAY_IP=default
NET0_IPMASQ=NO
NET0_IPMASQ_IF=default
NET1_NETADDR=192.168.1.0
NET1_NETMASK=255.255.255.0
NET1_GATEWAY_IF=eth1
NET1_GATEWAY_IP=default
NET1_IPMASQ=YES
NET1_IPMASQ_IF=eth1
###############################################################################
# Gateways (Default Routes)
###############################################################################
GW0_IPADDR= your gateway
GW0_IFNAME=eth0
GW0_METRIC=1
###############################################################################
# Hostname Requires:
CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=myrouter
###############################################################################
# Hosts file (Static domainname entries) Requires:
CONFIG_HOSTSFILE=YES
###############################################################################
# IP FQDN hostname alias1 alias2..
#Make sure that your internal network name is either registered
#to you or unused -- otherwise the canonical name of the registered name
#will be appended to your LRP's name.
HOSTS0="$IF0_IPADDR foobar.isp.net foobar"
HOSTS1="$IF1_IPADDR $HOSTNAME.private.org myrouter"
###############################################################################
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
###############################################################################
DOMAINS="isp.net private.org"
DNS0= your dns
DNS1= your dns
DNS2= your dns
###############################################################################
# Direct Network Settings
###############################################################################
#Extensive firewall rules
# By default, deny all forwarding
ipfwadm -F -p deny
# Flush all rules
echo "Flushing rules..."
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -A -f
ipfwadm -F -a masq -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
#Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139
# Block SMB (windows sharing) ports from coming in to the LAN
# eg, deny all incoming packets that have destination port 137 for
# all protocols (udp and tcp).
echo "Blocking SMB Traffic..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 0.0.0.0/0 137 -P all
#Forward Quake connections to an IP Masq'ed machine
echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.1
ipautofw -A -r udp 26000 26999 -h 192.168.1.1
#Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070
#Forward FTP to an IP Masq'ed machine
echo "Enabling FTP..."
ipautofw -A -r 216.103.209.127/21 -R 192.168.1.1/21
ipautofw -A -r 216.103.209.127/22 -R 192.168.1.1/22
# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 216.103.209.127 23 -P all
# Deny unregistered addresses
# This prevents any IP numbers from leaking out when they accidentally
# bypass NAT due to some other configuration problem.
#echo "Blocking private addresses..."
#ipfwadm -O -i deny -S 192.168.1.0/24 -D 0.0.0.0/0 -o
Date: Mon, 13 Sep 1999 09:43:33 +0200 (MET DST)
From: "Jacek M. Holeczek" <holeczek@us.edu.pl>
To: linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....
Hi,
There was a preliminary xDSL LRP HOWTO published for the 2.9.4 with a
script containing "Direct Network Settings", with some problems :
1. explicit addresses/names are used
2. the command to block SMB traffic does not work
3. the port 22 is not ftp, but ssh ( don't forward )
Please find below a slightly modified script.
It assumes that IF0 is the external interface and IF1 is the internal,
trusted one. The only explicit internal addresses present in this script
are machines to which quake, ftp, http are forwarded.
--------------------------------------------
# Extensive firewall rules
# MASQ timeouts
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
echo "Setting MASQ timeouts..."
ipfwadm -M -s 7200 10 160
# By default, deny all forwarding
#echo "Denying forwarding..."
#ipfwadm -F -p deny
# Flush all rules
#echo "Flushing rules..."
#ipfwadm -F -f
#ipfwadm -I -f
#ipfwadm -O -f
#ipfwadm -A -f
#ipfwadm -F -a masq -S NET1_NETADDR/NET1_NETMASK -D 0.0.0.0/0 -W IF0_IFNAME
# Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139
# Block SMB (windows sharing) ports from coming in to the LAN
# eg, deny all incoming packets that have destination port 137 for
# all protocols (udp and tcp).
echo "Blocking SMB Traffic..."
ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137
ipfwadm -I -i deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137
# Forward Quake connections to an IP Masq'ed machine
#echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.2
ipautofw -A -r udp 26000 26999 -h 192.168.1.2
# Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070
# Forward FTP to an IP Masq'ed machine
echo "Enabling FTP..."
ipautofw -A -r IF0_IPADDR/21 -R 192.168.1.2/21
# Forward HTTP to an IP Masq'ed machine
echo "Enabling HTTP..."
ipportfw -A -t IF0_IPADDR/80 -R 192.168.1.2/80
# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D IF0_IPADDR 23 -P all
# Deny unregistered addresses
# This prevents any IP numbers from leaking out when they accidentally
# bypass NAT due to some other configuration problem.
echo "Blocking private addresses..."
ipfwadm -O -i deny -S NET1_NETADDR/NET1_NETMASK -D 0.0.0.0/0 -o
--------------------------------------------
Note that in 2.9.4 the default forwarding policy, flushing rules and
masquerading are managed by the "main" network script ( commented above ).
On this occasion, I'd like to ask you - is this "Enabling RealAudio..."
above required for RealAudio to work, or is it sufficient to load the
ip_masq_raudio.o module ?
Thanks in advance,
Jacek.
From: Jack Coates <jrcoates@pacbell.net>
To: "Jacek M. Holeczek" <holeczek@us.edu.pl>, linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....
Date: Mon, 13 Sep 1999 07:29:15 -0700
On Mon, 13 Sep 1999, Jacek M. Holeczek wrote:
> Hi,
> There was a preliminary xDSL LRP HOWTO published for the 2.9.4 with a
> script containing "Direct Network Settings", with some problems :
> 1. explicit addresses/names are used
myrouter/mynet is a default in 2.9.4 -- I just left it standing. I also used
explicit 192.168.1.x addresses because 90% of the people using this will
a) have a single IP address from an ISP and require masq'ing
b) have enough knowledge to modify the internal addresses themselves.
> 2. the command to block SMB traffic does not work
very possible -- I copied it from someone else's FAQ and didn't look closely.
> 3. the port 22 is not ftp, but ssh ( don't forward )
Typo! I was looking at
http://www.isi.edu/in-notes/iana/assignments/port-numbers and saw two ports --
but typed the wrong ones in :-(
> Please find below a slightly modified script.
> It assumes that IF0 is the external interface and IF1 is the internal,
> trusted one. The only explicit internal addresses present in this script
> are machines to which quake, ftp, http are forwarded.
Thanks! I'm hoping to add a few more documented firewall holes, so that a newbie
user can just comment out the ones that should be blocked. Any ideas?
Jack
Date: Tue, 14 Sep 1999 09:36:43 +0200 (MET DST)
From: "Jacek M. Holeczek" <holeczek@us.edu.pl>
To: linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....
> > 1. explicit addresses/names are used
> myrouter/mynet is a default in 2.9.4 -- I just left it standing. I also used
> explicit 192.168.1.x addresses because 90% of the people using this will
I meant :
- "216.103.209.127" instead of IF0_IPADDR
- "192.168.1.0/24" instead of NET1_NETADDR/NET1_NETMASK
- "eth0" instead of IF0_IFNAME
One, probably, cannot escape from explicit addresses in forwarding rules,
but it's not a good idea to forward to "192.168.1.1", as usually it's the
router itself ( so I took "192.168.1.2" as an example ).
> b) have enough knowledge to modify the internal addresses themselves.
Why do you expect this ?
Just compare "216.103.209.127/22" with "192.168.1.0/24". I doubt that for a
new user it would be easy to note that in one case the "/22" means
something different than "/24" in the other case ( I mean port_number, and
mask ), and that in one case there is a machine's ip_address, and in the
other case a network_address.
Or take the "216.103.209.127 23" ( without "/" ).
Now, assume you don't have man pages for ipfwadm/ipautofw/ipportfw, ( they
don't come with LRP ) and you have to guess what these different
parameters mean looking at examples ( in fact I only have the man page for
ipfwadm ).
> > 3. the port 22 is not ftp, but ssh ( don't forward )
> Typo! I was looking at
Now I see the problem - I have one ftp port too few ( right ? )
Jacek.
BTW. There was a cry what the "SIOCADDRT Error" means, some time ago. I
also had to fight with this problem under LRP 2.9.4. In the end I
have found that there is a bug in the "etc/network.conf", as it comes
with the distribution - there is "GW0_IFNAME=$IF0_NAME", while it
should be "GW0_IFNAME=$IF0_IFNAME". It took me some time to find it.
Jacek.
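The four mistakes the messages above walk through (a port rule written with "-P all", port 22 forwarded as if it were a second ftp port, forwarding to the router's own internal address, and literal addresses where network.conf already has a variable) can be caught mechanically before a "Direct Network Settings" block is saved to the floppy. The linter below is an added example, not code from the HOWTO, from LRP, or from either poster; NETCONF is a constructed stand-in for network.conf, with IF1_IPADDR set to 192.168.1.1, the address Jacek says is usually the router itself.

```python
"""Lint LRP 2.9.4 "Direct Network Settings" rules for the mistakes discussed in
this thread.  Added example: not code from the HOWTO, from LRP, or from either poster."""
import re
import shlex

# Constructed network.conf values.  IF1_IPADDR is 192.168.1.1, the address Jacek
# says is "usually the router itself"; the rest follow the sample config above.
NETCONF = {
    "IF0_IFNAME": "eth0",
    "IF0_IPADDR": "216.103.209.127",
    "IF1_IPADDR": "192.168.1.1",
    "NET1_NETADDR": "192.168.1.0",
    "NET1_NETMASK": "255.255.255.0",
}
# Variables whose literal value should not appear in a rule (Jacek's point 1).
PARAMETRIZE = ("IF0_IFNAME", "IF0_IPADDR", "NET1_NETADDR", "NET1_NETMASK")

PORT_TOKEN = re.compile(r"^\d{1,5}(:\d{1,5})?$")         # ipfwadm: "23", "137:139"
ADDR_PORT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+)$")   # ipautofw/ipportfw: addr/PORT


def expand(line, conf):
    """Substitute $VAR with its network.conf value; unknown names stay as written."""
    return re.sub(r"\$(\w+)", lambda m: conf.get(m.group(1), m.group(0)), line)


def lint_line(raw, conf=NETCONF):
    """Return the list of findings for one script line ([] means nothing found)."""
    findings = []
    line = raw.strip()
    if not line or line.startswith("#") or line.startswith("echo"):
        return findings
    argv = shlex.split(expand(line, conf))
    tool = argv[0]

    # 1. Literal values that network.conf already knows under a variable name.
    for name in PARAMETRIZE:
        value = conf[name]
        if re.search(r"(?<![\d.])%s(?![\d.])" % re.escape(value), line):
            findings.append("explicit %s used; write $%s" % (value, name))

    # 2. ipfwadm port rules need -P tcp or -P udp: the HOWTO's SMB rule used
    #    port 137 with -P all and did not work; the fix is one rule per protocol.
    if tool == "ipfwadm" and "-M" not in argv:          # -M lines carry timeouts, not ports
        proto, ports = "all", []
        for i, tok in enumerate(argv):
            if tok == "-P" and i + 1 < len(argv):
                proto = argv[i + 1]
            elif PORT_TOKEN.match(tok):
                ports.append(tok)
        if ports and proto == "all":
            findings.append("ports %s with -P all; split into -P tcp and -P udp"
                            % ",".join(ports))

    # 3./4. In ipautofw and ipportfw "addr/N" is a port, not a netmask as in ipfwadm.
    if tool in ("ipautofw", "ipportfw"):
        targets = []
        for i, tok in enumerate(argv):
            m = ADDR_PORT.match(tok)
            if m and m.group(2) == "22":
                findings.append("port 22 is ssh, not ftp; do not forward it")
            if m and argv[i - 1] == "-R":               # -R addr/port: masqueraded target
                targets.append(m.group(1))
            elif argv[i - 1] == "-h":                   # ipautofw -h host
                targets.append(tok)
        for host in targets:
            if host == conf["IF1_IPADDR"]:
                findings.append("forward target %s is the router itself" % host)
    return list(dict.fromkeys(findings))                # drop duplicates, keep order


def lint_script(text, conf=NETCONF):
    """Map each offending line number (1-based) of a script to its findings."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        found = lint_line(raw, conf)
        if found:
            report[n] = found
    return report
```

Run lint_script over the "Direct Network Settings" section of network.conf; the HOWTO's first script produces one finding per corrected rule, while Jacek's revised script comes back clean apart from its deliberate forward targets.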
Last modified: 14 September 1999
Compilation © Copyright 1999, Ethan Dicks <erd@infinet.com>. All Rights Reserved.