From: Jack Coates <jrcoates@pacbell.net>
To: Daniel Didier <didierd@sunyit.edu>
Subject: Re: [LRP] LRP made easier by....
Date: Thu, 9 Sep 1999 21:45:29 -0700
CC: LRP List <linux-router@linuxrouter.org>

On Thu, 09 Sep 1999, you wrote:
> Sending me information, or where to find information on LRP.
>
> If you or anyone else reading this list knows of LRP information/documentation that is readable
> and usable please let me know, I want to build a long lasting reliable site for LRP info. As the
> info I receive and post gets to be considerable I will update the site for easy navigation, for
> now it will do. You don't have to do a darn thing except send me the url or files. That is it. I
> do all the web stuff, everyone is happy, and LRP will work for more people. Thanx guys.
>
> The current address of the LRP INFO page is
> http://207.10.56.35/linuxrouter/
>
> Dan Didier, Student @ SUNYIT

I've been rewriting the Cable-Modem HOWTO with the intention of turning it into a 2.9.4 based xDSL HOWTO. Here's what I have so far, still needs:

xDSL-specific information
what to do if you can't use modmaker
better ipfwadm stuff
DHCP client (and server cuz I need one and might as well write down what I do to make it go)

HTH

-- 
Linux is only free if your time has no value. -- Jamie Zawinski
xDSL LRP HOWTO
---------------------------------------
Written by: Gary J. <gary@inet.net> and Jack Coates <jrcoates@pacbell.net>
Last Revised: 9/9/1999
---------------------------------------

Intro:

I wanted a simple way to connect several PCs to the internet using a single fulltime connection. I couldn't get RedHat to install on the Compaq 486 I planned to use, and found LRP while looking for RH fixes. It is a far better solution, and actually quite simple if you take the time to read the documentation. It is hoped that this document helps a few others in similar situations.

These are instructions for installing and configuring a masquerading network firewall with LRP. In my example I cover a static IP internet connection. DHCP on LRP also works just fine, and I will cover that in Section XXX. These instructions assume that you have an existing connection to the internet and are running MS-DOS or Win95/98/NT on another PC. We will refer to the box that is going to be the router as the RPC or Router PC, and the other machine as the Windows box.

==================================================================

1. Set up hardware on the Router PC

Install 2 NICs and at least 8MB of RAM in an old PC. While you have the case open, write down the MAC address of the cards (typically something like 0b03a10c0001 or 0b:03:a1:0c:00:01), usually written on the card or a chip. This information will come in handy later. If you are using ISA network cards, write down the irq and memory settings for the cards that you have installed. ISA ethernet cards need to be set to non-conflicting irq and memory settings, and PnP must be disabled. If you don't have the settings or need to disable PnP, you will need to boot the PC using a DOS floppy and run the configuration tool on the disk that came with the network card. You don't even need a hard drive installed in this PC as everything in LRP is installed from the floppy disk. This is a great way to recycle all those useless PCs you've got lying around. For example, I used an old 486-33 with 12MB and two cheap NE2000 clone network cards - total investment, one evening of helping a relative upgrade, plus $10 for a second NIC.

2. Obtain the latest version of LRP

Using your windows machine download the "idiot image" from ftp://ftp.linuxrouter.org/linux-router/dists/stable/ or a mirror. Be careful when downloading the file using Netscape. The file may be corrupted if it does not download as a binary file. Try right-clicking and choosing "save as." MS Internet Explorer usually properly detects binaries. Currently the latest stable version is 2.9.4. Open a command prompt and rename the file in MS-DOS 8.3 naming convention. For instance:

    RENAME IDIOT-~1.IMG IDIOT.IMG

3. Download rawrite2.exe from the ftp site.

You will need rawrite to write the "idiot image" to the boot floppy. This can be found at ftp://ftp.linuxrouter.org/linux-router/utils/ or a mirror.

4. Create the boot floppy

Using your windows box: Format a 1.44 floppy disk as a blank (it does not need to be formatted as bootable, as rawriting the image file will take care of that). Don't use the /q quick switch, as that will not catch errors that will prevent rawrite from working. Assuming that the "idiot image" that you downloaded was saved as IDIOT.IMG, place a blank, 1.44MB formatted floppy in the A: drive. Type in:

    RAWRITE IDIOT.IMG A: [press enter]

You might not be able to see anything on the floppy after it is finished. Don't worry!

5. Boot the floppy for the first time.

Insert the boot floppy into the "Router PC" (RPC) and boot. If the boot fails simply try a different floppy disk and downloading a fresh copy of the "idiot image". On some RPCs you may need to change some BIOS settings so that the machine boots from the floppy and not the hard drive. On an RPC that doesn't have a hard disk installed the system might also complain that it can't find a hard disk. This happens on some RPCs and is no big deal. Just ignore it. Floppy drives are inexpensive and not the most accurately aligned devices in the world. Linux is more picky about hardware than Microsoft software. If you just can't get the RPC to boot no matter how many floppies you try, try changing floppy drives in one or both machines. Once the RPC has booted and you get the login: prompt just take the floppy out and turn the RPC off again. Now it's time to use your windows machine to put the appropriate modules for your ethernet cards on the boot disk.

6. Insert the floppy back into the Windows PC.

You should now be able to see the contents of the floppy disk.

7. Obtain the appropriate modules needed for your NICs.

The idiot image of LRP comes with NO NIC support so you have to create a new modules.lrp as well as a new linux kernel. This is not as scary as it sounds since it can all be done for you at http://www.linuxrouter.org/modmaker/ (click 2.0.36 final). Simply choose the module(s) you need (e.g.: ne for ne2000). Note that modmaker was designed for LRP version 2.9.3 and hasn't been updated yet. Some things seem to work with 2.9.4 anyway, but 3Com cards definitely don't. You'll need to read the instructions on making your own modules.lrp at XXX.
The modules and what they do:

Filesystem ext2 -- Linux filesystem
Filesystem vfat -- Win32 filesystem
Filesystem isofs -- CDROM filesystem
Filesystem nfs -- Unix network filesystem
Filesystem smbfs -- Microsoft network filesystem
IPv4 rarp -- reverse arp, used for booting diskless workstations
IPv4 ipip -- a routing protocol used in tunnelling
IPv4 ip_masq_ftp -- firewall module which allows ftp to work
IPv4 ip_masq_irc -- firewall module which allows irc to work
IPv4 ip_masq_raudio -- firewall module which allows RealAudio to work
IPv4 ip_masq_cuseeme -- firewall module which allows CUSeeMe to work
IPv4 ip_masq_vdolive -- firewall module which allows VDOLive to work
IPv4 ip_masq_quake -- firewall module which allows quake to work
IPv4 ip_alias -- allows multiple IP addresses on a single interface
Misc. appletalk -- AppleTalk protocol support
Misc. ax25 -- amateur radio support
Misc. b1pci -- AVM B1 ISDN PCI-card support
Misc. capi -- Common ISDN API support
Misc. capidrv -- Common ISDN API support
Misc. capiutil -- Common ISDN API support
Misc. cyclades -- multiport serial card support
Misc. icn -- Thinking Objects ICN-ISDN-card support
Misc. ipx -- IPX/SPX protocol support
Misc. isdn -- support for ISDN terminal adapters
Misc. isdnloop -- ISDN loopback interface
Misc. istallion -- multiport serial card support
Misc. kernelcapi -- Common ISDN API support
Misc. lp -- printer support
Misc. netrom -- Amateur radio support
Misc. pcbit -- PCBIT ISDN support
Misc. riscom8 -- multiport serial card support
Misc. rose -- PERL
Misc. router -- routing functionality
Misc. sc -- PERL
Misc. scc -- PERL
Misc. serial -- serial port support
Misc. specialix -- multiport serial card support
Misc. stallion -- multiport serial card support
Network dummy -- bit-bucket
Network ppp -- point to point protocol, required for analog users
Network slhc -- tcp packet compression/uncompression
Network hdlcdrv -- a point to point protocol used by Cisco routers
Network ibmtr -- IBM Token Ring support
Network shaper -- QoS traffic shaping
Network new_tunnel -- protocol tunnelling support
Network hp100 -- NIC driver
Network smc9194 -- NIC driver
Network wd -- NIC driver
Network 3c503 -- NIC driver
Network ne -- NIC driver
Network hp -- NIC driver
Network hp-plus -- NIC driver
Network smc-ultra -- NIC driver
Network smc-ultra32 -- NIC driver
Network e2100 -- NIC driver
Network plip -- parallel port network driver
Network bsd_comp -- NIC driver
Network slip -- the predecessor of ppp, may be required by old systems
Network strip -- Starmode Radio IP support
Network lance -- NIC driver
Network at1700 -- NIC driver
Network fmv18x -- NIC driver
Network 3c501 -- NIC driver
Network 3c507 -- NIC driver
Network 3c509 -- NIC driver
Network 3c515 -- NIC driver
Network 3c59x -- NIC driver
Network via-rhine -- NIC driver
Network eexpress -- NIC driver
Network eepro -- NIC driver
Network eepro100 -- NIC driver
Network epic100 -- NIC driver
Network ne2k-pci -- NIC driver
Network pcnet32 -- NIC driver
Network rtl8139 -- NIC driver
Network yellowfin -- wireless NIC driver
Network wavelan -- wireless NIC driver
Network depca -- NIC driver
Network ewrk3 -- NIC driver
Network de4x5 -- NIC driver
Network ni52 -- NIC driver
Network ni65 -- NIC driver
Network 3c505 -- NIC driver
Network tulip -- NIC driver
Network tlan -- NIC driver
Network arcnet -- ARC-Net NIC driver
Network eth16i -- NIC driver
Network mkiss -- HAM radio (AX.25) support
Network pi2 -- Ottawa Amateur Radio Club PI and PI2 interface support
Network pt -- Gracilis PackeTwin support
Network bpqether -- NIC driver
Network baycom -- NIC driver
Network 8390 -- ISA driver (required by ne.o)
Network eql -- provides load-balancing across multiple lines to the same destination
Network sdla -- Sangoma Frame Relay card support
Network dlci -- frame relay support
Network dgrs -- Digi RightSwitch SE-X support
Network sdladrv -- Sangoma Frame Relay card support
Network wanpipe -- CSU/DSU driver

If you don't know what it is then you probably don't need it! You don't want to just select everything because it won't all fit on the floppy! Let modmaker generate the modules.lrp file, and download them (again windows users may find this easier using IE). Don't forget to download a new kernel as well or nothing will work. If you have a system with a co-processor (i.e. a pentium, 486dx, 386dx) then you can download the kernel without co-processor support; sx owners need to download the one with co-processor support.

8. Copy the new "module.lrp" and "linux" (the kernel) files to the boot floppy.

You will notice that these files already exist on the boot floppy, and you can overwrite them.

9. Reboot the RPC with the updated floppy disk.

If your boot fails, you probably forgot to download the new files as binaries, or have the wrong co-processor kernel. After the RPC boots you will notice a message telling you to configure your NICs.

10. Log onto the RPC.

Type "root" at the login: prompt. No password is required for this system since no remote access is allowed, and should not really be allowed in the future as well. Once logged in you will see the LRP configuration menu. Almost everything you need to do, you can do from here.

11. Make any "cosmetic" changes you like to the system.

More experienced users may comment out the menu program from /root/.profile to get a clean login, but that's up to you. Be careful not to mess with anything you don't understand.

12. Set up the NICs in the RPC

This is done most easily from the menu. If the menu is not displayed type "lrcfg" to bring it up. Select "3) Package Settings" from the menu. Then select "1) modules" and then "1) modules.." again.
This will bring up the "ae" editor, which is not that bad since it is small but has features friendly to windows people. You can also get ae by typing the name of your favorite editor; it's probably been aliased already. Under the 8390 line you need to specify the device settings for your NICs. I used two ne2000 cards so my settings looked like this:

    ne io=300,340 irq=5,10

That's all we have to do with this file. Press CTRL W to save and CTRL C to exit. Press 'q' twice to get back to the main menu.

13. Set up the IPs of the NICs.

This is also done from the menu. Press "1) Network Settings" from the menu and then press "1) IP's .." This edits a script that gets run at boot time. See the note that says "All network and routing settings are placed in this file" ??? You really only have to do a few things here. I suggest using "eth1" as your "trusted" interface and "eth0" for the internet interface. The scripts work better this way. You can have it the other way but it may not forward traffic properly without some minor tinkering. This example assumes fixed IP addresses supplied by your ISP. DHCP also works great, and that will be covered in another document because it requires a little more explanation.

Note: 13.1 and 13.2 are required only for fixed IP addresses supplied by your ISP. (If you have read the DHCP documentation and have the dhcp.lrp installed skip to 13.3.)

13.1 Un-comment the "Gateway" item and set this to the Gateway IP supplied by your ISP.

13.2 Un-comment the IF0 interface and edit the IPs for eth0 to match the IP info supplied by your ISP. Be really careful with the "Network", "Broadcast", and Subnet "Mask" entries. You might want to check with your ISP to make sure you don't put anything here that might cause problems later.

13.3 Un-comment the IF1 interface and edit the IPs for eth1 to match your internal "trusted" network. You can really pick any IP addresses you are authorized to route for, but the ones already there are okay unless you really need to change them. The defaults provide you with a subnet that is suitable for running NAT.

13.4 Look down the file until you find the section called "IP Masquerade (aka NAT)". Un-comment the first line here. This allows traffic from IF1 (eth1) to be forwarded. THIS IS IMPORTANT! If you don't do this, your system will not forward traffic and you will be left wondering why it doesn't seem to work. This is where almost everyone makes their mistakes.

13.5 Save this file and exit the editor (CTRL W CTRL C).

14. That's really all the configuration you need to get LRP working as a masquerading firewall. You might want to edit the file /etc/resolv.conf to allow DNS from the RPC, but it is not really needed except to test the internet connection and DNS from the RPC.

15. Write the changes to the floppy.

From the menu select "b" for backup and write everything except logs to the floppy. Actually you only need to write "etc" and "modules" but I always feel better writing everything, just in case.

16. Reboot the machine.

Watch to see if the RPC loads the network cards correctly. Login as root and quit from the menu to the command line.

    type: ifconfig -a    to see the interfaces.
    type: dmesg          to look at the boot up messages.

If you see errors in either ifconfig -a or dmesg check the mailing list archive for people with similar problems or mail them to the list at linux-router@linuxrouter.org. Using the MAC addresses that you wrote down earlier and the output of these two commands you can figure out which card is interface 0 and interface 1. This is also a convenient time to change the root password. Type:

    passwd root

and set the password to something a bit more secure!

17. Configure your client PCs and your networking equipment to use the IP address you specified for eth1 as the default gateway.
Of course, make sure the client's IP is on the same subnet as eth1 or nothing will work at all. Make sure you have the DNS entries on the client set to the ones provided by your ISP.

17.1 example: I have 2 client machines on the hub:

Machine 1:
  IP: 192.168.2.2
  Netmask: 255.255.255.0
  Gateway: 192.168.2.1
  Name Server: (the one supplied by your ISP, or the gateway if running caching dns)

Machine 2:
  IP: 192.168.2.3
  Netmask: 255.255.255.0
  Gateway: 192.168.2.1
  Name Server: (the one supplied by your ISP)

18. You should now be able to ping both the trusted interface (eth1) and the external interface (eth0) from the client. You should also be able to ping the ISP's Gateway address. Once you have done this everything should work just great!

19. Configure ipfwadm.

If your Linux router still does not work, check the mailing list archive (http://www.linuxrouter.org/listarch/linux-router/) for people with similar problems or mail them to the list at linux-router@linuxrouter.org.

Other documents of interest:
http://cesdis.gsfc.nasa.gov/linux/misc/multicard.html
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Ethernet-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/NET-3-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO

Working 2.9.4 Configs:

###############################################################################
# Auto configuration bypass (Say NO to use this file)
###############################################################################
DIRECT_SETTINGS_ONLY=NO

###############################################################################
# Default Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=6
IPFWDING_KERNEL=YES
IPFWDING_FW=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES

###############################################################################
# Interfaces
###############################################################################
IF0_IFNAME=eth0
IF0_IPADDR= your ip
IF0_NETMASK= your netmask
IF0_BROADCAST= your broadcast
IF0_IP_SPOOF=YES

IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.254
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
IF1_IP_SPOOF=YES

###############################################################################
# Hosts
###############################################################################

###############################################################################
# Networks
###############################################################################
NET0_NETADDR= your network
NET0_NETMASK= your netmask
NET0_GATEWAY_IF=eth0
NET0_GATEWAY_IP=default
NET0_IPMASQ=NO
NET0_IPMASQ_IF=default

NET1_NETADDR=192.168.1.0
NET1_NETMASK=255.255.255.0
NET1_GATEWAY_IF=eth1
NET1_GATEWAY_IP=default
NET1_IPMASQ=YES
NET1_IPMASQ_IF=eth1

###############################################################################
# Gateways (Default Routes)
###############################################################################
GW0_IPADDR= your gateway
GW0_IFNAME=eth0
GW0_METRIC=1

###############################################################################
# Hostname                                   Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=myrouter

###############################################################################
# Hosts file (Static domainname entries)     Requires: CONFIG_HOSTSFILE=YES
###############################################################################
#       IP              FQDN hostname           alias1 alias2..
# Make sure that your internal network name is either registered
# to you or unused -- otherwise the canonical name of the registered name
# will be appended to your LRP's name.
HOSTS0="$IF0_IPADDR     foobar.isp.net          foobar"
HOSTS1="$IF1_IPADDR     $HOSTNAME.private.org   myrouter"

###############################################################################
# Domain Search Order and Name Servers       Requires: CONFIG_DNS=YES
###############################################################################
DOMAINS="isp.net private.org"
DNS0= your dns
DNS1= your dns
DNS2= your dns

###############################################################################
# Direct Network Settings
###############################################################################

# Extensive firewall rules

# By default, deny all forwarding
ipfwadm -F -p deny

# Flush all rules
echo "Flushing rules..."
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -A -f

ipfwadm -F -a masq -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0

# Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139

# Block SMB (windows sharing) ports from coming in to the LAN
# eg, deny all incoming packets that have destination port 137 for
# all protocols (udp and tcp).
echo "Blocking SMB Traffic..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 0.0.0.0/0 137 -P all

# Forward Quake connections to an IP Masq'ed machine
echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.1
ipautofw -A -r udp 26000 26999 -h 192.168.1.1

# Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070

# Forward FTP to an IP Masq'ed machine
echo "Enabling FTP..."
ipautofw -A -r 216.103.209.127/21 -R 192.168.1.1/21
ipautofw -A -r 216.103.209.127/22 -R 192.168.1.1/22

# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 216.103.209.127 23 -P all

# Deny unregistered addresses
# This prevents any IP numbers from leaking out when they accidentally bypass
# NAT due to some other configuration problem.
#echo "Blocking private addresses..."
#ipfwadm -O -i deny -S 192.168.1.0/24 -D 0.0.0.0/0 -o
Date: Mon, 13 Sep 1999 09:43:33 +0200 (MET DST)
From: "Jacek M. Holeczek" <holeczek@us.edu.pl>
To: linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....

Hi,
There was a preliminary xDSL LRP HOWTO published for the 2.9.4 with a script containing "Direct Network Settings", with some problems :
1. explicit addresses/names are used
2. the command to block SMB traffic does not work
3. the port 22 is not ftp, but ssh ( don't forward )
Please find below a slightly modified script.
It assumes that IF0 is the external interface and IF1 is the internal, trusted one. The only explicit internal addresses present in this script are machines to which quake, ftp, http are forwarded.
--------------------------------------------
# Extensive firewall rules

# MASQ timeouts
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
echo "Setting MASQ timeouts..."
ipfwadm -M -s 7200 10 160

# By default, deny all forwarding
#echo "Denying forwarding..."
#ipfwadm -F -p deny

# Flush all rules
#echo "Flushing rules..."
#ipfwadm -F -f
#ipfwadm -I -f
#ipfwadm -O -f
#ipfwadm -A -f

#ipfwadm -F -a masq -S NET1_NETADDR/NET1_NETMASK -D 0.0.0.0/0 -W IF0_IFNAME

# Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139

# Block SMB (windows sharing) ports from coming in to the LAN
# eg, deny all incoming packets that have destination port 137 for
# all protocols (udp and tcp).
echo "Blocking SMB Traffic..."
ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137
ipfwadm -I -i deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137

# Forward Quake connections to an IP Masq'ed machine
#echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.2
ipautofw -A -r udp 26000 26999 -h 192.168.1.2

# Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070

# Forward FTP to an IP Masq'ed machine
echo "Enabling FTP..."
ipautofw -A -r IF0_IPADDR/21 -R 192.168.1.2/21

# Forward HTTP to an IP Masq'ed machine
echo "Enabling HTTP..."
ipportfw -A -t IF0_IPADDR/80 -R 192.168.1.2/80

# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D IF0_IPADDR 23 -P all

# Deny unregistered addresses
# This prevents any IP numbers from leaking out when they accidentally
# bypass NAT due to some other configuration problem.
echo "Blocking private addresses..."
ipfwadm -O -i deny -S NET1_NETADDR/NET1_NETMASK -D 0.0.0.0/0 -o
--------------------------------------------
Note that in 2.9.4 the default forwarding policy, flushing rules and masquerading are managed by the "main" network script ( commented above ).
On this occasion, I'd like to ask you - is this "Enabling RealAudio..." above required for RealAudio to work, or is it sufficient to load the ip_masq_raudio.o module ?
Thanks in advance,
Jacek.
From: Jack Coates <jrcoates@pacbell.net>
To: "Jacek M. Holeczek" <holeczek@us.edu.pl>, linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....
Date: Mon, 13 Sep 1999 07:29:15 -0700

On Mon, 13 Sep 1999, Jacek M. Holeczek wrote:
> Hi,
> There was a preliminary xDSL LRP HOWTO published for the 2.9.4 with a
> script containing "Direct Network Settings", with some problems :
> 1. explicit addresses/names are used

myrouter/mynet is a default in 2.9.4 -- I just left it standing. I also used explicit 192.168.1.x addresses because 90% of the people using this will a) have a single IP address from an ISP and require masq'ing b) have enough knowledge to modify the internal addresses themselves.

> 2. the command to block SMB traffic does not work

very possible -- I copied it from someone else's FAQ and didn't look closely.

> 3. the port 22 is not ftp, but ssh ( don't forward )

Typo! I was looking at http://www.isi.edu/in-notes/iana/assignments/port-numbers and saw two ports -- but typed the wrong ones in :-(

> Please find below a slightly modified script.
> It assumes that IF0 is the external interface and IF1 is the internal,
> trusted one. The only explicit internal addresses present in this script
> are machines to which quake, ftp, http are forwarded.

Thanks! I'm hoping to add a few more documented firewall holes, so that a newbie user can just comment out the ones that should be blocked. Any ideas?

Jack
Date: Tue, 14 Sep 1999 09:36:43 +0200 (MET DST)
From: "Jacek M. Holeczek" <holeczek@us.edu.pl>
To: linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....

> > 1. explicit addresses/names are used
> myrouter/mynet is a default in 2.9.4 -- I just left it standing. I also used
> explicit 192.168.1.x addresses because 90% of the people using this will

I meant :
- "216.103.209.127" instead of IF0_IPADDR
- "192.168.1.0/24" instead of NET1_NETADDR/NET1_NETMASK
- "eth0" instead of IF0_IFNAME
One, probably, cannot escape from explicit addresses in forwarding rules, but it's not a good idea to forward to "192.168.1.1", as usually it's the router itself ( so I took "192.168.1.2" as an example ).

> b) have enough knowledge to modify the internal addresses themselves.

Why do you expect this ? Just compare "216.103.209.127/22" with "192.168.1.0/24". I doubt that for a new user it would be easy to note that in one case the "/22" means something different than "/24" in the other case ( I mean port_number, and mask ), and that in one case there is a machine's ip_address, and in the other case a network_address. Or take the "216.103.209.127 23" ( without "/" ). Now, assume you don't have man pages for ipfwadm/ipautofw/ipportfw ( they don't come with LRP ) and you have to guess what these different parameters mean looking at examples ( in fact I only have the man page for ipfwadm ).

> > 3. the port 22 is not ftp, but ssh ( don't forward )
> Typo! I was looking at

Now I see the problem - I have one ftp port too few ( right ? )
Jacek.

BTW. There was a cry what the "SIOCADDRT Error" means, some time ago. I also had to fight with this problem under LRP 2.9.4. In the end I have found that there is a bug in the "etc/network.conf", as it comes with the distribution - there is "GW0_IFNAME=$IF0_NAME", while it should be "GW0_IFNAME=$IF0_IFNAME". It took me some time to find it.
Jacek.
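As an added example (not part of this thread or of LRP itself), the checks below read a network.conf in the layout quoted in the HOWTO and flag the mistakes it warns about in steps 13.2, 13.4 and 17, plus the GW0_IFNAME typo Jacek describes. The sample file and the function names are my own constructions, and $NAME references are expanded the way the shell does when the file is sourced, which is why an undefined name silently becomes an empty interface name.

```python
import ipaddress
import re

# Constructed sample in the layout of the 2.9.4 network.conf quoted in the HOWTO;
# 203.0.113.0/24 stands in for the ISP addresses and the GW0_IFNAME typo is kept.
SAMPLE_CONF = """\
IF0_IFNAME=eth0
IF0_IPADDR=203.0.113.127
IF0_NETMASK=255.255.255.0
IF0_BROADCAST=203.0.113.255
IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.254
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
NET0_NETADDR=203.0.113.0
NET0_NETMASK=255.255.255.0
NET0_GATEWAY_IF=eth0
NET0_IPMASQ=NO
NET1_NETADDR=192.168.1.0
NET1_NETMASK=255.255.255.0
NET1_GATEWAY_IF=eth1
NET1_IPMASQ=YES
GW0_IPADDR=203.0.113.1
GW0_IFNAME=$IF0_NAME
"""

_ASSIGN = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")
_REF = re.compile(r"\$([A-Z][A-Z0-9_]*)")


def parse_conf(text):
    """Read KEY=VALUE lines the way the shell does when sourcing the file:
    comments and blank lines are skipped, and $NAME expands to the value
    defined so far, or to the empty string when NAME was never defined."""
    conf = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(raw.strip())
        if m is None:
            continue  # blank line, comment, or not an assignment
        value = m.group(2).strip().strip('"')
        conf[m.group(1)] = _REF.sub(lambda r: conf.get(r.group(1), ""), value)
    return conf


def interfaces(conf):
    """Map each IFn_IFNAME to an IPv4Interface built from its address and mask."""
    found = {}
    for n in range(8):
        addr, mask = conf.get(f"IF{n}_IPADDR"), conf.get(f"IF{n}_NETMASK")
        if addr and mask:
            name = conf.get(f"IF{n}_IFNAME", "")
            found[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return found


def check_conf(conf):
    """Return the consistency problems found in a parsed network.conf."""
    problems, ifaces, masq_on = [], interfaces(conf), False
    for n in range(8):
        name = conf.get(f"IF{n}_IFNAME")
        if name in ifaces:  # step 13.2: broadcast must match address and mask
            want = str(ifaces[name].network.broadcast_address)
            if conf.get(f"IF{n}_BROADCAST") != want:
                problems.append(f"IF{n}_BROADCAST should be {want}")
        netaddr, mask = conf.get(f"NET{n}_NETADDR"), conf.get(f"NET{n}_NETMASK")
        if netaddr and mask:  # NETn must be the subnet of the interface it uses
            net = ipaddress.IPv4Network(f"{netaddr}/{mask}", strict=False)
            via = conf.get(f"NET{n}_GATEWAY_IF", "")
            if via in ifaces and ifaces[via].network != net:
                problems.append(f"NET{n} {net} is not the subnet of {via}")
            masq_on = masq_on or conf.get(f"NET{n}_IPMASQ") == "YES"
    if not masq_on:  # step 13.4: the mistake almost everyone makes
        problems.append("no NETn_IPMASQ=YES, so LAN traffic will not be forwarded")
    gw_if, gw_ip = conf.get("GW0_IFNAME", ""), conf.get("GW0_IPADDR", "")
    if gw_if not in ifaces:  # an empty name here is the SIOCADDRT failure
        problems.append(f"GW0_IFNAME={gw_if!r} is not a configured interface")
    elif gw_ip and ipaddress.IPv4Address(gw_ip) not in ifaces[gw_if].network:
        problems.append(f"GW0_IPADDR {gw_ip} is outside the {gw_if} subnet")
    return problems


def client_matches(conf, client_ip, client_gateway):
    """Step 17: the gateway must be a router interface address on the client's subnet."""
    for iface in interfaces(conf).values():
        if str(iface.ip) == client_gateway:
            return ipaddress.IPv4Address(client_ip) in iface.network
    return False
```

Running check_conf(parse_conf(SAMPLE_CONF)) reports only the empty GW0_IFNAME; after replacing $IF0_NAME with $IF0_IFNAME the list is empty.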