Ethan's Retrocomputing Corner


lrp: xDSL tutorial

From: Jack Coates <jrcoates@pacbell.net>
To: Daniel Didier <didierd@sunyit.edu>
Subject: Re: [LRP] LRP made easier by....
Date: Thu, 9 Sep 1999 21:45:29 -0700
CC: LRP List <linux-router@linuxrouter.org>

On Thu, 09 Sep 1999, you wrote:
> Sending me information, or where to find information on LRP.
> 
> If you or anyone else
> reading this list knows of LRP information/documentation that is readable
> and useable please let me know, I want to build a long lasting reliable
> site for LRP info.  As the info I receive and post gets to be considerable
> I will update the site for easy navigation, for now it will do.  You don't
> have to do a darn thing except send me the url or files.  That is it.  I
> do all the web stuff, everyone is happy, and LRP will work for more
> people.  Thanx guys.
> 
> The current address of the LRP INFO page is
> http://207.10.56.35/linuxrouter/
> 
> Dan Didier, Student @ SUNYIT


I've been rewriting the Cable-Modem HOWTO with the intention of turning it into
a 2.9.4 based xDSL HOWTO. Here's what I have so far, still needs:
xDSL-specific information
what to do if you can't use modmaker
better ipfwadm stuff
DHCP client (and server cuz I need one and might as well write down what I do
to make it go)

HTH
  -- 
Linux is only free if your time has no value.
                                        -- Jamie Zawinski

xDSL LRP HOWTO
---------------------------------------
Written by:
Gary J. <gary@inet.net> and Jack Coates <jrcoates@pacbell.net>
Last Revised: 9/9/1999
---------------------------------------

Intro:
I wanted a simple way to connect several PC's to the internet using a single
fulltime connection.  I couldn't get RedHat to install on the Compaq 486 I
planned to use, and found LRP while looking for RH fixes. It is a far better
solution, and actually quite simple if you take the time to read the
documentation.  It is hoped that this document helps a few others in similar
situations.

These are instructions for installing and configuring a masquerading 
network firewall with LRP.  In my example I cover a static IP internet 
connection.  DHCP on LRP also works just fine,  and I will cover that in Section
XXX.

These instructions assume that you have an existing connection to the 
internet and are running MS-DOS or Win95/98/NT on another PC.
We will refer to the box that is going to be the router as the RPC or 
Router PC, and the other machine as the Windows box.

==================================================================

1.  Set up hardware on the Router PC -

Install 2 NIC's and at least 8MB of RAM in an old PC.  While you have 
the case open, write down the MAC address of the cards (typically 
something like 0b03a10c0001 or 0b:03:a1:0c:00:01) usually written on 
the card or a chip.  This information will come in handy later. If you 
are using ISA network cards, write down the irq and memory settings 
for the cards that you have installed.  ISA ethernet cards need to be set to
non-conflicting IRQ and memory settings, and PnP must be disabled. If
you don't have the  settings or need to disable PnP, you will need to boot the
PC using a dos floppy and run the  configuration tool on the disk that came
with the network card. You  don't even need a hard drive installed in this PC
as everything in LRP  is installed from the floppy disk. This is a great way to
recycle all  those useless PC's you've got lying around.  For example, I used
an  old 486-33 with 12MB and two cheap NE2000 clone network cards - total
investment, one evening of helping a relative upgrade, plus $10 for a second NIC.

2.  Obtain the latest version of LRP 

Using your windows machine download the "idiot image" from
ftp://ftp.linuxrouter.org/linux-router/dists/stable/ or a mirror. Be careful when
downloading the file using Netscape. The file may be corrupted if it does not
download as a binary file.  Try right-clicking and choosing "save as." MS
Internet Explorer usually properly detects binaries. Currently the latest stable
version is 2.9.4.


Open a command prompt and rename the file in MS-DOS 8.3 naming convention. For
instance:
RENAME IDIOT-~1.IMG IDIOT.IMG

3.  Download rawrite2.exe from the ftp site.

You will need rawrite to write the "idiot image" to the boot floppy. This can be
found at ftp://ftp.linuxrouter.org/linux-router/utils/ or a mirror.


4.  Create the boot floppy

Using your windows box:
Format a 1.44 floppy disk as a blank, (it does not need to be formatted as
bootable, as rawriting the image file will take care of that). Don't use the /q
quick switch, as that will not catch errors that will prevent rawrite from
working. 

Assuming that the "idiot Image" that you downloaded was saved as 
IDIOT.IMG
Place a blank,
1.44MB formatted floppy in the A:  drive.  
Type in:

RAWRITE  IDIOT.IMG A: [press enter]

You might not be able to see anything on the floppy after it is 
finished. don't worry!

5.  Boot the floppy for the first time.

Insert the boot floppy into the "Router PC" (RPC) and boot. If the 
boot fails simply try a different floppy disk and downloading a fresh 
copy of the "idiot image".  On some RPC's you may need to change some 
bios settings so that the machine boots from the floppy and not the 
harddrive.  On a RPC that you don't have a hard disk installed the 
system might also complain that it can't find a hard disk.  This  
happens on some RPC's and is not big deal.  Just ignore it.

Floppy drives are inexpensive and not the most accurately aligned devices in the
world. Linux is more picky about hardware than Microsoft software. If you just
can't get the RPC to boot no matter how many floppies you try, try changing
floppy drives in one or both machines.

Once the RPC has booted and you get the login: prompt just take  
the floppy out and turn the RPC off again.  Now it's time to use your 
windows machine to put the appropriate modules for your ethernet cards 
on the boot disk.

6.  Insert the floppy back into the Windows PC. You should now be able 
to see the contents of the floppy disk.

7.  Obtain the appropriate modules needed for your NIC's. The idiot 
image of LRP comes with NO NIC support so you have to create a new 
modules.lrp as well as a new linux kernel. This is not as scary as it 
sounds since it can all be done  for you at http://www.linuxrouter.org/modmaker/
(click 2.0.36 final).
Simply choose the module(s) you need, (e.g.: ne for ne2000). Note that modmaker
was designed for LRP version 2.9.3 and hasn't been updated yet. Some things seem
to work with 2.9.4 anyway, but 3Com cards definitely don't. You'll need to read
the instructions on making your own modules.lrp at XXX.

The modules and what they do:
Filesystem  ext2 -- Linux filesystem
Filesystem  vfat -- Win32 filesystem
Filesystem  isofs -- CDROM filesystem
Filesystem  nfs -- Unix network filesystem
Filesystem  smbfs -- Microsoft network filesystem
IPv4  rarp -- reverse arp, used for booting diskless workstations
IPv4  ipip -- a routing protocol used in tunnelling
IPv4  ip_masq_ftp -- firewall module which allows ftp to work
IPv4  ip_masq_irc -- firewall module which allows irc to work
IPv4  ip_masq_raudio -- firewall module which allows RealAudio to work
IPv4  ip_masq_cuseeme -- firewall module which allows CUSeeMe to work
IPv4  ip_masq_vdolive -- firewall module which allows VDOLive to work
IPv4  ip_masq_quake -- firewall module which allows quake to work
IPv4  ip_alias -- allows multiple IP addresses on a single interface
Misc.  appletalk -- AppleTalk protocol support
Misc.  ax25 -- amateur radio support
Misc.  b1pci -- AVM B1 ISDN PCI-card support
Misc.  capi -- Common ISDN API support
Misc.  capidrv -- Common ISDN API support
Misc.  capiutil -- Common ISDN API support
Misc.  cyclades -- multiport serial card support
Misc.  icn -- Thinking Objects ICN-ISDN-card support
Misc.  ipx -- IPX/SPX protocol support
Misc.  isdn -- support for ISDN terminal adapters
Misc.  isdnloop -- ISDN loopback interface
Misc.  istallion -- multiport serial card support
Misc.  kernelcapi -- Common ISDN API support
Misc.  lp -- printer support
Misc.  netrom -- Amateur radio support
Misc.  pcbit -- PCBIT ISDN support
Misc.  riscom8 -- multiport serial card support
Misc.  rose -- PERL
Misc.  router -- routing functionality
Misc.  sc -- PERL
Misc.  scc -- PERL
Misc.  serial -- serial port support
Misc.  specialix -- multiport serial card support
Misc.  stallion -- multiport serial card support
Network  dummy -- bit-bucket
Network  ppp -- point to point protocol, required for analog users
Network  slhc -- tcp packet compression/uncompression
Network  hdlcdrv -- a point to point protocol used by Cisco routers
Network  ibmtr -- IBM Token Ring support
Network  shaper -- QoS traffic shaping
Network  new_tunnel -- protocol tunnelling support
Network  hp100 -- NIC driver
Network  smc9194  -- NIC driver
Network  wd  -- NIC driver
Network  3c503  -- NIC driver
Network  ne  -- NIC driver
Network  hp  -- NIC driver
Network  hp-plus  -- NIC driver
Network  smc-ultra  -- NIC driver
Network  smc-ultra32  -- NIC driver
Network  e2100  -- NIC driver
Network  plip  -- parallel port network driver
Network  bsd_comp  -- NIC driver
Network  slip  -- the predecessor of ppp, may be required by old systems
Network  strip -- Starmode Radio IP support
Network  lance  -- NIC driver
Network  at1700  -- NIC driver
Network  fmv18x  -- NIC driver
Network  3c501  -- NIC driver
Network  3c507  -- NIC driver
Network  3c509  -- NIC driver
Network  3c515  -- NIC driver
Network  3c59x  -- NIC driver
Network  via-rhine  -- NIC driver
Network  eexpress  -- NIC driver
Network  eepro  -- NIC driver
Network  eepro100  -- NIC driver
Network  epic100  -- NIC driver
Network  ne2k-pci  -- NIC driver
Network  pcnet32  -- NIC driver
Network  rtl8139  -- NIC driver
Network  yellowfin  -- wireless NIC driver
Network  wavelan  -- wireless NIC driver
Network  depca  -- NIC driver
Network  ewrk3  -- NIC driver
Network  de4x5  -- NIC driver
Network  ni52  -- NIC driver
Network  ni65  -- NIC driver
Network  3c505  -- NIC driver
Network  tulip  -- NIC driver
Network  tlan  -- NIC driver
Network  arcnet  -- ARC-Net NIC driver
Network  eth16i  -- NIC driver
Network  mkiss  -- HAM radio (AX.25) support
Network  pi2  -- Ottawa Amateur Radio Club PI and PI2 interface support
Network  pt  -- Gracilis PackeTwin support
Network  bpqether  -- NIC driver
Network  baycom  -- NIC driver
Network  8390  -- ISA driver (required by ne.o)
Network  eql  -- provides load-balancing across multiple lines to the same destination
Network  sdla -- Sangoma Frame Relay card support
Network  dlci -- frame relay support
Network  dgrs -- Digi RightSwitch SE-X support
Network  sdladrv -- Sangoma Frame Relay card support
Network  wanpipe -- CSU/DSU driver

If you don't know what it is then you probably don't need it!  You don't want 
to just select everything because it won't all fit on the floppy! Let 
modmaker generate the modules.lrp file, and download them (again 
windows users may find this easier using IE).  Don't forget to 
download a new kernel as well or nothing will work.  If you have a 
system with a co-processor (i.e. a pentium, 486dx, 386dx) then you can 
download the kernel without co-processor support, sx owners need to 
download the one with co-processor support. 

8.  Copy the new "modules.lrp" and "linux" (the kernel) files to the 
boot floppy.  You will notice that these files already exist on the 
boot floppy, and you can overwrite them.

9.  Reboot the RPC with the updated floppy disk.

If your boot fails, you probably forgot to download the new files 
as binaries, or have the wrong co-processor kernel.  After the RPC 
boots you will  notice a message telling you to configure your NIC's.

10. Log onto the RPC.

Type "root" at the login: prompt.  No password is required for this 
system since no remote access is allowed and should not really be 
allowed in the future as well. Once logged in you will see the LRP 
configuration menu. Almost everything you need to do, you can do from 
here.

11. Make any "cosmetic" changes you like to the system. More 
experienced users may comment out the menu program from /root/.profile 
to get a clean login, but that's up to you. Be careful not to mess 
with anything you don't understand.

12. Set up the NIC's in the RPC

This is done most easily from the menu.  If the menu is not displayed 
type "lrcfg" to bring it up.
 Select "3) Package Settings"  from the menu.  
Then select "1) modules" and then "1) modules.."
again.  This will bring up the "ae" editor which is not that bad since 
it is small but has features friendly to windows people.  You can also get ae by
typing the name of your favorite editor, it's probably been aliased already.  
Under the 8390 line you need  to specify the device 
settings for your NIC's.  I used two ne2000 cards so my settings 
looked like this:
ne io=300,340  irq=5,10 
That's all we have to do with this file.  Press CTRL W to save and  
CTRL C to exit. Press 'q' twice to get you back to the main menu.

13.  Set up the IP's of the NIC's.

This is also done from the menu.  Press "1) Network Settings" from  
the menu and then press "1) IP's .."  This edits a script that gets  
run at boot time.  See the note that says "All network and routing 
settings are placed in this file" ???

You really only have to do a few things here.  I suggest using "eth1" 
as your "trusted" interface and "eth0" for the internet 
interface.  The scripts work better this way.  You can have it the 
other way but it may not forward traffic properly without some minor 
tinkering.  This example assumes fixed IP addresses supplied by your 
ISP.  DHCP also works great, and that will be covered in another 
document because it requires  a little more explanation.

Note: 13.1 and 13.2 are required only for fixed IP addresses supplied 
by your ISP.  (If you have read the DHCP documentation and have the 
dhcp.lrp installed, skip to 13.3.)

13.1  Un-comment the "Gateway" item and set this to the Gateway IP 
supplied by your ISP.

13.2  Un-comment the IF0 interface and edit the IP's for eth0 to match 
the IP info supplied by your ISP.  Be really careful with the "Network",
"Broadcast", and Subnet "Mask" entries. 
You might want to  check with your ISP to make sure you don't put anything here
that  might cause problems later.

13.3  Un-comment the IF1 interface and edit the IP's for eth1 to match 
your internal "trusted" network.  You can really pick any IP addresses 
you are authorized to route for, but the ones already there are okay 
unless you really need to change them.  The defaults provide you with a subnet
that is suitable for running NAT.

13.4  Look down the file until you find the section called
"IP Masquerade (aka NAT)".  Un-comment the first line here.  This 
allows traffic from IF1 (eth1) to be forwarded.  THIS IS IMPORTANT! If 
you don't do this, your system will not forward traffic and you
will be left wondering why it doesn't seem to work.  This is where 
almost everyone makes their mistakes.

13.5  Save this file and exit the editor (CTRL W CTRL C).

14.  That's really all the configuration you really need to get  LRP 
working as a masquerading firewall.  You might want to edit the file 
/etc/resolv.conf to allow DNS from the RPC, but it is not really 
needed except to test the internet connection and DNS from the RPC.

15.  Write the changes to the floppy.

From the menu select "b" for backup and write everything except logs 
to the floppy.  Actually you only need to write "etc" and "modules" 
but I always feel better writing everything, just in case.

16.  Reboot the machine.
Watch to see if the RPC loads the network cards correctly. Log in as 
root and quit from the menu to the command line.
Type:
ifconfig -a 
to see the interfaces.
Type:
dmesg
to look at the boot-up messages.  
If you see errors in either ifconfig -a or dmesg check the mailing list
archive for people with similar problems or mail them to the list at
linux-router@linuxrouter.org.
Using the MAC addresses that you  wrote down
earlier and the output of these two commands you can figure  out which card is
interface 0 and interface 1. This is also a convenient time to change the root
password.   Type:
passwd root 
and set the password to something a bit more secure!

17.  Configure your client PC's and your networking equipment to use 
the IP address you specified  for eth1 as the default gateway.  Of 
course, make sure the client's IP is on the same subnet as eth1 or 
nothing will work at all. Make sure you have the DNS entries on the 
client set to the ones 
provided by your ISP.

17.1 example: I have 2 client machines on the hub:

        machine 1:
        IP:             192.168.2.2
        Netmask:        255.255.255.0
        Gateway:        192.168.2.1
        Name Server:    (the one supplied by your ISP, or the gateway if
                        running caching DNS)

        Machine 2:
        IP:             192.168.2.3
        Netmask:        255.255.255.0
        Gateway:        192.168.2.1
        Name Server:    (the one supplied by your ISP)

18.  You should now be able to ping both the trusted interface (eth1)  
and the external interface (eth0) from the client.  You should also be 
able to ping the ISP's Gateway address.  Once you have done this 
everything should work just great!

19. Configure ipfwadm.

        If your Linux router still does not work, check the mailing list
archive (http://www.linuxrouter.org/listarch/linux-router/) for people with
similar problems or mail them to the list at linux-router@linuxrouter.org.

Other documents of interest:
http://cesdis.gsfc.nasa.gov/linux/misc/multicard.html
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Ethernet-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/NET-3-HOWTO
http://metalab.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO

Working 2.9.4 Configs:
###############################################################################
# Auto configuration bypass  (Say NO to use this file)
###############################################################################
DIRECT_SETTINGS_ONLY=NO
###############################################################################
# Default Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=6
IPFWDING_KERNEL=YES
IPFWDING_FW=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES
###############################################################################
# Interfaces
###############################################################################
IF0_IFNAME=eth0
IF0_IPADDR= your ip
IF0_NETMASK= your netmask
IF0_BROADCAST= your broadcast
IF0_IP_SPOOF=YES
IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.254   
IF1_NETMASK=255.255.255.0  
IF1_BROADCAST=192.168.1.255
IF1_IP_SPOOF=YES
###############################################################################
# Hosts
###############################################################################
###############################################################################
# Networks
###############################################################################
NET0_NETADDR= your network
NET0_NETMASK= your netmask
NET0_GATEWAY_IF=eth0
NET0_GATEWAY_IP=default
NET0_IPMASQ=NO
NET0_IPMASQ_IF=default
NET1_NETADDR=192.168.1.0
NET1_NETMASK=255.255.255.0
NET1_GATEWAY_IF=eth1
NET1_GATEWAY_IP=default
NET1_IPMASQ=YES
NET1_IPMASQ_IF=eth1
###############################################################################
# Gateways (Default Routes)
###############################################################################
GW0_IPADDR= your gateway
GW0_IFNAME=eth0
GW0_METRIC=1   
###############################################################################
# Hostname                                      Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=myrouter
###############################################################################
# Hosts file (Static domainname entries)        Requires: CONFIG_HOSTSFILE=YES
###############################################################################
#       IP              FQDN               hostname alias1 alias2..
#Make sure that your internal network name is either registered
#to you or unused -- otherwise the canonical name of the registered name
#will be appended to your LRP's name.
HOSTS0="$IF0_IPADDR     foobar.isp.net            foobar"
HOSTS1="$IF1_IPADDR     $HOSTNAME.private.org     myrouter"
###############################################################################
# Domain Search Order and Name Servers          Requires: CONFIG_DNS=YES
###############################################################################
DOMAINS="isp.net private.org"
DNS0= your dns
DNS1= your dns
DNS2= your dns

###############################################################################
# Direct Network Settings
###############################################################################
#Extensive firewall rules
# By default, deny all forwarding
ipfwadm -F -p deny
# Flush all rules
echo "Flushing rules..."
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -A -f
ipfwadm -F -a masq -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
#Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139
# Block SMB (windows sharing) ports from coming in to the LAN
# eg, deny all incoming packets that have destination port 137 for
# all protocols (udp and tcp).
echo "Blocking SMB Traffic..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 0.0.0.0/0 137 -P all
#Forward Quake connections to an IP Masq'ed machine
echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.1
ipautofw -A -r udp 26000 26999 -h 192.168.1.1
#Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070
#Forward FTP to an IP Masq'ed machine
echo "Enabling FTP..."
ipautofw -A -r 216.103.209.127/21 -R 192.168.1.1/21
ipautofw -A -r 216.103.209.127/22 -R 192.168.1.1/22
# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D 216.103.209.127 23 -P all
# Deny unregistered addresses
# This prevents any IP numbers from leaking out when they accidentally
# bypass NAT due to some other configuration problem.
#echo "Blocking private addresses..."
#ipfwadm -O -i deny -S 192.168.1.0/24 -D 0.0.0.0/0 -o


Date: Mon, 13 Sep 1999 09:43:33 +0200 (MET DST)
From: "Jacek M. Holeczek" <holeczek@us.edu.pl>
To: linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....

Hi,
There was a preliminary xDSL LRP HOWTO published for the 2.9.4 with a
script containing "Direct Network Settings", with some problems :
        1. explicit addresses/names are used
        2. the command to block SMB traffic does not work
        3. the port 22 is not ftp, but ssh ( don't forward )
Please find below a slightly modified script.
It assumes that IF0 is the external interface and IF1 is the internal,
trusted one. The only explicit internal addresses present in this script
are machines to which quake, ftp, http are forwarded.
--------------------------------------------
# Extensive firewall rules

# MASQ timeouts
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
echo "Setting MASQ timeouts..."
ipfwadm -M -s 7200 10 160

# By default, deny all forwarding
#echo "Denying forwarding..."
#ipfwadm -F -p deny

# Flush all rules
#echo "Flushing rules..."
#ipfwadm -F -f
#ipfwadm -I -f
#ipfwadm -O -f
#ipfwadm -A -f
#ipfwadm -F -a masq -S NET1_NETADDR/NET1_NETMASK -D 0.0.0.0/0 -W IF0_IFNAME

# Avoid MS NetBIOS over IP passing out of LAN
echo "Denying Microsoft NetBIOS..."
ipfwadm -F -a deny -P tcp -S 0/0 137:139
ipfwadm -F -a deny -P udp -S 0/0 137:139

# Block SMB (windows sharing) ports from coming in to the LAN
# eg, deny all incoming packets that have destination port 137 for
# all protocols (udp and tcp).
echo "Blocking SMB Traffic..."
ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137
ipfwadm -I -i deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137

# Forward Quake connections to an IP Masq'ed machine
#echo "Enabling Quake..."
ipautofw -A -r tcp 26000 26999 -h 192.168.1.2
ipautofw -A -r udp 26000 26999 -h 192.168.1.2

# Forward RealAudio behind IP Masq (requires ip_masq_raudio.o module)
echo "Enabling RealAudio..."
ipautofw -A -r udp 6970 7170 -c tcp 7070

# Forward FTP to an IP Masq'ed machine
echo "Enabling FTP..."
ipautofw -A -r IF0_IPADDR/21 -R 192.168.1.2/21

# Forward HTTP to an IP Masq'ed machine
echo "Enabling HTTP..."
ipportfw -A -t IF0_IPADDR/80 -R 192.168.1.2/80

# Block telnet to outside interface
echo "Blocking telnet..."
ipfwadm -I -i deny -S 0.0.0.0/0 -D IF0_IPADDR 23 -P all

# Deny unregistered addresses
# This prevents any IP numbers from leaking out when they accidentally
# bypass NAT due to some other configuration problem.
echo "Blocking private addresses..."
ipfwadm -O -i deny -S NET1_NETADDR/NET1_NETMASK -D 0.0.0.0/0 -o
--------------------------------------------
Note that in 2.9.4 the default forwarding policy, flushing rules and
masquerading are managed by the "main" network script ( commented above ).
On this occasion, I'd like to ask you - is this "Enabling RealAudio..."
above required for RealAudio to work, or is it sufficient to load the
ip_masq_raudio.o module ?
Thanks in advance,
Jacek.
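
An added example, written for this page and not code from either post or from LRP: a small Python model of the ipfwadm chains used by both "Direct Network Settings" scripts above. It parses ipfwadm command lines into rules and evaluates constructed packets against the forward, input and output chains, so you can see which traffic each rule really catches. Assumptions: the first matching rule in a chain decides and the chain policy applies otherwise (accept unless `-p` set it), port numbers are accepted only with `-P tcp` or `-P udp` (my recollection of ipfwadm, and consistent with the one-line SMB rule being replaced by separate tcp and udp rules), and `echo`, `ipautofw` and `ipportfw` lines are skipped. The external address is the one used in the posts; the telnet rule is written with `-P tcp` here, and the other addresses and ports are constructed.

```python
import ipaddress
import shlex

CHAINS = {"-F": "forward", "-I": "input", "-O": "output"}

def parse_addr(spec):
    """'0/0', '192.168.1.0/24' or a bare host -> ip_network (bare host = /32)."""
    addr, _, mask = spec.partition("/")
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == '0' else addr}/{mask or 32}", strict=False)

def parse_ports(tokens):
    """'137' or '137:139' -> list of (lo, hi); an empty list matches any port."""
    ranges = []
    for tok in tokens:
        lo, _, hi = tok.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

class Firewall:
    """ipfwadm forward/input/output chains: first matching rule decides, else policy."""
    def __init__(self):
        self.chains = {c: {"policy": "accept", "rules": []} for c in CHAINS.values()}

    def run(self, cmdline):
        """Apply one ipfwadm command line; other commands (echo, ipautofw...) are skipped."""
        tok = shlex.split(cmdline)
        if len(tok) < 2 or tok[0] != "ipfwadm" or tok[1] not in CHAINS: return
        chain = self.chains[CHAINS[tok[1]]]
        rule = {"proto": "all", "src": parse_addr("0/0"), "dst": parse_addr("0/0"),
                "sports": [], "dports": [], "iface": None, "action": None}
        insert, i = False, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-f":                       # flush the chain
                chain["rules"].clear()
            elif opt == "-p":                     # chain policy
                chain["policy"] = tok[i + 1]; i += 1
            elif opt in ("-a", "-i"):             # append / insert a rule
                rule["action"], insert = tok[i + 1], opt == "-i"; i += 1
            elif opt in ("-P", "-W"):             # protocol / interface
                rule["proto" if opt == "-P" else "iface"] = tok[i + 1]; i += 1
            elif opt in ("-S", "-D"):             # address[/mask] [port ...]
                key = "src" if opt == "-S" else "dst"
                rule[key] = parse_addr(tok[i + 1])
                j = i + 2
                while j < len(tok) and not tok[j].startswith("-"):
                    j += 1
                rule[key[0] + "ports"] = parse_ports(tok[i + 2:j])
                i = j - 1
            elif opt != "-o":                     # -o only logs matches
                raise ValueError(f"unsupported ipfwadm option {opt}")
            i += 1
        if rule["action"]:
            if rule["proto"] not in ("tcp", "udp") and (rule["sports"] or rule["dports"]):
                raise ValueError("port numbers need -P tcp or -P udp")
            chain["rules"].insert(0 if insert else len(chain["rules"]), rule)

    def check(self, chain, proto, src, dst, sport=0, dport=0, iface=None):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.chains[chain]["rules"]:
            if (r["proto"] in ("all", proto) and s in r["src"] and d in r["dst"]
                    and (not r["sports"] or any(lo <= sport <= hi for lo, hi in r["sports"]))
                    and (not r["dports"] or any(lo <= dport <= hi for lo, hi in r["dports"]))
                    and r["iface"] in (None, iface)):
                return r["action"]
        return self.chains[chain]["policy"]

# Constructed rule set in the style of the thread's scripts (telnet rule with -P tcp: assumption).
EXT_IP, EXT_IF, LAN = "216.103.209.127", "eth0", "192.168.1.0/24"
MASQ = f"ipfwadm -F -a masq -S {LAN} -D 0.0.0.0/0 -W {EXT_IF}"
DENY_NETBIOS = ["ipfwadm -F -a deny -P tcp -S 0/0 137:139",
                "ipfwadm -F -a deny -P udp -S 0/0 137:139"]
INPUT_OUTPUT = ["ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137",
                "ipfwadm -I -i deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137",
                f"ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D {EXT_IP} 23",
                f"ipfwadm -O -i deny -S {LAN} -D 0.0.0.0/0 -o"]

def build(deny_before_masq=True):
    """Load the rules; the flag puts the NetBIOS denies before or after the masq rule."""
    fw = Firewall()
    for line in ["ipfwadm -F -p deny", "ipfwadm -F -f", "ipfwadm -I -f", "ipfwadm -O -f"]:
        fw.run(line)
    order = DENY_NETBIOS + [MASQ] if deny_before_masq else [MASQ] + DENY_NETBIOS
    for line in order + INPUT_OUTPUT:
        fw.run(line)
    return fw

def verdicts(fw):
    """Constructed packets (TEST-NET addresses) and the verdict each receives."""
    return {
        "lan_http": fw.check("forward", "tcp", "192.168.1.5", "198.51.100.10", 40001, 80, "eth0"),
        "lan_netbios": fw.check("forward", "udp", "192.168.1.5", "198.51.100.10", 137, 137, "eth0"),
        "inbound_smb": fw.check("input", "udp", "203.0.113.9", EXT_IP, 40002, 137, "eth0"),
        "inbound_telnet": fw.check("input", "tcp", "203.0.113.9", EXT_IP, 40003, 23, "eth0"),
        "inbound_ssh": fw.check("input", "tcp", "203.0.113.9", EXT_IP, 40004, 22, "eth0"),
        "unmasqed_leak": fw.check("output", "tcp", "192.168.1.5", "198.51.100.10", 40005, 80, "eth0"),
        "router_to_lan": fw.check("output", "udp", "192.168.1.254", "192.168.1.5", 53, 40006, "eth1"),
    }
```

Three things the model makes visible that the scripts alone do not. First, order: with the masq rule ahead of the NetBIOS denies (`build(False)`), a LAN datagram from source port 137 is already matched and masqueraded before the deny is consulted, so the denies only bite when they precede it. Second, the input chain keeps its default accept policy, so anything not explicitly denied (port 22 in the sample) is reachable from outside. Third, the "deny unregistered addresses" output rule has no `-W`, so it matches any packet with a LAN source leaving on any interface, including what the router itself sends to LAN hosts; adding `-W eth0` limits it to the external side.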

From: Jack Coates <jrcoates@pacbell.net>
To: "Jacek M. Holeczek" <holeczek@us.edu.pl>, linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....
Date: Mon, 13 Sep 1999 07:29:15 -0700

On Mon, 13 Sep 1999, Jacek M. Holeczek wrote:
> Hi,
> There was a preliminary xDSL LRP HOWTO published for the 2.9.4 with a
> script containing "Direct Network Settings", with some problems :
>    1. explicit addresses/names are used

myrouter/mynet  is a default in 2.9.4 -- I just left it standing. I also used
explicit 192.168.1.x addresses because 90% of the people using this will
        a) have a single IP address from an ISP and require masq'ing
        b) have enough knowledge to modify the internal addresses themselves.

>    2. the command to block SMB traffic does not work

very possible -- I copied it from someone else's FAQ and didn't look closely.

>    3. the port 22 is not ftp, but ssh ( don't forward )

Typo! I was looking at
http://www.isi.edu/in-notes/iana/assignments/port-numbers and saw two ports --
but typed the wrong ones in :-(

> Please find below a slightly modified script.
> It assumes that IF0 is the external interface and IF1 is the internal,
> trusted one. The only explicit internal addresses present in this script
> are machines to which quake, ftp, http are forwarded.

Thanks! I'm hoping to add a few more documented firewall holes, so that a newbie
user can just comment out the ones that should be blocked. Any ideas?

Jack

Date: Tue, 14 Sep 1999 09:36:43 +0200 (MET DST)
From: "Jacek M. Holeczek" <holeczek@us.edu.pl>
To: linux-router@linuxrouter.org
Subject: Re: [LRP] LRP made easier by....

> >  1. explicit addresses/names are used
> myrouter/mynet  is a default in 2.9.4 -- I just left it standing. I also used
> explicit 192.168.1.x addresses because 90% of the people using this will
I meant:
        - "216.103.209.127" instead of IF0_IPADDR
        - "192.168.1.0/24" instead of NET1_NETADDR/NET1_NETMASK
        - "eth0" instead of IF0_IFNAME
One, probably, cannot escape from explicit addresses in forwarding rules,
but it's not a good idea to forward to "192.168.1.1", as usually it's the
router itself ( so I took "192.168.1.2" as an example ).
>         b) have enough knowledge to modify the internal addresses themselves.
Why do you expect this ?
Just compare "216.103.209.127/22" with "192.168.1.0/24". I doubt that for a
new user it would be easy to note that in one case the "/22" means
something different than "/24" in the other case ( I mean port_number, and
mask ), and that in one case there is a machine's ip_address, and in the
other case a network_address.
Or take the "216.103.209.127 23" ( without "/" ).
Now, assume you don't have man pages for ipfwadm/ipautofw/ipportfw, ( they
don't come with LRP ) and you have to guess what these different
parameters mean looking at examples ( in fact I only have the man page for
ipfwadm ).
>>        3. the port 22 is not ftp, but ssh ( don't forward )
> Typo! I was looking at
Now I see the problem - I have one ftp port too few ( right ? )
Jacek.
BTW. There was a cry what the "SIOCADDRT Error" means, some time ago. I
     also had to fight with this problem under LRP 2.9.4. In the end I
     have found that there is a bug in the "etc/network.conf", as it comes
     with the distribution - there is "GW0_IFNAME=$IF0_NAME", while it
     should be "GW0_IFNAME=$IF0_IFNAME". It took me some time to find it.
     Jacek.
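
An added example, not code from the posts or from LRP, covering the "Working 2.9.4 Configs" block in the HOWTO and the `GW0_IFNAME=$IF0_NAME` slip reported just above: a checker that reads settings in the network.conf style the way the shell would (comments, quotes, `$NAME` expansion from earlier lines) and cross-checks them. A reference to a name that was never defined expands to nothing, which is how a mistyped `$IF0_NAME` leaves the default route without an interface; the checker reports that, plus broadcast addresses that do not match the interface netmask and NETn networks that do not match the interface they are routed through. All values in the sample are constructed (the external address is the one used in the thread, its netmask and broadcast are made up), and `IFn_IP_SPOOF` is only checked for being `YES`; the checker makes no claim about what LRP does with that setting.

```python
import ipaddress
import re

# Constructed sample in the style of the 2.9.4 network.conf shown in the HOWTO.
# GW0_IFNAME carries the typo from the last message ($IF0_NAME, not $IF0_IFNAME).
SAMPLE_CONF = """\
IF0_IFNAME=eth0
IF0_IPADDR=216.103.209.127
IF0_NETMASK=255.255.255.0
IF0_BROADCAST=216.103.209.255
IF0_IP_SPOOF=YES
IF1_IFNAME=eth1
IF1_IPADDR=192.168.1.254
IF1_NETMASK=255.255.255.0
IF1_BROADCAST=192.168.1.255
IF1_IP_SPOOF=YES
NET0_NETADDR=216.103.209.0
NET0_NETMASK=255.255.255.0
NET0_GATEWAY_IF=eth0
NET0_IPMASQ=NO
NET1_NETADDR=192.168.1.0
NET1_NETMASK=255.255.255.0
NET1_GATEWAY_IF=eth1
NET1_IPMASQ=YES
GW0_IPADDR=216.103.209.1
GW0_IFNAME=$IF0_NAME
HOSTNAME=myrouter
HOSTS1="$IF1_IPADDR     $HOSTNAME.private.org     myrouter"
"""

def parse_conf(text):
    """Read KEY=VALUE lines the way the shell would: strip comments and quotes,
    expand $NAME from values defined earlier.  Returns (settings, problems)."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')

        def expand(match):
            name = match.group(1)
            if name in settings:
                return settings[name]
            problems.append(f"line {lineno}: {key} references undefined ${name}")
            return ""  # the shell would also expand an unset name to nothing

        settings[key] = re.sub(r"\$(\w+)", expand, value)
    return settings, problems

def check_conf(settings):
    """Cross-check interfaces, networks and the default route; returns findings."""
    findings, ifaces = [], {}
    for n in range(8):
        p = f"IF{n}_"
        if p + "IFNAME" not in settings:
            continue
        net = ipaddress.ip_interface(f"{settings[p + 'IPADDR']}/{settings[p + 'NETMASK']}").network
        ifaces[settings[p + "IFNAME"]] = net
        if settings.get(p + "BROADCAST") != str(net.broadcast_address):
            findings.append(f"{p}BROADCAST should be {net.broadcast_address}")
        if settings.get(p + "IP_SPOOF") != "YES":
            findings.append(f"{p}IP_SPOOF is not YES")
    for n in range(8):
        p = f"NET{n}_"
        if p + "NETADDR" not in settings:
            continue
        net = ipaddress.ip_network(f"{settings[p + 'NETADDR']}/{settings[p + 'NETMASK']}", strict=False)
        via = settings.get(p + "GATEWAY_IF")
        if via not in ifaces:
            findings.append(f"{p}GATEWAY_IF={via!r} is not a configured interface")
        elif ifaces[via] != net:
            findings.append(f"{p}NETADDR {net} does not match {via} ({ifaces[via]})")
    gw_if, gw_ip = settings.get("GW0_IFNAME", ""), settings.get("GW0_IPADDR", "")
    if gw_if not in ifaces:
        findings.append(f"GW0_IFNAME={gw_if!r} names no configured interface (default route will fail)")
    elif not gw_ip or ipaddress.ip_address(gw_ip) not in ifaces[gw_if]:
        findings.append(f"GW0_IPADDR {gw_ip!r} is not on {gw_if}")
    return findings

def audit(text):
    """Parse and check a network.conf text; returns every problem found, in order."""
    settings, problems = parse_conf(text)
    return problems + check_conf(settings)
```

Run `audit(SAMPLE_CONF)` on the sample and the only report is the empty `GW0_IFNAME`; replace `$IF0_NAME` with `$IF0_IFNAME` and the list is empty. Running the same check over the real `etc/network.conf` before backing it up to the floppy (step 15 of the HOWTO) catches this class of mistake before the reboot rather than after the route add fails.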

Last modified: 14 September 1999
Compilation © Copyright 1999, Ethan Dicks <erd@infinet.com>. All Rights Reserved.