Check out the contents of /usr/share/doc/packages/bind8. BIND's logging
config is way beyond the scope of this list.
Good luck,
Tobias
> -----Original Message-----
> From: Hipolito A. Gonzalez M. [SMTP:hgonzale@celularshow.com]
> Sent: Monday, April 02, 2001 2:58 PM
> To: Reckhard, Tobias; suse-security(a)suse.de
> Subject: Re: [suse-security] Bind
>
> Reckhard, Tobias wrote:
> > Have you tried more extensive logging or perhaps execution in debug mode?
> > That will give you many more hints than are available from the default
> > logging.
>
> How can I enable the extensive logging? Thank you.
>
> --
> www.geekcode.com <http://www.geekcode.com>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCS/cc/e/it d++ s+:+ a-- C++$ UL+++$ E++ W+++$ w--- O----
> M V- PS PE+++ Y+ PGP- t+ 5 X++ R tv+ b++ DI-- D+ G e++$
> h! r++ y++
> ------END GEEK CODE BLOCK------
> - Sometimes I think there is life on other planets, and sometimes I think
> there isn't. In either case, the conclusion is astonishing.
> (Carl Sagan)
> -----------------------------------------------------------------
>
Tobias,
would you give some hints on how to run named in debug mode? I am having the
same problem.
It does log, however:
Apr 2 06:00:41 mand sshd2[10183]: DNS lookup failed for "x..x.42.2".
Apr 2 06:01:11 mand sshd[10183]: fatal: Read from socket failed: Connection reset by peer
Antal
--------------------------
webmaster
Kreorg Oktatóközpont
Tel/Fax: 321-0031
email: webmaster(a)kreorg.hu
When running 'SuSEfirewall check' I get the following output:
/sbin/SuSEfirewall: split-brained.: command not found
/sbin/SuSEfirewall: host/network.: No such file or directory
/sbin/SuSEfirewall: dmz/intern: No such file or directory
/sbin/SuSEfirewall: addesses!: command not found
ipchains produced errors, no default routing set up?
ipchains produced errors, no default routing set up?
ipchains produced errors, no default routing set up?
What is this telling me? The firewall appears to be working.
--Thanks, Mike
> following i want to use for internet topology:
>
I'm snipping your ASCII art for brevity.
> Internet -- eth0 62.153.xxx.190/255.255.255.192 (= /26)
> Router outside
> [DMZ: 62.153.xxx.134/255.255.255.224 (= /27)
> Router inside/Firewall
> eth0 (local Lan) 192.168.2.29
>
> It's only an Idea from me, is it possible to set up the DMZ like this,
> I've an ip-range of 64 addresses ( network 62.153.xxx.128/255.255.255.192)
>
OK, you've got an official 26-bit network. You can subnet that into two
27-bit networks, yes. However, you should apply that mask to the outside
interface as well and have your ISP modify his interface accordingly and add
a route to the DMZ subnet, pointing at your router. This is the most
straightforward and hard to mess up solution.
Alternatively you can fake the non-existence of your DMZ by mucking around
with Linux' IP capabilities. The two alternatives I can think of right now
are proxy arp and a combination of IP aliasing, IP masquerading and port
forwarding. Proxy arp is the less dirty of the two: it makes your outside
router answer arp requests for the machines in the DMZ and is thereby
addressed by machines in the network between it and your ISP's router. See
http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/index.html for details.
The other possibility is to add the DMZ server's IP addresses to the
exterior router's eth0 interface with IP aliasing and to use RFC1918
addresses in the DMZ. Using port forwarding, you can redirect traffic from
the router to the DMZ and masquerade the return traffic.
Both of these alternatives are hacks, more or less, to circumvent the need
for your ISP to do anything or, in fact, notice any change. However, they
are administratively much more complicated. It's your call.
> Outside of the DMZ there are more WWW-Server, only one of these should
> be in the DMZ, because on this host are running some special software.
>
Why shouldn't all of your public servers go into a DMZ? I'd probably advise
you to get an additional 30-bit or 29-bit subnet from your ISP to place the
exterior router and the ISP's router in and use your 26-bit network in one
or more DMZs.
> If i try it like this, i've problems with the routing, the DMZ is pingable
> from
> the "Router outside" but i can't reach the Internet from this Router.
>
Hmm, your routing is probably mucked up.
> Perhaps some people can help me set up the routing correctly and perhaps
> could
> tell (explain) me the mistakes i make!
>
The following should work on the exterior router:
/sbin/route add -net 62.153.xxx.128 netmask 255.255.255.224 dev eth1
/sbin/route add -net 62.153.xxx.128 netmask 255.255.255.192 dev eth0
You need to add both routes to the machines in front of the exterior router
as well as in the DMZ for routing between these networks to function. These
need to specify the exterior router as the gateway to use, of course.
HTH,
Tobias
> in the last weeks i often got the syslog-message
> that somebody wanted to update my bind-server
> for somedomain which was of course denied by
> my bind-system by default.
>
Are you sure an attempt to update your server software and not the database
is being made?
> are there any problems in the software i have
> to think about with regard to a worst case
> scenario...;-)
>
Well, BIND isn't considered to be very reliable with respect to security.
djbdns is, on the other hand, but isn't and probably won't be distributed by
SuSE, due to DJB's, umm.., unusual licensing policy. It's pretty easy to
compile, install and configure, though.
HTH,
Tobias
> For example it would be possible to install 4 nics in my box and then use
> one nic for isp A and one for isp B. Would it be also possible to set up
> firewalling so that isp A provides internet access to network C and B for
> network D.
> Box
> ISP A (eth0) -----> Network C (eth1)
> ISP B (eth2) -----> Network D (eth3)
>
> But it should not be possible to access ISP B from Network C and vice versa
> for ISP A.
>
This is possible with a 2.4 (or late 2.2?) kernel with the advanced routing
options. You need to perform routing based on source address. I expect it to
be pretty easy to muddle up in setup and maintenance, so I'd probably advise
against it and urge you to set up another box to properly separate both
networks. If we're talking about WAN uplinks any old box will be able to
handle the traffic easily.
> I think it should be possible with the SuSEfirewall. You only have to set
> up the right routing configuration.
>
I barely know SuSEFirewall myself, but generic iptables/ipchains aren't your
problem. The routing is, as you correctly assume.
Cheers,
Tobias
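Added worked example (not from the list or from any of its posters) modelling the two routing answers above in Python: the /26 split into two /27s with the longest-prefix lookup that lets the exterior router's two overlapping routes in the DMZ reply coexist, and the source-based rule layer the two-ISP reply refers to. The xxx octet is replaced by a placeholder 0, and the 192.168.1.0/24 and 192.168.2.0/24 networks for C and D are assumptions.

```python
import ipaddress

# Placeholder: the list post masks the third octet as "xxx"; 0 stands in for it.
PUBLIC_26 = ipaddress.ip_network("62.153.0.128/26")
# Split the official /26 into the two /27s discussed: .128/27 (DMZ) and .160/27.
DMZ_27, UPPER_27 = PUBLIC_26.subnets(new_prefix=27)

# Exterior-router table, mirroring the two "route add" lines in the reply.
MAIN_TABLE = [
    (ipaddress.ip_network("62.153.0.128/27"), "eth1"),  # DMZ subnet
    (ipaddress.ip_network("62.153.0.128/26"), "eth0"),  # whole /26 towards the ISP
]

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    A DMZ host matches both entries, but the /27 beats the /26, so eth1 is used."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in table if dst in net]
    if not matches:
        return None  # no route at all, e.g. for a private address
    return max(matches, key=lambda route: route[0].prefixlen)[1]

def which_subnet(addr):
    """Name the /27 an address falls into, or None if it is outside the /26."""
    addr = ipaddress.ip_address(addr)
    if addr in DMZ_27:
        return "dmz"
    return "upper" if addr in UPPER_27 else None

# Source-based (policy) routing for the two-ISP box: choose a table by source
# network first, then do a normal lookup in it. The 192.168 networks for C and
# D are assumed; the post only names the interfaces.
ISP_A_TABLE = [(ipaddress.ip_network("0.0.0.0/0"), "eth0")]
ISP_B_TABLE = [(ipaddress.ip_network("0.0.0.0/0"), "eth2")]
RULES = [
    (ipaddress.ip_network("192.168.1.0/24"), ISP_A_TABLE),  # network C on eth1
    (ipaddress.ip_network("192.168.2.0/24"), ISP_B_TABLE),  # network D on eth3
]

def policy_lookup(src, dst):
    """Return the uplink interface for a packet, or None if no rule matches."""
    src = ipaddress.ip_address(src)
    for net, table in RULES:
        if src in net:
            return lookup(table, dst)
    return None  # traffic from an unknown source never reaches either ISP
```

On a real 2.4 box the same split is what `ip rule` and per-ISP tables express; the model only shows why the lookups come out the way they do.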
For example it would be possible to install 4 nics in my box and then use
one nic for isp A and one for isp B. Would it be also possible to set up
firewalling so that isp A provides internet access to network C and B for
network D.
Box
ISP A (eth0) -----> Network C (eth1)
ISP B (eth2) -----> Network D (eth3)
But it should not be possible to access ISP B from Network C and vice versa
for ISP A.
I think it should be possible with the SuSEfirewall. You only have to set up
the right routing configuration.
Any comments?
----- Original Message -----
From: Bernhard Pavdi <bernhard.pavdi(a)tride.net>
To: <office(a)tride.net>
Sent: Monday, April 02, 2001 8:39 AM
Subject: [Fwd: [suse-security] many nic's]
For evaluation I received a NetScreen 5a. I'm a little bit unhappy with it
because it doesn't seem to support passive FTP. Moreover, if it only runs in
active mode I have to open all high ports for FTP, which is a fact I really hate.
If somebody knows how to set up passive FTP on the NetScreen 5a, please let me know.
TIA
Philipp