Mark,
thanks, that really helped. The box is a gateway between internal net and
internet, mainly masquerading, but I do have some filters especially on the
input side. I think I'll work that out.
again, tkuvm
dan
-----Original Message-----
From: Mark Lutz <luma@nikocity.de>
To: Dan <wdlists@webdirekt.de>
Cc: suse-security@suse.com <suse-security@suse.com>
Date: Friday, 13 August 1999 18:49
Subject: Re: [suse-security] ipfwadm on a 6.1
* Dan <wdlists@webdirekt.de> writes:
> 'ipfwadm' refused to work with 6.1 telling me 'service not
> available' and the 'file not found',
First thing after updating the kernel is to read
"/usr/src/linux/Documentation/Changes". There it says:
| As of 2.1.102, the IP firewalling code has been replaced; ipfwadm
| will no longer work. You need to obtain "ipchains," available from
| http://www.rustcorp.com/linux/ipchains/ , and use that instead of
| ipfwadm.
You'll find "ipchains" in series "n". After you have installed it, you
should read "/usr/doc/packages/ipchains/HOWTO.txt".
You might be able to use "/sbin/ipfwadm-wrapper" and keep your "old"
scripts. But I am sure SuSE offers ipchains scripts. So maybe you can
just rename "/sbin/init.d/firewall" and "/sbin/init.d/masquerade" and
reinstall the firewall and ipchains packages.
Do you use firewalling at all? If it's just masquerading you are
concerned with, add/change these lines in "/sbin/init.d/masquerade":
# the "old" lines are commented out, i.e., "#"
# IPFWADM="/sbin/ipfwadm"
IPFWADM="/sbin/ipchains"
# START
# the next line is new and you don't want to miss it!
echo 1 > /proc/sys/net/ipv4/ip_forward
# ${IPFWADM} -F -a accept -P all -S $i -D 0/0 -m -W ${MSQ_DEV}
${IPFWADM} -A forward -j MASQ -p all -s $i -d 0/0 -i ${MSQ_DEV}
# STOP
# ${IPFWADM} -F -d accept -P all -S $i -D 0/0 -m -W ${MSQ_DEV}
${IPFWADM} -D forward -j MASQ -p all -s $i -d 0/0 -i ${MSQ_DEV}
# LIST
# ${IPFWADM} -lFnex
${IPFWADM} -L forward -n -v -x
#${IPFWADM} -lMnex
${IPFWADM} -L -M -n -v -x
As you can see, I simply translated the old ipfwadm rules to ipchains
rules. Hope I didn't make any mistake.
Hope that helps
--
Mark Lutz
Accept German and English
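
The option mapping used in the translation quoted above, written out as an added example (not part of the original mails and not the code of /sbin/ipfwadm-wrapper). The function name is hypothetical, the sample network and device are constructed, and it handles only the forwarding options that appear in the masquerade script; it prints the ipchains command and does not run it.

```sh
#!/bin/sh
# Translate one ipfwadm forwarding rule into the equivalent ipchains command.
# Subset handled: -F, -a/-d <policy>, -m, -P, -S, -D, -W (as in the script above).
ipfwadm_to_ipchains() {
    action="" target="" masq=0 opts=""
    [ "$1" = "-F" ] || { echo "only -F (forward) rules are handled" >&2; return 1; }
    shift
    while [ $# -gt 0 ]; do
        case "$1" in
            -a|-d|-P|-S|-D|-W)
                # these options need a value; refuse to guess if it is missing
                [ $# -ge 2 ] || { echo "missing argument for $1" >&2; return 1; } ;;
        esac
        case "$1" in
            -a|-d)
                if [ "$1" = "-a" ]; then action="-A"; else action="-D"; fi
                case "$2" in
                    accept) target="ACCEPT" ;;
                    deny)   target="DENY" ;;
                    reject) target="REJECT" ;;
                    *) echo "unknown policy: $2" >&2; return 1 ;;
                esac
                shift 2 ;;
            -m) masq=1; shift ;;                  # masquerade flag
            -P) opts="$opts -p $2"; shift 2 ;;    # protocol
            -S) opts="$opts -s $2"; shift 2 ;;    # source
            -D) opts="$opts -d $2"; shift 2 ;;    # destination
            -W) opts="$opts -i $2"; shift 2 ;;    # interface name
            *) echo "unsupported option: $1" >&2; return 1 ;;
        esac
    done
    [ -n "$action" ] || { echo "no -a/-d command given" >&2; return 1; }
    if [ "$masq" -eq 1 ]; then
        # "accept" plus -m becomes the MASQ target; any other policy is an error
        [ "$target" = "ACCEPT" ] || { echo "-m needs policy accept" >&2; return 1; }
        target="MASQ"
    fi
    echo "ipchains $action forward -j $target$opts"
}

# Constructed sample: internal net 192.168.0.0/24 masqueraded via ppp0
ipfwadm_to_ipchains -F -a accept -P all -S 192.168.0.0/24 -D 0/0 -m -W ppp0
```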