Hi,

-----Original Message-----
From: Jim Hoepner [SMTP:jhoepner@tvsw.org]
Sent: Thursday, March 30, 2000 10:19 AM
When I was working on IPCHAINS (a couple of weeks ago) I created (I was following some HowTo - not sure which one) a /sbin/init.d/packetfilter script to set up my IPCHAINS and made a symbolic link to /etc/rc.d/rcS.d/S39packetfilter. I was seeing that this script was never being accessed on bootup. I forgot about it until today when I tried (for the first time ever) to enter LILO boot: linux single
I noticed that when booting it accessed my packetfilter script.
Can anyone tell me why this made a difference?
Sure,

You only set the symlink in that runlevel. You will notice there are other directories all having the form rc<X>.d. The <X> indicates the runlevel, S (single), 2 (console default), 3 (X default), etc. Also note that /etc/rc.d is also a symlink.

Tim
Thanks! jrh
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
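A check for the situation Tim describes, as an added example that is not part of the original thread: it lists the runlevels in which a start link for the packet filter script exists and reports the ones where the box would come up without it. The function names and the temporary directory tree are constructed for illustration; runlevels 2 and 3 are the ones named in the reply.

```python
import os
import re
import tempfile

def start_links(rc_root, script):
    """Map runlevel -> names of S?? start links in rc<X>.d that point at script."""
    found = {}
    for entry in sorted(os.listdir(rc_root)):
        m = re.fullmatch(r"rc(\w)\.d", entry)
        if not m:
            continue
        level_dir = os.path.join(rc_root, entry)
        for name in sorted(os.listdir(level_dir)):
            path = os.path.join(level_dir, name)
            if (re.match(r"S\d\d", name) and os.path.islink(path)
                    and os.path.realpath(path) == os.path.realpath(script)):
                found.setdefault(m.group(1), []).append(name)
    return found

def missing_runlevels(rc_root, script, wanted=("2", "3")):
    """Runlevels from `wanted` in which the script would not be started."""
    started = start_links(rc_root, script)
    return [level for level in wanted if level not in started]

def build_sample_tree():
    """Constructed layout mirroring the thread: only rcS.d has a start link."""
    root = tempfile.mkdtemp(prefix="rc-audit-")
    script = os.path.join(root, "packetfilter")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder for the ipchains setup script\n")
    for level in ("S", "2", "3"):
        os.mkdir(os.path.join(root, f"rc{level}.d"))
    os.symlink("../packetfilter", os.path.join(root, "rcS.d", "S39packetfilter"))
    return root, script

if __name__ == "__main__":
    root, script = build_sample_tree()
    print("started in:", start_links(root, script))
    print("not started in:", missing_runlevels(root, script))
    # Adding the link to a multi-user runlevel closes the gap for that level.
    os.symlink("../packetfilter", os.path.join(root, "rc2.d", "S39packetfilter"))
    print("after linking rc2.d, not started in:", missing_runlevels(root, script))
```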
Thanks. I just learned something about run levels.

Could this be why my browser times out and I can't send email: I see these errors in /var/log/messages

"pppd[288]: Received bad configure-nak/rej: 12 06 00 00 00 01"
"pppd[401]: Cannot determine ethernet address for proxy ARP"
"pppd[401]: CCP: timeout sending Config-Requests"

What do I need to do to fix these errors? I think I'm getting out thru the firewall cause I see it says "Website found" and displays the IP address but sits there "waiting for reply"

Thanks again,
jrh

-----Original Message-----
From: Tim Duggan [mailto:tduggan@dekaresearch.com]
Sent: Thursday, March 30, 2000 9:26 AM
To: suse-linux-e@suse.com
Subject: RE: [SLE] Firewall/Masq box

Hi,

-----Original Message-----
From: Jim Hoepner [SMTP:jhoepner@tvsw.org]
Sent: Thursday, March 30, 2000 10:19 AM
When I was working on IPCHAINS (a couple of weeks ago) I created (I was following some HowTo - not sure which one) a /sbin/init.d/packetfilter script to set up my IPCHAINS and made a symbolic link to /etc/rc.d/rcS.d/S39packetfilter. I was seeing that this script was never being accessed on bootup. I forgot about it until today when I tried (for the first time ever) to enter LILO boot: linux single
I noticed that when booting it accessed my packetfilter script.
Can anyone tell me why this made a difference?
Sure,

You only set the symlink in that runlevel. You will notice there are other directories all having the form rc<X>.d. The <X> indicates the runlevel, S (single), 2 (console default), 3 (X default), etc. Also note that /etc/rc.d is also a symlink.

Tim
Thanks! jrh
On Thu, 30 Mar 2000, Jim Hoepner wrote:
> I think I'm getting out thru the firewall cause I see it says "Website found" and displays the IP address but sits there "waiting for reply"
I struggled with this early on, and eventually realized I had set a trap for myself and was being misled by it.

Are you using the firewall box as a nameserver as well? If so, it's quite possible that you could look up a name and then not be able to do anything with the resulting address. Because when it doesn't know an address, *it* - the nameserver/firewall - originates a request up the DNS hierarchy. The reply doesn't have to go through your firewall, it only has to be accepted back into the nameserver. Then your nameserver, having learned the address, sends it to your workstation. This packet, also, doesn't have to go through the firewall. So you THINK your firewall is sort of working, when it might not be working at all.

Start on the firewall itself. Can you, from there, see your other machines? Can you, from there, see the rest of the world? If so, then the machine is networking correctly on both sides.

So switch to one of your other machines. You should see the firewall, no problem. Can you see through it to the outside world, by IP address? I'm guessing you can't. This would indicate a problem with the forwarding scripts.

The main problem I tripped over with ipchains is that an incoming packet is ALWAYS subject to the input and output chains. If it passes those, a packet that is a reply on a masqueraded connection automatically gets through, and a packet that is actually for the firewall machine is of course already there, and anything else must also pass through the forward chain.

I was trying to secure my firewall, rejecting all incoming packets except a few explicitly permitted ports. This had the effect that while I could initiate an outgoing connection, the incoming acknowledgement would be dropped by the firewall. The input rules have to let practically everything in.
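The trap described in the message above, modelled as an added example that is not code from the thread: a simplified Python model of ipchains traversal for TCP packets arriving on the external interface. The packets and rule sets are constructed, and the `syn=False` rule stands for an ipchains `! -y` match, shown here as one stateless alternative to accepting practically everything.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # TCP packet arriving on the external (ppp) interface
    dport: int
    syn: bool                      # True only for a connection-opening packet
    masq_reply: bool = False       # reply on a connection the box masqueraded outbound
    local: bool = False            # addressed to a service on the firewall itself

@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DENY"
    dport: Optional[int] = None    # None matches any port
    syn: Optional[bool] = None     # True ~ "-y", False ~ "! -y", None matches both

    def matches(self, p):
        return ((self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))

def verdict(chain, policy, p):
    """First matching rule wins; otherwise the chain policy applies."""
    return next((r.target for r in chain if r.matches(p)), policy)

def traverse(p, fw):
    """Simplified chain order for a packet coming in from outside."""
    if verdict(fw["input"], fw["input_policy"], p) != "ACCEPT":
        return "dropped by input chain"
    if p.local:
        return "delivered to firewall"
    if not p.masq_reply:           # masqueraded replies skip the forward chain
        if verdict(fw["forward"], fw["forward_policy"], p) != "ACCEPT":
            return "dropped by forward chain"
    if verdict(fw["output"], fw["output_policy"], p) != "ACCEPT":
        return "dropped by output chain"
    return "passed to LAN"

def firewall(input_rules):
    return {"input": input_rules, "input_policy": "DENY",
            "forward": [], "forward_policy": "DENY",
            "output": [], "output_policy": "ACCEPT"}

# Constructed sample packets and rule sets.
REPLY = Packet(dport=61234, syn=False, masq_reply=True)  # web server answering a LAN client
NEW_SSH = Packet(dport=22, syn=True, local=True)         # permitted service on the firewall
NEW_TELNET = Packet(dport=23, syn=True, local=True)      # unsolicited connection attempt
STRICT = firewall([Rule("ACCEPT", dport=22)])            # "a few explicitly permitted ports"
NON_SYN = firewall([Rule("ACCEPT", dport=22), Rule("ACCEPT", syn=False)])

def outcomes(fw):
    return [traverse(p, fw) for p in (REPLY, NEW_SSH, NEW_TELNET)]
```

With `STRICT` the reply to the LAN client dies in the input chain even though the outgoing connection was opened; with `NON_SYN` it gets through while the unsolicited telnet attempt is still denied.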
-----Original Message-----
From: Warrl [mailto:warrl@blarg.net]
Sent: Thursday, March 30, 2000 11:24 PM
To: jhoepner@tvsw.org; Jim Hoepner; suse-linux-e@suse.com
Subject: RE: [SLE] Firewall/Masq box

On Thu, 30 Mar 2000, Jim Hoepner wrote:

> > I think I'm getting out thru the firewall cause I see it says "Website found" and displays the IP address but sits there "waiting for reply"

> Are you using the firewall box as a nameserver as well?

I *don't* think so. I set START_NAMED="no" in /etc/rc.config but when I boot I see the NAME SERVICE CACHE DAEMON is starting?

> Start on the firewall itself. Can you, from there, see your other machines? Can you, from there, see the rest of the world?

I can see my other machines/world. I can ping to my network and out to the world by IPaddr and hostname.

> Can you see through it to the outside world, by IP address?

I can telnet, ping, ftp and receive mail (outlook 98 if that matters) thru my firewall both by IPaddr and hostname. I just tried to ping thru the firewall when my ppp was down and it said "response from <myfirewall> network is unreachable" so it sure looks like it's going thru instead of around.
I have some /var/log/message entries that might have something to do with the problem:

ent [LCP ConfRej id=ox1 < 11 04 05 ea> < 13 09 03 00 c0 49 0d bd 83>]
rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [CCP ConfRej id=0x6 < 12 06 00 00 00 01> < 11 05 00 00 03> < 11 06 00 00 01 01>]
Cannot determine ethernet address for proxyArp
CCP: timeoutsending Config-Requests

Might these errors (I assume they're errors) have something to do with my problem?

Thanks!
jrh