Hi,
I have a SuSE 6.3 box running as a firewall at school. It has an ISDN dialup, and I protect it using ipchains. I've made a script that loads the rules, and everything works fine....
Until the IP number changes.
When the box dials in again, it gets a different IP number. The ipchains-rules however, remain on the other, obsolete address. How can I fix this? Now I have to make a choice. Either I resubmit the rules on the new IP, or I skip the firewalling stuff, thus letting others in...
Can anyone help me with this? Is there a script I can run *before* the dialing?
Thanks,
Rogier Maas
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
Rogier Maas wrote:
> Hi,
> I have a SuSE 6.3 box running as a firewall at school. It has an ISDN dialup, and I protect it using ipchains. I've made a script that loads the rules, and everything works fine....
> Until the IP number changes.
> When the box dials in again, it gets a different IP number. The ipchains-rules however, remain on the other, obsolete address. How can I fix this? Now I have to make a choice. Either I resubmit the rules on the new IP, or I skip the firewalling stuff, thus letting others in...
> Can anyone help me with this? Is there a script I can run *before* the dialing?
> Thanks,
Rogier,
Take a look at the new firewals package (yes, that's spelled right!) in the sec group. There is an update on SuSE's web page. It is a script called /sbin.init.d/firewall (and yes, this too is spelled right!) that builds up a nice set of ipchains rules based on the actual state of the networking, taking into account dynamically assigned IP addresses. It is controlled by a config file:
/etc/rc.firewall
I run the script in /etc/ppp/ip-up.local and ip-down.local
____________________________________________________________________
Robert Paulsen http://paulsen.home.texas.net
On Sat, 1 Jan 2000, Robert C. Paulsen, Jr. wrote:
rp> Rogier Maas wrote:
rp> >
rp> > Hi,
rp> >
rp> > When the box dials in again, it gets a different IP number. The
rp> > ipchains-rules however, remain on the other, obsolete address. How can I
rp> > fix this? Now I have to make a choice. Either I resubmit the rules on
rp> > the new IP, or I skip the firewalling stuff, thus letting others in...
rp> >
rp> > Can anyone help me with this? Is there a script I can run *before* the
rp> > dialing?
rp> >
rp> > Thanks,
rp> >
rp>
rp> Rogier,
rp>
rp> Take a look at the new firewals package (yes, that's spelled right!)
rp> in the sec group. There is an update on SuSE's web page. It is a
rp> script called /sbin.init.d/firewall (and yes, this too is spelled
rp> right!) that builds up a nice set of ipchains rules based on the
rp> actual state of the networking, taking into account dynamically
rp> assigned IP addresses. It is controlled by a config file:
rp>
rp> /etc/rc.firewall
rp>
rp> I run the script in /etc/ppp/ip-up.local and ip-down.local
rp>
I'm not sure if that will work for all instances though, what if the person is using an ethernet card out to an external isdn box say an ascend pipeline or similar. In which case an isdn connection doesn't trigger the ip-up and ip-down routines thus eliminating that as an option. For a modem or an isdn card, that will work as you can select the appropriate device in the network configuration menu of yast, but when it goes through an ethernet card, you need to set up the device as ethernet which won't trigger the routines.
Or has someone worked around that which I'm not aware of at this time?
--
S.Toms - tomas@primenet.com - homepage is in the works
SuSE Linux v6.2+ - Kernel 2.2.13
"In order to make an apple pie from scratch, you must first create the universe."
-- Carl Sagan, Cosmos

"S.Toms" wrote:
> rp> I run the script in /etc/ppp/ip-up.local and ip-down.local
> I'm not sure if that will work for all instances though, what if the person is using an ethernet card out to an external isdn box say an ascend pipeline or similar. In which case an isdn connection doesn't trigger the ip-up and ip-down routines thus eliminating that as an option. For a modem or an isdn card, that will work as you can select the appropriate device in the network configuration menu of yast, but when it goes through an ethernet card, you need to set up the device as ethernet which won't trigger the routines. Or has someone worked around that which I'm not aware of at this time?
Exactly!
Rogier Maas wrote:
> "S.Toms" wrote:
> > rp> I run the script in /etc/ppp/ip-up.local and ip-down.local
> > I'm not sure if that will work for all instances though, what if the person is using an ethernet card out to an external isdn box say an ascend pipeline or similar. In which case an isdn connection doesn't trigger the
> Exactly!
Again: I was mistaken: My box is using an ISDN-card, so those scripts should work. But indeed: At home I have the same problem: I use DHCP and a cable modem. What if I get a new IP? Maybe I could do a cronjob to check the IP. If changed, reinit the firewall.
Greetings,
Rogier Maas
On Sun, 2 Jan 2000, Rogier Maas wrote:
rm> "S.Toms" wrote:
rm> > rp>
rm> > rp> I run the script in /etc/ppp/ip-up.local and ip-down.local
rm> > rp>
rm> >
rm> > I'm not sure if that will work for all instances though, what if the
rm> > person is using an ethernet card out to an external isdn box say an ascend
rm> > pipeline or similar. In which case an isdn connection doesn't trigger the
rm> > ip-up and ip-down routines thus eliminating that as an option. For a modem
rm> > or an isdn card, that will work as you can select the appropriate device
rm> > in the network configuration menu of yast, but when it goes through an
rm> > ethernet card, you need to set up the device as ethernet which won't
rm> > trigger the routines.
rm> > Or has someone worked around that which I'm not aware of at this time?
rm> >
rm> Exactly!
rm>
Is this 6.2 or 6.3? And if it's 6.3, Lenz, do you know when a 6.2 update will be made available?
--
S.Toms - tomas@primenet.com - homepage is in the works
SuSE Linux v6.2+ - Kernel 2.2.13
Look out! Behind you!
Hi,
On Sat, 1 Jan 2000, S.Toms wrote:
> Is this 6.2 or 6.3? And if it's 6.3, Lenz, do you know when a 6.2 update will be made available?
I am pretty sure that these scripts work on 6.2, too. Just use the updated package for 6.3 and give it a try :)
Bye,
LenZ
--
Lenz Grimmer, SuSE GmbH
mailto:grimmer@suse.de
Schanzaeckerstr. 10, 90443 Nuernberg, Germany
http://www.suse.de/~grimmer

"Robert C. Paulsen, Jr." wrote:
> Rogier Maas wrote:
> > Hi,
> > I have a SuSE 6.3 box running as a firewall at school. It has an ISDN dialup, and I protect it using ipchains. I've made a script that loads the rules, and everything works fine....
> > Until the IP number changes.
> > When the box dials in again, it gets a different IP number. The ipchains-rules however, remain on the other, obsolete address. How can I fix this? Now I have to make a choice. Either I resubmit the rules on the new IP, or I skip the firewalling stuff, thus letting others in...
> > Can anyone help me with this? Is there a script I can run *before* the dialing?
> > Thanks,
> Rogier,
> Take a look at the new firewals package (yes, that's spelled right!) in the sec group. There is an update on SuSE's web page. It is a script called /sbin.init.d/firewall (and yes, this too is spelled right!) that builds up a nice set of ipchains rules based on the actual state of the networking, taking into account dynamically assigned IP addresses. It is controlled by a config file:
> /etc/rc.firewall
> I run the script in /etc/ppp/ip-up.local and ip-down.local
That's the problem: I don't do ppp. I have a cable modem which uses dhcp. So no scripts are being run as far as I know.
Rogier
Rogier Maas wrote:
> That's the problem: I don't do ppp. I have a cable modem which uses dhcp. So no scripts are being run as far as I know.
> Rogier
Sorry: my mistake. Here I was talking about my box at home. I was questioning something of a box at school. (I'm confused, would I have a millennium-bug? lol)
Right. So those scripts actually are run before and after the dialups. I'll try that, thanks for helping!
Greetings and sorry for the confusion!
Rogier
Rogier Maas wrote:
> "Robert C. Paulsen, Jr." wrote:
> > Rogier Maas wrote:
> > > Hi,
> > > I have a SuSE 6.3 box running as a firewall at school. It has an ISDN dialup, and I protect it using ipchains. I've made a script that loads the rules, and everything works fine....
> > > Until the IP number changes.
> > > When the box dials in again, it gets a different IP number. The ipchains-rules however, remain on the other, obsolete address. How can I fix this? Now I have to make a choice. Either I resubmit the rules on the new IP, or I skip the firewalling stuff, thus letting others in...
> > > Can anyone help me with this? Is there a script I can run *before* the dialing?
> > > Thanks,
> > Rogier,
> > Take a look at the new firewals package (yes, that's spelled right!) in the sec group. There is an update on SuSE's web page. It is a script called /sbin.init.d/firewall (and yes, this too is spelled right!) that builds up a nice set of ipchains rules based on the actual state of the networking, taking into account dynamically assigned IP addresses. It is controlled by a config file:
> > /etc/rc.firewall
> > I run the script in /etc/ppp/ip-up.local and ip-down.local
Rogier Maas said:
> Hi,
> I have a SuSE 6.3 box running as a firewall at school. It has an ISDN dialup, and I protect it using ipchains. I've made a script that loads the rules, and everything works fine....
> Until the IP number changes.
> When the box dials in again, it gets a different IP number. The ipchains-rules however, remain on the other, obsolete address. How can I fix this? Now I have to make a choice. Either I resubmit the rules on the new IP, or I skip the firewalling stuff, thus letting others in...
> Can anyone help me with this? Is there a script I can run *before* the dialing?
According to the ipchains man page,
    -i, --interface [!] name
        Optional name of an interface via which a packet is received, or
        via which is packet is going to be sent. When this option is
        omitted, the empty string is assumed, which has a special meaning
        and will match with any interface name. When the "!" argument is
        used before the interface name, the sense is inverted. If the
        interface name ends in a "+", then any interface which begins
        with this name will match.
so it looks like you could do something like:
    /sbin/ipchains -A input -i ppp+ -s 123.45.67.0/24 -j DENY -l
(or whatever)
I would think you should be able to reformulate your rules to use this method instead of specifying the IP of the interface itself. If that's not possible then you could always write yourself an ip-up script that rewrites the ipchains rules automatically.
-John
Rogier Maas wrote:
> Hi,
> I have a SuSE 6.3 box running as a firewall at school. It has an ISDN dialup, and I protect it using ipchains. I've made a script that loads the rules, and everything works fine....
> Until the IP number changes.
> When the box dials in again, it gets a different IP number. The ipchains-rules however, remain on the other, obsolete address. How can I fix this? Now I have to make a choice. Either I resubmit the rules on the new IP, or I skip the firewalling stuff, thus letting others in...
> Can anyone help me with this? Is there a script I can run *before* the dialing?
> Thanks,
> Rogier Maas
Hi Rogier,
Have a look at /etc/ppp/ip-up. This script is executed as soon as a new connect is made. There is an ip-up and ip-down "case" (the latter is executed after hangup). In this script the variable $LOCALIP (4th parameter) contains the new valid IP (last valid IP with ip-down), basically to reset the routing (ip-down) to avoid some other dyn-ip caused ISDN trouble.
I'd add / alter some rules from within that script. (In fact I do so, locking a "used" IP for some time to avoid redials by open sockets. Doesn't work in every case though...)
Juergen
--
Juergen Braukmann juergen.braukmann@gmx.de
Tel: 0201-743648 dk4jb@db0qs.#nrw.deu.eu
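
The two refresh triggers raised in this thread, the pppd ip-up hook (which receives the new local address as its 4th argument) and a periodic cron check for DHCP links, can share one script. This is an added example, not code from any poster or from the SuSE firewals package; the state file path, the function names and the two sample rules are assumptions, and it assumes ip-up.local is passed the same arguments as ip-up.

```shell
#!/bin/sh
# Added example (not from the thread): re-bind address-specific ipchains rules
# when the external address changes. STATE, the function names and the two
# sample rules are assumptions made for illustration.
STATE=${STATE:-/var/run/fw-extip}        # address the rules were last built for
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Print the IPv4 address currently on interface $1 (empty if it has none).
current_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Accept only a dotted quad, so nothing else can end up in a rule.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Constructed sample policy. $1 is -A (append) or -D (delete),
# $2 the interface, $3 the address the rules are bound to.
rules() {
    $IPCHAINS "$1" input -i "$2" -p tcp -d "$3" 22 -j ACCEPT &&
    $IPCHAINS "$1" input -i "$2" -p tcp -d "$3" -y -j DENY -l
}

# Rebuild the rules only if the address on interface $1 differs from the stored one.
refresh() {
    is_ipv4 "$2" || { echo "fw-refresh: no usable address for $1" >&2; return 2; }
    old=$(cat "$STATE" 2>/dev/null || true)
    [ "$old" = "$2" ] && return 0           # unchanged, leave the rules alone
    rules -A "$1" "$2" || return 1          # add the new rules before removing the old
    if is_ipv4 "$old"; then rules -D "$1" "$old"; fi   # then drop the obsolete ones
    echo "$2" > "$STATE"
}

# pppd runs ip-up as: interface tty speed local-ip remote-ip ipparam, so $4 is
# the new address. From cron (DHCP, no ppp hooks) pass just the interface.
if [ $# -gt 0 ]; then
    refresh "$1" "${4:-$(current_ip "$1")}"
fi
```

Saved under a hypothetical name such as fw-refresh, it would be called as `fw-refresh "$@"` from /etc/ppp/ip-up.local, or as `fw-refresh eth0` from cron on a DHCP link.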
Hi everyone!
Just wondering if it's possible to change the default language, keyboard map, and timezone as used on the -initial- setup screen of YaST2? (I know that you can -proceed- the setup in a language/keymap/timezone of your choice). The default is a non-english language, which could confuse some english-speaking users..
Thanks in advance,
Jason.
participants (7)
- grimmer@suse.de
- icarus@guldennet.nl
- jebs@ozemail.com.au
- jmgrant@primenet.com
- juergen.braukmann@ruhr-west.de
- paulsen@texas.net
- tomas@primenet.com