Re: Please help with lan problems

rkn@intellinet.com
Tue, 20 May 1997 12:54:06 -0500 (CDT)


I am running IP Masq, and before I went to v2.1.39 everything worked like a charm.
Now the LAN won't work, and when I run ipfwadm it gives no errors, but if I also
run ipautofw (for CU-SeeMe) it says "setsockopt: Protocol not available". Any
ideas? I have also included the ipfwadm script that I use to bring it up at
boot time.

#
# Firewall configuration file
# $Id$
# Generated by: dotfile ipfwadm
#

#---------->General Settings<----------
# General settings
# dialup ISP via PPP, dynamic IP address
# Initialization

# Define some variables to make things a bit clearer below
# Any system anywhere
export ANY="0.0.0.0/0"
# The Internet connection
export INET="-W ppp0"
# The local network port
export LETH="-V 192.168.124.4 -W eth0"
# The local network
export LNET="192.168.124.4/255.255.255.0"
# The firewall (this system on the local network)
export FWALL="192.168.124.4/32"
# The firewall's Internet address (if known or determinable)
export INET_IP="$ANY"
# Some ipfwadm flags for the TCP protocol
export OpenNewConn="-y"
export ConnEstablished="-k"

# Reset to known state
/sbin/ipfwadm -I -f # flush existing input rules
/sbin/ipfwadm -O -f # flush existing output rules
/sbin/ipfwadm -F -f # flush existing forwarding rules

# Set default policy
/sbin/ipfwadm -I -p accept
/sbin/ipfwadm -O -p accept
/sbin/ipfwadm -F -p accept

#---------->ISP Settings<----------
# ISP settings

# Anti-Spoofing
/sbin/ipfwadm -I -a deny $INET -S $LNET

# per RFC1597 (see http://andrew2.andrew.cmu.edu/rfc/rfc1597.html)
# the following network addresses must not be routed to the Internet:
/sbin/ipfwadm -O -a deny $INET -S 10.0.0.0/8
/sbin/ipfwadm -O -a deny $INET -D 10.0.0.0/8
/sbin/ipfwadm -I -a deny $INET -S 10.0.0.0/8
/sbin/ipfwadm -I -a deny $INET -D 10.0.0.0/8

/sbin/ipfwadm -O -a deny $INET -S 172.16.0.0/12
/sbin/ipfwadm -O -a deny $INET -D 172.16.0.0/12
/sbin/ipfwadm -I -a deny $INET -S 172.16.0.0/12
/sbin/ipfwadm -I -a deny $INET -D 172.16.0.0/12

/sbin/ipfwadm -O -a deny $INET -S 192.168.0.0/16
/sbin/ipfwadm -O -a deny $INET -D 192.168.0.0/16
/sbin/ipfwadm -I -a deny $INET -S 192.168.0.0/16
/sbin/ipfwadm -I -a deny $INET -D 192.168.0.0/16

#---------->IP Masquerade Settings<----------
# IP-Masq settings
# Load the masquerade support modules for certain services
#/usr/X11R6/bin/modprobe ip_masq_cuseeme
#/usr/X11R6/bin/modprobe ip_masq_ftp
#/usr/X11R6/bin/modprobe ip_masq_irc
#/usr/X11R6/bin/modprobe ip_masq_raudio
#/usr/X11R6/bin/modprobe ip_masq_vdolive

# Block forwarding certain traffic that shouldn't go out anyway
# reject rather than deny, to aid troubleshooting
/sbin/ipfwadm -F -a reject -S $LNET -D $LNET
/sbin/ipfwadm -F -a reject -S $LNET -D 10.0.0.0/8
/sbin/ipfwadm -F -a reject -S $LNET -D 172.16.0.0/12
/sbin/ipfwadm -F -a reject -S $LNET -D 192.168.0.0/16

# Masquerade 192.168.124.3
# Default masquerade policy is allow - block the listed services for 192.168.124.3

# Masquerade 192.168.124.2
# Default masquerade policy is allow - block the listed services for 192.168.124.2

# Global masquerade rules
# Default masquerade policy is allow - block the listed services for all computers

# Global masquerade policy
# Default masquerade policy is allow
/sbin/ipfwadm -F -a masquerade $INET -S $LNET -D $ANY

#---------->Deny/Services (Per-Host, Internet Hosts)<----------

#---------->Deny/Services (Per-Host, Local Hosts)<----------
# Per-Local-Host Service Blocking
# Masquerading is in use. Hosts on the local net will be controlled through
# the masquerade options.

#---------->Allow/Services (Per-Host, Internet Hosts)<----------

#---------->Allow/Services (Per-Host, Local Hosts)<----------
# Per-Local-Host Services Allowed
# Masquerading is in use. Hosts on the local net will be controlled through
# the masquerade options.

#---------->Deny/Services (Global)<----------

#---------->Allow/Services (Global)<----------
# Global Services Allowed
# allow anyone on the local net to request any well-known tcp port from any Internet host
/sbin/ipfwadm -O -a accept $INET -P tcp -S $INET_IP -D $ANY 1:1024
/sbin/ipfwadm -I -a accept $INET -P tcp $ConnEstablished -D $INET_IP -S $ANY 1:1024

#---------->Placeholder<----------
# Default Internet Policy
# allow traceroute to send packets to the Internet
/sbin/ipfwadm -O -a accept $INET -P udp -S $INET_IP -D $ANY 33434:33523
#
# End of Firewall Configuration
#/sbin/ipautofw -F # Clears out any old auto-forward entries
#/sbin/ipautofw -A -v -d udp 7648 7649 -c udp 7648
#/sbin/ipautofw -A -v -d udp 7648 7649 -h 192.168.124.3

____________________________________________________

I'm not sure what the problem can be now.

Thanks, Russell

On 20-May-97 Taner Halicioglu wrote:
>On Tue, 20 May 1997 rkn@intellinet.com wrote:
>
>> eth0 Link encap:Ethernet HWaddr 00:20:78:10:14:BE
>> inet addr:192.168.124.4 Bcast:192.168.124.255 Mask:255.255.255.0
>
>192.168.0.0 -> 192.168.255.0 are reserved nets (not routed by the
>outside world)...
>
>I'm assuming you are running IP Masq. on your linux box or somesuch?
>Otherwise I'm not in the least bit surprised she can't see the outside
>world :-)
>
> -Taner
>--
> D. Taner Halicioglu taner@isi.net
> Programmer/Engineer/Sysadmin Internet Systems, Inc.
> Voice: +1 408 543 0313 Fax: +1 408 541 9878
> PGP Fingerprint: 65 0D 03 A8 26 21 6D B8 23 3A D6 67 23 6E C0 36
>

----------------------------------
E-Mail: rkn@intellinet.com
Date: 20-May-97
Time: 12:54:06

-------------------------------------
RKN can do all of your web and graphics needs
call (501) 221-1207 or E-mail for more information
or vist us at http://www.hubble.com/Design
-------------------------------------
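The anti-spoofing and RFC1597 input rules from the posted ipfwadm script, as an added example that is not part of the original message: a POSIX shell emulation of first-match evaluation on the input chain, so the verdict for a packet with a given interface, source and destination can be checked offline without ipfwadm. It assumes the posted variable values, and it masks both sides of each address/mask comparison (the example's own behaviour), which is why the post's host/mask notation for LNET covers the whole /24.

```shell
#!/bin/sh
# Added example, not from the original post: emulates first-match evaluation
# of the posted ipfwadm -I (input) rules for one packet, entirely offline.
ANY="0.0.0.0/0"
LNET="192.168.124.4/255.255.255.0"   # host/mask notation as in the post

# ip_to_int 192.168.124.4 -> 3232267268
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_to_int accepts a prefix length (8) or a dotted mask (255.255.255.0)
mask_to_int() {
    case "$1" in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# in_net IP NET/MASK -> succeeds when IP falls inside NET/MASK; both sides are
# masked, so 192.168.124.4/255.255.255.0 matches every host in 192.168.124.0/24
in_net() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _mask=$(mask_to_int "${2#*/}")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# input_verdict IFACE SRC DST -> prints the verdict the posted -I rules give,
# in rule order (first match wins), falling back to the "-I -p accept" policy
input_verdict() {
    if [ "$1" = ppp0 ]; then           # $INET is "-W ppp0" in the post
        # Anti-spoofing: a local-net source must never arrive from the Internet
        if in_net "$2" "$LNET"; then echo deny; return 0; fi
        # RFC1597 private ranges are denied as source or as destination
        for _n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
            if in_net "$2" "$_n" || in_net "$3" "$_n"; then
                echo deny; return 0
            fi
        done
    fi
    echo accept
}

input_verdict ppp0 192.168.124.7 1.2.3.4    # deny  (spoofed local source)
input_verdict ppp0 1.2.3.4 5.6.7.8          # accept (ordinary Internet packet)
```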