2.1.102: ipchains: REJECT does only DENY

Steffen Zahn (zahn@berlin.snafu.de)
Sat, 16 May 1998 12:39:42 +0200


Hello,

I upgraded to Linux 2.1.102 and to the new ipchains 1.3.2
tools. Previously I used the old ipfwadm.

I use masquerading and also the firewall features.

I have set up all computers to use the nameserver at my ISP.
If I am not connected to the ISP my masquerading client gets
its DNS calls rejected at the masquerading server. This is done
because otherwise tools like netscape would try over and over
to access the nameserver.

The above setup worked with the old ipfwadm and firewall code,
but has a problem with ipchains. The client never gets a negative ack.
The nameserver is berlin.snafu.de (194.64.64.1). The client
is taliesin(192.168.0.2). The server is zahn(192.168.0.1).

tcpdump while the DNS calls are coming from the client:

tcpdump: listening on eth0
09:20:52.630076 arp who-has taliesin tell zahn
09:20:52.630281 arp reply taliesin is-at 0:60:97:b4:8:52
09:20:58.767107 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:03.776333 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:13.786112 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:18.785693 arp who-has zahn tell taliesin
09:21:18.785800 arp reply zahn is-at 0:60:97:b4:8:83
09:21:22.376418 taliesin.1039 > berlin.snafu.de.nameserver: 14467+ (32)

8 packets received by filter
0 packets dropped by kernel

syslog messages at the same time:

May 16 10:20:50 zahn vmunix: eth0: Setting promiscuous mode.
May 16 10:20:50 zahn vmunix: device eth0 entered promiscuous mode
May 16 10:20:58 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1038 194.64.64.1:53 L=60 S=0x00 I=382 F=0x0000 T=64
May 16 10:21:03 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1038 194.64.64.1:53 L=60 S=0x00 I=383 F=0x0000 T=64
May 16 10:21:13 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1038 194.64.64.1:53 L=60 S=0x00 I=384 F=0x0000 T=64
May 16 10:21:22 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1039 194.64.64.1:53 L=60 S=0x00 I=385 F=0x0000 T=64
May 16 10:21:23 zahn vmunix: eth0: Setting promiscuous mode.

So the firewall thinks that it does REJECT, but in fact it does not happen;
it looks more like a DENY, i.e. the packets are silently dropped.

The old ipfwadm is: ipfwadm 2.3.0, 1996/07/30
ipchains is: ipchains 1.3.2, 29-Mar-1998

ipchains-save in the case when I am NOT connected to the ISP:

:input ACCEPT
:forward REJECT
:output ACCEPT
Saving `input'.
-A input -s 0.0.0.0/0.0.0.0 -d 194.64.64.1/255.255.255.255 -j 0 REJECT -l
Saving `forward'.
-A forward -s 192.168.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j 0 REJECT -l

ipchains-save in the case when I AM connected to the ISP (for completeness):

:input ACCEPT
:forward REJECT
:output ACCEPT
Saving `forward'.
-A forward -s 192.168.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j 0 MASQ

If more details are needed I will provide them.
I compiled with egcs-1.0.2, the LAN is based on 3c905 cards, driver
3c59x.c:v0.99C 4/26/98 Donald Becker.

Regards
Steffen

-- 
home email:  user@domain where domain=berlin.snafu.de, user=zahn
Use of my address for unsolicited commercial advertising is forbidden.
      2^3021377 - 1     |     "Where do you want to crash today?"

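The observation in the post is that a REJECT rule logs as REJECT but the sender never receives an ICMP unreachable, so it is indistinguishable from DENY on the wire. The following is an added example (not code from the post or from the ipchains project) that automates that check: it parses the kernel's "Packet log: ... REJECT ..." syslog lines and a tcpdump capture, and flags every REJECTed packet for which no ICMP unreachable went back to the sender. The host-to-address mapping and the syslog/tcpdump lines come from the post; the format of the ICMP port-unreachable line (`zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable`) and the "working" capture that contains such lines are constructed for this example and are assumptions, not output from the author's system.

```python
"""Correlate ipchains 'Packet log' REJECT entries with ICMP unreachables in tcpdump.

Added example; not part of the original post. A REJECT that produced no ICMP
unreachable back to the sender is reported as behaving like DENY.
"""
import re

# Name <-> address mapping as stated in the post (tcpdump prints names).
HOSTS = {
    "taliesin": "192.168.0.2",
    "zahn": "192.168.0.1",
    "berlin.snafu.de": "194.64.64.1",
}
# tcpdump prints well-known port names; "nameserver" is UDP/TCP 53.
PORT_NAMES = {"nameserver": 53, "domain": 53}

# Matches the kernel's ipchains log format shown in the post.
PKTLOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# ASSUMED format of a tcpdump ICMP port-unreachable line (constructed, not from the post).
ICMP_UNREACH_RE = re.compile(
    r"^\S+ (?P<from>[^:\s]+) > (?P<to>[^:\s]+): icmp: (?P<orig_dst>\S+) "
    r"(?P<proto>udp|tcp) port (?P<port>\S+) unreachable"
)


def parse_packet_log(lines):
    """Return one dict per 'Packet log' line whose target is REJECT."""
    out = []
    for line in lines:
        m = PKTLOG_RE.search(line)
        if m and m.group("target") == "REJECT":
            out.append({"chain": m.group("chain"), "proto": int(m.group("proto")),
                        "src": m.group("src"), "sport": int(m.group("sport")),
                        "dst": m.group("dst"), "dport": int(m.group("dport"))})
    return out


def _port_number(name):
    return int(name) if name.isdigit() else PORT_NAMES.get(name)


def parse_icmp_unreachables(lines):
    """Return ICMP unreachables from a tcpdump capture, names resolved to addresses."""
    out = []
    for line in lines:
        m = ICMP_UNREACH_RE.match(line)
        if m:
            out.append({"to": HOSTS.get(m.group("to"), m.group("to")),
                        "orig_dst": HOSTS.get(m.group("orig_dst"), m.group("orig_dst")),
                        "proto": 17 if m.group("proto") == "udp" else 6,
                        "port": _port_number(m.group("port"))})
    return out


def check_rejects(pktlog_lines, tcpdump_lines):
    """Pair each logged REJECT with one ICMP unreachable sent back to its source.

    Every ICMP message is consumed by at most one REJECT, so a single stray
    unreachable cannot make four silently dropped queries look answered.
    """
    rejects = parse_packet_log(pktlog_lines)
    unreach = parse_icmp_unreachables(tcpdump_lines)
    used = [False] * len(unreach)
    results = []
    for r in rejects:
        answered = False
        for i, u in enumerate(unreach):
            if not used[i] and u["to"] == r["src"] and u["orig_dst"] == r["dst"] \
                    and u["proto"] == r["proto"] and u["port"] == r["dport"]:
                used[i] = answered = True
                break
        results.append({**r, "answered": answered})
    return results


def summarize(results):
    """Return (number of REJECTs logged, number with no ICMP unreachable seen)."""
    return len(results), sum(1 for r in results if not r["answered"])


# Sample input: syslog and tcpdump lines taken from the post.
SYSLOG_FROM_POST = """\
May 16 10:20:58 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1038 194.64.64.1:53 L=60 S=0x00 I=382 F=0x0000 T=64
May 16 10:21:03 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1038 194.64.64.1:53 L=60 S=0x00 I=383 F=0x0000 T=64
May 16 10:21:13 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1038 194.64.64.1:53 L=60 S=0x00 I=384 F=0x0000 T=64
May 16 10:21:22 zahn vmunix: Packet log: input REJECT eth0 PROTO=17 192.168.0.2:1039 194.64.64.1:53 L=60 S=0x00 I=385 F=0x0000 T=64
""".splitlines()

TCPDUMP_FROM_POST = """\
09:20:52.630076 arp who-has taliesin tell zahn
09:20:52.630281 arp reply taliesin is-at 0:60:97:b4:8:52
09:20:58.767107 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:03.776333 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:13.786112 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:22.376418 taliesin.1039 > berlin.snafu.de.nameserver: 14467+ (32)
""".splitlines()

# CONSTRUCTED capture: what the same exchange would look like if REJECT worked.
TCPDUMP_WORKING = """\
09:20:58.767107 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:20:58.767300 zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable
09:21:03.776333 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:03.776500 zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable
09:21:13.786112 taliesin.1038 > berlin.snafu.de.nameserver: 5703+ (32)
09:21:13.786300 zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable
09:21:22.376418 taliesin.1039 > berlin.snafu.de.nameserver: 14467+ (32)
09:21:22.376600 zahn > taliesin: icmp: berlin.snafu.de udp port nameserver unreachable
""".splitlines()

if __name__ == "__main__":
    for label, cap in (("capture from the post", TCPDUMP_FROM_POST),
                       ("constructed working REJECT", TCPDUMP_WORKING)):
        total, silent = summarize(check_rejects(SYSLOG_FROM_POST, cap))
        print(f"{label}: {total} REJECTs logged, {silent} with no ICMP unreachable (DENY-like)")
```

On the post's own capture every one of the four logged REJECTs is unanswered, which is exactly the REJECT-behaves-like-DENY symptom; the constructed capture shows the zero-unanswered result a working REJECT should give. Note that the syslog and tcpdump clocks in the post differ by an hour, so the matching deliberately keys on addresses, protocol and port rather than on timestamps.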