[plug] Query about gateway computer settings

Bret Busby bret.busby at gmail.com
Wed Mar 30 13:59:41 WST 2011


On 25/03/2011, Peter <demo9 at gswd.com> wrote:
> On 24/03/11 22:52, Bret Busby wrote:
>> ------- snip ---------
>> Okay.
>>
>> My /etc/network/interfaces files are below.
>>
>> .......
>>
>> Workstation
>>
>> :~$ cat /etc/network/interfaces
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> # The primary network interface
>> allow-hotplug eth0
>> iface eth0 inet static
>> 	address 192.168.2.95
>> 	netmask 255.255.255.0
>> 	network 192.168.2.0
>> 	broadcast 192.168.2.255
>> 	gateway 192.168.2.1
>> 	# dns-* options are implemented by the resolvconf package, if installed
>> 	dns-nameservers 192.168.2.1 192.168.2.11
>> 	dns-search busby.net
>>
>> auto eth0
>> ................
>>
>> Gateway Computer
>>
>>
>> :~# cat /etc/network/interfaces
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> iface eth0 inet static
>> address 192.168.2.1
>> netmask 255.255.255.0
>> gateway 10.1.1.2
>>
>
> Is this a typo?   "gateway 10.1.1.2"  ???
>
> P.
>
>
>> auto eth0
>>
>> iface eth1 inet static
>> address 10.1.1.3
>> netmask 255.255.255.0
>> gateway 10.1.1.1
>>
>> auto eth1
>>
>> ...............
>>
>> The LAN NIC on the gateway computer, is 192.168.2.1
>>
>> The NIC that interfaces to the ADSL modem is 10.1.1.3
>>
>> The ADSL modem (the same for each modem) is 10.1.1.1
>>
>> So, what do I need to change?
>>
>> Thank you in anticipation.
>>
>

Hello, Peter.

I have installed Firestarter, and have not had much luck with support,
on the Firestarter mailing list.

I do not know whether you are subscribed to that list, but, if you
are, you will have seen my postings, and the responses.

The message that I have sent to that list, that contains the latest
details, is below.

Assistance in getting this working, would be appreciated.

Thank you in anticipation.

-- 
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................
On 28/03/2011, Mark L. Wise <mark at alpha2.com> wrote:
>
> It appears to me that the internal/external interfaces are backwards in your
> configuration file.  Swap eth1 and eth0 there and restart firestarter...
>
> Mark
> Sent from my Verizon Wireless Phone
>
> Bret Busby <bret.busby at gmail.com> wrote:
>
>>On 26/03/2011, Mark L. Wise <mark at alpha2.com> wrote:
>>>
>>>
>>> On 3/25/2011 4:49 PM, Bret Busby wrote:
>>>> On 26/03/2011, Mark L. Wise<mark at alpha2.com>  wrote:
>>>>> Are you using the GUI to maintain Firestarter, or the CLI?
>>>>>
>>>>> Setting the LAN side IP address is done in Linux, not firestarter.  You
>>>>> can set both the eth0 and eth1 interfaces to whatever IP address you
>>>>> want.  Firestarter uses this information to do its job.
>>>>>
>>>>> Set the LAN side (usually eth1) to 192.168.2.1 with a 24 bit mask
>>>>> (/24).
>>>>>    Any devices on that LAN then can have addresses in the range
>>>>> 192.168.2.<2-255>
>>>>>
>>>>> As for the eth0 side, the 10.1.1.3 MAY be a problem.  Check in
>>>>> /etc/firestarter/non-routables to see if this address is in there.  If
>>>>> so, just remove that line and restart firestarter, OR in
>>>>> /etc/firestarter/configuration, turn off non-routable processing.
>>>>>
>>>>> I hope this helps!
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>> On 3/25/2011 2:58 PM, Bret Busby wrote:
>>>>>> Hello.
>>>>>>
>>>>>> I have just installed Firestarter, and have tried to set it up.
>>>>>>
>>>>>> In the documentation, for using static IP addresses for the LAN side,
>>>>>> the
>>>>>> range
>>>>>> "192.168.0.2 to 192.168.0.254"
>>>>>> is specified.
>>>>>>
>>>>>> Is it possible to instead use the range 192.168.2.x, and, if so, how
>>>>>> is that to be set?
>>>>>>
>>>>>> Also, the firewall/gateway computer has the NIC that interfaces to the
>>>>>> modem, set at 10.1.1.3. Is that compatible with Firestarter? The
>>>>>> network between that NIC and the modem, involves DHCP (the modem
>>>>>> allows reserved IP addresses), and having the IP so set for that NIC,
>>>>>> has worked so far, in that computer connecting to the Internet.
>>>>>>
>>>>>> Thank you in anticipation.
>>>>>>
>>>>>
>>>>
>>>> Hello.
>>>>
>>>> Thank you for your response.
>>>>
>>>> I had used the GUI for accessing Firestarter.
>>>>
>>>> Prior to installing and setting up Firestarter, I had been able to ssh
>>>> into the firewall/gateway computer from both sides; from the LAN side,
>>>> using the 192.168.2.1 eth0 LAN NIC on the firewall/gateway computer,
>>>> from my workstation, and, from the modem side, using the 10.1.1.3 eth1
>>>> outgoing NIC on the gateway computer, using this workstation (which is
>>>> subject to DHCP within the 10.1.1.x network).
>>>>
>>>> Now, I cannot ssh into the firewall/gateway computer, using the
>>>> 192.168.2.1 NIC, from my workstation, but I can ssh into the
>>>> firewall/gateway computer, via the 10.1.1.3 NIC, from this workstation
>>>> (and, as before, can then telnet into my workstation within the
>>>> 192.168.2.x LAN), so I had assumed that it was something to do with
>>>> the documentation specifying the 192.168.0.x IP address range.
>>>>
>>>> My workstation (and also this workstation) had not been in the
>>>> /etc/hosts table on the firewall/gateway computer, so I added my
>>>> workstation to the /etc/hosts table, but it did not make any
>>>> difference to not being able to ssh into the firewall/gateway
>>>> computer.
>>>>
>>>> I could not find within the GUI's (for either the Setup Wizard or the
>>>> main GUI), a means of allowing functionality such as ssh from within
>>>> specified IP address ranges (such as 192.168.2.x), to separate
>>>> requests from the LAN, from requests from the Internet.
>>>>
>>>
>>> I usually maintain the rules directly in the files
>>> /etc/firestarter/inbound
>>>
>>> There are two files there... allow-from and allow-service.  I would set
>>> up in /etc/firestarter/inbound/allow-from a rule for 192.168.2/24 to
>>> access all ports/services.
>>>
>>> i.e.
>>>
>>> 192.168.2.0/24, Allow all outbound connections from LAN
>>>
>>> However, it is possible, based on your description, that you have the
>>> firewall protecting the LAN instead of the WAN, since the default rule
>>> is to allow internal LAN connections.
>>>
>>> Make sure that you have properly specified the LAN as the 192.168.2.0/24
>>> side.
>>>
>>> Mark
>>>
>>>
>>> --
>>> Mark L. Wise
>>>
>>
>>Okay.
>>
>>As this apparently needs to be done at the command line level,...
>>
>>1. In the non-routables file, neither the 10.1.1.x nor the 192.168.2.x
>>ranges are listed.
>>
>>"
>>:~# cat /etc/firestarter/non-routables | grep "192.168"
>>192.168.0.0/16
>>"
>>
>>"
>>:~# cat /etc/firestarter/non-routables | grep "10.1"
>>"
>>(null response; not found)
>>
>>
>>2. Regarding the /etc/firestarter/inbound/allow-from file. That file
>>was empty. It also had 440 (I can't think of the name) privilege
>>access thing. I had to use chmod to change it to 640, so I could
>>modify it. I inserted both the 192.168.2.0/24 range and 10.1.1.2 (this
>>computer) in that file.
>>
>>I then saved the file.
>>
>>I then, using the Firestarter GUI, stopped the firewall, then started
>>the firewall.
>>
>>I can ping but not ssh into, the LAN NIC (192.168.2.1) from my
>>workstation (192.168.2.95).
>>
>>I can ping and ssh into the WAN NIC (10.1.1.3) from this computer
>> (10.1.1.2).
>>
>>So, adding the IP address value range for the LAN, to the
>>/etc/firestarter/inbound/allow-from file, still leaves my workstation
>>unable to ssh into the LAN NIC on the gateway/firewall computer.
>>
>>3. The /etc/firestarter/inbound directory shows, for ls -al;
>>
>>"
>>ls -al /etc/firestarter/inbound
>>total 28
>>drwx------ 2 root root  4096 2011-03-26 18:50 .
>>drwxr-xr-x 4 root root  4096 2011-03-26 18:29 ..
>>-rw-r----- 1 root root    25 2011-03-26 18:41 allow-from
>>-rw------- 1 root root 12288 2011-03-26 18:33 .allow-from.swp
>>-r--r----- 1 root root     0 2011-03-24 06:55 allow-service
>>-r--r----- 1 root root     0 2011-03-24 06:55 forward
>>-r--r----- 1 root root  1114 2011-03-24 07:01 setup
>>"
>>
>>which shows the files allow-service and forward, to be empty.
>>
>>What do I need to put into them, to get it working, to allow the
>>192.168.2.x LAN IP range, to be able to
>>1) ssh into the computer, via the 192.168.2.1 LAN NIC, and
>>2) be able to access the computer, via the 192.168.2.1 LAN NIC, using
>>a web browser to go past the computer onto the Internet, and
>>3) be able to ping the modem at 10.1.1.1
>>?
>>
>>4. The configuration file has the following content:
>>
>>"
>>:~# cat /etc/firestarter/configuration
>>#-----------( Firestarter Configuration File )-----------#
>>
>># --(External Interface)--
>># Name of external network interface
>>IF="eth1"
>># Network interface is a PPP link
>>EXT_PPP="off"
>>
>># --(Internal Interface--)
>># Name of internal network interface
>>INIF="eth0"
>>
>># --(Network Address Translation)--
>># Enable NAT
>>NAT="on"
>># Enable DHCP server for NAT clients
>>DHCP_SERVER="off"
>># Forward server's DNS settings to clients in DHCP lease
>>DHCP_DYNAMIC_DNS="on"
>>
>># --(Inbound Traffic)--
>># Packet rejection method
>>#   DROP:   Ignore the packet
>>#   REJECT: Send back an error packet in response
>>STOP_TARGET="DROP"
>>
>># --(Outbound Traffic)--
>># Default Outbound Traffic Policy
>>#   permissive: everything not denied is allowed
>>#   restrictive everything not allowed is denied
>>OUTBOUND_POLICY="permissive"
>>
>># --(Type of Service)--
>># Enable ToS filtering
>>FILTER_TOS="off"
>># Apply ToS to typical client tasks such as SSH and HTTP
>>TOS_CLIENT="off"
>># Apply ToS to typical server tasks such as SSH, HTTP, HTTPS and POP3
>>TOS_SERVER="off"
>># Apply ToS to Remote X server connections
>>TOS_X="off"
>># ToS parameters
>>#   4:  Maximize Reliability
>>#   8:  Maximize-Throughput
>>#   16: Minimize-Delay
>>TOSOPT=8
>>
>># --(ICMP Filtering)--
>># Enable ICMP filtering
>>FILTER_ICMP="off"
>># Allow Echo requests
>>ICMP_ECHO_REQUEST="off"
>># Allow Echo replies
>>ICMP_ECHO_REPLY="off"
>># Allow Traceroute requests
>>ICMP_TRACEROUTE="off"
>># Allow MS Traceroute Requests
>>ICMP_MSTRACEROUTE="off"
>># Allow Unreachable Requests
>>ICMP_UNREACHABLE="off"
>># Allow Timestamping Requests
>>ICMP_TIMESTAMPING="off"
>># Allow Address Masking Requests
>>ICMP_MASKING="off"
>># Allow Redirection Requests
>>ICMP_REDIRECTION="off"
>># Allow Source Quench Requests
>>ICMP_SOURCE_QUENCHES="off"
>>
>># --(Broadcast Traffic)--
>># Block external broadcast traffic
>>BLOCK_EXTERNAL_BROADCAST="on"
>># Block internal broadcast traffic
>>BLOCK_INTERNAL_BROADCAST="off"
>>
>># --(Traffic Validation)--
>># Block non-routable traffic on the public interfaces
>>BLOCK_NON_ROUTABLES="off"
>>
>># --(Logging)--
>># System log level
>>LOG_LEVEL=info
>>"
>>
>>How do I need to modify that, to get it working?
>>
>>5. The /etc/firestarter/outbound directory has the following listing;
>>
>>"
>>:~#  ls -al /etc/firestarter/outbound
>>total 12
>>drwx------ 2 root root 4096 2011-03-24 06:55 .
>>drwxr-xr-x 4 root root 4096 2011-03-26 18:29 ..
>>-r--r----- 1 root root    0 2011-03-24 06:55 allow-from
>>-r--r----- 1 root root    0 2011-03-24 06:55 allow-service
>>-r--r----- 1 root root    0 2011-03-24 06:55 allow-to
>>-r--r----- 1 root root    0 2011-03-24 06:55 deny-from
>>-r--r----- 1 root root    0 2011-03-24 06:55 deny-service
>>-r--r----- 1 root root    0 2011-03-24 06:55 deny-to
>>-r--r----- 1 root root 1825 2011-03-24 07:01 setup
>>"
>>
>>What values do I need to put in which files, there, to get it working,
>>to allow the computers in the 192.168.2.x LAN, access to the Internet?
>>
>>Thank you in anticipation.
>>
>>--
>>Bret Busby
>>Armadale
>>West Australia
>>..............



The IP addresses of the two NICs should be irrelevant - they work,
with my workstation within the 192.168.2.x LAN, successfully
communicating with the gateway/firewall computer, via the eth0 NIC set
at 192.168.2.1.

In trying a possibility, I inserted into the
/etc/firestarter/inbound/forwarding file, 192.168.2.0/24 , and stopped
then started Firestarter.

I can now, for the first time since the electricity failure / ISP
sabotage of my Internet connection, ping the IP address of the modem.

So, with inserting the IP address range of the internal LAN, into the
/etc/firestarter/inbound/forwarding file, I can now reach the ADSL
modem from my workstation.

But, what values do I need to insert into what files, to allow access
to the Internet, and, to allow me to send web page requests, and,
receive the web pages from the Internet?

-- 
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................
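Peter's question about `gateway 10.1.1.2` on eth0 and Mark's suspicion that the internal and external interfaces are swapped come down to the same check: which interface carries the default route, and whether Firestarter's IF/INIF roles agree with it. The Python below is an added example, not code from the thread or from Firestarter; it parses the gateway computer's interfaces stanzas as quoted above (copied into the script) together with the two Firestarter role settings, and reports the inconsistencies a defender would want flagged before trusting the firewall's LAN/WAN split.

```python
import ipaddress
import re

# The gateway computer's /etc/network/interfaces as quoted in the thread (static stanzas only).
GATEWAY_INTERFACES = """
iface eth0 inet static
address 192.168.2.1
netmask 255.255.255.0
gateway 10.1.1.2
iface eth1 inet static
address 10.1.1.3
netmask 255.255.255.0
gateway 10.1.1.1
"""
# The two /etc/firestarter/configuration values that assign interface roles.
FIRESTARTER = {"IF": "eth1", "INIF": "eth0"}


def parse_interfaces(text):
    """Return {iface: {option: value}} for each 'iface <name> inet static' stanza."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("#", "auto", "allow-")):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+static", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current and " " in line:
            key, value = line.split(None, 1)
            stanzas[current][key] = value
    return stanzas


def check_gateway(stanzas, fs):
    """Flag ambiguous default routes and a gateway line on the wrong Firestarter interface."""
    findings, with_gw = [], {}
    for name, opts in stanzas.items():
        net = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
        gw = opts.get("gateway")
        if gw:
            with_gw[name] = gw
            if ipaddress.ip_address(gw) not in net:
                findings.append(f"{name}: gateway {gw} is outside its own subnet {net}")
    if len(with_gw) > 1:  # two default routes: which one is installed depends on bring-up order
        findings.append("more than one default gateway: " + ", ".join(f"{k}={v}" for k, v in with_gw.items()))
    if fs["IF"] not in with_gw:
        findings.append(f"Firestarter IF={fs['IF']} (external) has no gateway line")
    if fs["INIF"] in with_gw:
        findings.append(f"Firestarter INIF={fs['INIF']} (internal) carries a gateway line; only IF should")
    return findings
```

Run against the quoted config it reports three findings; removing the `gateway 10.1.1.2` line from eth0 leaves eth1 as the only default route and the report comes back empty.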
