On 14/11/2016 at 00:48, deloptes wrote:
Pascal Hambourg wrote:
Well then, all I can suggest is to run a packet capture and try to see
what's going on.
I guess you mean on the firewall?
Yes.
Henning Follmann wrote:
> Last time I chime in here.
> I understand growth and chaos, believe me. However sometimes we need a
> nudge or a kick in the butt to clean up. Maybe this is your call.
It has been kicking me and calling me for some time but I cannot do this before
next summer. I have to sit
On Mon, Nov 14, 2016 at 12:45:20AM +0100, deloptes wrote:
> Henning wrote:
>
> > And usually there is no reason for two separate rfc1918 address ranges.
> > Pick one matching your address space needs and design subnets.
> > There is only one single reason for nat: you have more hosts than routable
deloptes wrote:
> Igor Cicimov wrote:
>
>> Run tcpdump and check what's happening
>
> That is strange - I will look into this direction - let me know if you
> have any ideas
>
> regards
>
>
> tcpdump -vvv dst 10.0.0.7
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65
Igor Cicimov wrote:
> Run tcpdump and check what's happening
That is strange - I will look into this direction - let me know if you have
any ideas
regards
tcpdump -vvv dst 10.0.0.7
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:07:11.591763 ARP, Ethernet (l
On 13 Nov 2016 11:20 am, "deloptes" wrote:
>
> Joe wrote:
>
> > On Sat, 12 Nov 2016 22:15:45 +0100
> > deloptes wrote:
> >
> >> Hi,
> >> I need some help and I'll appreciate it.
> >>
> >> I have a firewall with iptables behind the modem.
> >> on this firewall I have
> >> eth0 with ip 10..
On 14 Nov 2016 12:50 am, "Pascal Hambourg" wrote:
>
> On 13/11/2016 at 13:37, Joe wrote:
>>>
>>>
>>> PPTP rather falls into the "complex protocols" described below.
>>
>>
>> Exactly so. You wouldn't believe how many routers of ten years ago or
>> so didn't handle it properly, at least with their
Pascal Hambourg wrote:
> Well then, all I can suggest is to run a packet capture and try to see
> what's going on.
I guess you mean on the firewall? I am not even sure I can install tcpdump
there, but I will try and ask again for help here for sure
thanks
Henning wrote:
> And usually there is no reason for two separate rfc1918 address ranges.
> Pick one matching your address space needs and design subnets.
> There is only one single reason for nat: you have more hosts than routable
> ip addresses. I guess 10.0.0.0 meets even the biggest organizatio
> On Nov 13, 2016, at 5:19 PM, Pascal Hambourg wrote:
>
>> On 13/11/2016 at 22:27, Henning wrote:
>> I followed this thread and i wonder if there is a sane reason why you do nat
>> inside your network. Why don't you just route between different subnets i.e.
>> 10.0.1.0/24 and 10.0.2.0/24
>
On 13/11/2016 at 21:43, deloptes wrote:
Pascal Hambourg wrote:
replace 10.0.0.1/32 with 10.0.0.0/24 it does not work
You should double check that.
I checked replaced 10.0.0.1/32 with 10.0.0.0/24.
Just insert this rule and check whether it changes anything:
iptables -I FORWARD -j ACCEP
On 13/11/2016 at 22:27, Henning wrote:
I followed this thread and i wonder if there is a sane reason why you do nat
inside your network. Why don't you just route between different subnets i.e.
10.0.1.0/24 and 10.0.2.0/24
Probably because the modem and hosts in 10.0.0.0/24 don't know about
I followed this thread and i wonder if there is a sane reason why you do nat
inside your network. Why don't you just route between different subnets i.e.
10.0.1.0/24 and 10.0.2.0/24
you still can have a firewall between those subnets
-H
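Henning's suggestion in concrete form, as an added example that is not part of the thread and not the original poster's ruleset: two RFC 1918 subnets routed through the firewall, with the policy enforced in the FORWARD chain instead of NAT inside the LAN. The interface names, subnets, allowed ports and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): route between two RFC 1918 subnets and
# filter in FORWARD instead of NATing inside the LAN.
# Assumed topology: eth1 = 10.0.1.0/24, eth2 = 10.0.2.0/24 (eth0 = uplink).
# DRY_RUN=1 (the default) prints the commands so the ruleset can be reviewed
# anywhere; DRY_RUN=0 applies them and must run as root.
DRY_RUN="${DRY_RUN:-1}"
LAN1_IF=eth1; LAN1_NET=10.0.1.0/24
LAN2_IF=eth2; LAN2_NET=10.0.2.0/24

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

build_forward_rules() {
    # Routing between subnets needs forwarding on; the hosts must also use
    # this box as their gateway (or carry a route for the other subnet).
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny; every crossing below is an explicit exception.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies to allowed connections, in either direction.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: what arrives on eth1 must carry a 10.0.1.0/24 source.
    ipt -A FORWARD -i "$LAN1_IF" ! -s "$LAN1_NET" -j DROP
    ipt -A FORWARD -i "$LAN2_IF" ! -s "$LAN2_NET" -j DROP
    # 10.0.1.0/24 may open SSH and HTTPS to 10.0.2.0/24; nothing else crosses.
    ipt -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -s "$LAN1_NET" -d "$LAN2_NET" \
        -p tcp -m multiport --dports 22,443 -m conntrack --ctstate NEW -j ACCEPT
    # Log (rate limited) what falls through to the DROP policy, so that a
    # "does not work" report comes with evidence instead of guesswork.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Dry-run self-check: number of rules appended to FORWARD.
count_forward_rules() { build_forward_rules | grep -c '^iptables -A FORWARD'; }

build_forward_rules
```

To see which rule a packet actually hits, `iptables -L FORWARD -v -n` shows per-rule packet counters; a counter that stays at zero while the LOG line fires points at the rule to inspect, and `tcpdump -ni eth1` alongside `tcpdump -ni eth2` shows whether packets arrive on one side and leave on the other at all, which is the packet capture Pascal asks for above.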
Pascal Hambourg wrote:
>> replace 10.0.0.1/32 with 10.0.0.0/24 it does not work
>
> You should double check that.
>
I checked replaced 10.0.0.1/32 with 10.0.0.0/24.
>>> This ruleset does not need improvements but a total rewrite.
>>
>> Yes I was thinking the same, I'll put it on the TODO. I ev
On 13/11/2016 at 20:40, deloptes wrote:
Pascal Hambourg wrote:
Did you check the routing table on the firewall and the targets ? Do
they have a route to all the 10.0.0.0/24 range ?
the one I posted is on the firewall - firewall is the one I am trying to
modify.
The one you posted ? I didn
Pascal Hambourg wrote:
> On 13/11/2016 at 16:05, deloptes wrote:
>>
>> These are the rules - a friend created this like 10y ago. I added few
>> rules to forward ports from outside to the intranet and to be able to
>> handle VPN.
>> You can ignore 192.168.60.1 on eth2 - not used.
>
> IMO, this
On 13/11/2016 at 16:05, deloptes wrote:
These are the rules - a friend created this like 10y ago. I added few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore 192.168.60.1 on eth2 - not used.
IMO, this ruleset is totally insane.
However, afte
Michael Milliman wrote:
> Again, posting the exact ruleset would be helpful.
These are the rules - a friend created this like 10y ago. I added few rules
to forward ports from outside to the intranet and to be able to handle VPN.
You can ignore 192.168.60.1 on eth2 - not used.
Another important
On 13/11/2016 at 13:37, Joe wrote:
PPTP rather falls into the "complex protocols" described below.
Exactly so. You wouldn't believe how many routers of ten years ago or
so didn't handle it properly, at least with their initial firmware. But
Why wouldn't I? Knowing how NAT is tricky, I am
On Sun, 13 Nov 2016 11:29:48 +0100
Pascal Hambourg wrote:
> On 13/11/2016 at 11:09, Joe wrote:
> > Pascal Hambourg wrote:
> >
> >> On 12/11/2016 at 23:32, Joe wrote:
> >>>
> >>> The SNAT should not be an issue, it can handle all protocols
> >>> transparently
> >>
> >> No it cannot. NAT
On 11/12/2016 06:19 PM, deloptes wrote:
Joe wrote:
On Sat, 12 Nov 2016 22:15:45 +0100
deloptes wrote:
Hi,
I need some help and I'll appreciate it.
I have a firewall with iptables behind the modem.
on this firewall I have
eth0 with ip 10..1 to the modem ip: 10..12
eth1 wi
On 13/11/2016 at 11:09, Joe wrote:
Pascal Hambourg wrote:
On 12/11/2016 at 23:32, Joe wrote:
The SNAT should not be an issue, it can handle all protocols
transparently
No it cannot. NAT is not possible with some IP protocols. Plain IPSec
(without NAT-T encapsulation) is the first one t
On Sun, 13 Nov 2016 10:35:29 +0100
Pascal Hambourg wrote:
> On 12/11/2016 at 23:32, Joe wrote:
> >
> > The SNAT should not be an issue, it can handle all protocols
> > transparently
>
> No it cannot. NAT is not possible with some IP protocols. Plain IPSec
> (without NAT-T encapsulation) is
On 13/11/2016 at 01:19, deloptes wrote:
Yes, it is not working
How is it not working? What do you do and what happens?
From one computer ip 10..6 I can ssh to 10..7 and vv.
That does not concern the firewall between the modem and the LAN.
I also see that iptables forwards to the outp
On 12/11/2016 at 23:32, Joe wrote:
The SNAT should not be an issue, it can handle all protocols
transparently
No it cannot. NAT is not possible with some IP protocols. Plain IPSec
(without NAT-T encapsulation) is the first one that comes in mind.
Also many complex protocols such as FTP or
Joe wrote:
> On Sat, 12 Nov 2016 22:15:45 +0100
> deloptes wrote:
>
>> Hi,
>> I need some help and I'll appreciate it.
>>
>> I have a firewall with iptables behind the modem.
>> on this firewall I have
>> eth0 with ip 10..1 to the modem ip: 10..12
>> eth1 with ip 192..1 to the i
On Sat, 12 Nov 2016 22:15:45 +0100
deloptes wrote:
> Hi,
> I need some help and I'll appreciate it.
>
> I have a firewall with iptables behind the modem.
> on this firewall I have
> eth0 with ip 10..1 to the modem ip: 10..12
> eth1 with ip 192..1 to the intranet
>
> iptables is
Erwan David wrote:
> On 09/11/2013 at 23:06, Shawn Wilson wrote:
>> Redhat has something called firewalld which generates rules based on
>> zones. I don't use it because using dbus to help manage rules scares
>> me. But it's there and could be what you want.
>>
>>
> I use fwbuilder which helps to def
On 09/11/2013 at 23:06, Shawn Wilson wrote:
> Redhat has something called firewalld which generates rules based on zones. I
> don't use it because using dbus to help manage rules scares me. But it's
> there and could be what you want.
>
>
I use fwbuilder which helps to define elaborate rules;
Shawn Wilson wrote:
>
> Pascal Hambourg wrote:
>>
>> Unless recent change I am not aware of, you cannot specify an address
>> range in -s or -d. You must use the "iprange" match instead (or ipset if
>> your kernel supports it).
>
> Also, idk any way to match interface with ipset
I did not su
Pascal Hambourg wrote:
> Hello,
>
> Bill.M wrote:
>>
>> In IPTables one can specify multiple addresses, and multiple ports, but
>> is there any way to specify multiple interfaces?
>>
>> For example, -m multiport --destination-port 22,25,80
>>
>> Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s
Hello,
Bill.M wrote:
>
> In IPTables one can specify multiple addresses, and multiple ports, but
> is there any way to specify multiple interfaces?
>
> For example, -m multiport --destination-port 22,25,80
>
> Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10
In addition to Dav
Redhat has something called firewalld which generates rules based on zones. I
don't use it because using dbus to help manage rules scares me. But it's there
and could be what you want.
David F wrote:
>On 11/09/2013 12:47 PM, Bill.M wrote:
>> But is there any way to specify both eth0 and wlan0 a
On 11/09/2013 12:47 PM, Bill.M wrote:
> But is there any way to specify both eth0 and wlan0 as equally valid
> interfaces on my laptop, depending on whether it's in my dock or on the road?
>
> For example, -i wlan0,eth0 or -o wlan0,eth0
> Is something like these possible?
* You can avoid specifying
> From: I Rattan [mailto:ratt...@cps.cmich.edu]
> Sent: Thursday, September 10, 2009 2:03 PM
>
> I asked about a modem dialin server problem. I saw
> no response, so, I rephrase it.
>
> The Linux box is connected to Internet on 141.209.169.x
>
> The dialin ppp (Linux end) ipaddr is 192.168.0.10
For firewall-related questions there's another, more specific, mailing list:
debian-firew...@lists.debian.org
Anyway, if you are using ppp to connect to your ISP, the ppp0 interface
should have a public IP address not a private one like 192.168.0.10. In
order to enable kernel ipv4 forwarding you must
On 2009-08-26 10:36 (-0400), I. Rattan wrote:
> Is it possible to restrict access by user-id
> under iptables firewall?
>
> If so, pointers to the info/example will be appreciated.
Does "man iptables" qualify as a pointer? In the "owner" module there is the
--uid-owner option.
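The match extensions raised in Bill.M's question above (several ports, an address range, two interfaces) and in I. Rattan's question about restricting by user id, as one added example that is not from either thread. The interface names, the management range, the uid and the DRY_RUN switch are assumptions. Two facts the example leans on: `-i`/`-o` take a single interface name (with an optional trailing `+` wildcard), and current iptables expands a comma-separated `-s` list into one rule per address but still needs the iprange match for a range written as `first-last`.

```shell
#!/bin/sh
# Added example (not from either thread): the match extensions asked about
# above. Assumed: a laptop with eth0 and wlan0, an SSH admin at uid 1000,
# and a management range 10.0.0.10-10.0.0.20. DRY_RUN=1 (the default)
# prints the commands; DRY_RUN=0 applies them and must run as root.
DRY_RUN="${DRY_RUN:-1}"
IFACES="eth0 wlan0"
MGMT_RANGE=10.0.0.10-10.0.0.20
ADMIN_UID=1000

ipt() { if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi; }

# -i/-o accept one name (plus a trailing "+" wildcard such as eth+), not a
# list, so "either interface" is a loop emitting one rule per interface.
allow_services_on_all_ifaces() {
    for ifc in $IFACES; do
        # multiport: a single rule instead of one per port
        ipt -A INPUT -i "$ifc" -p tcp -m multiport --dports 22,25,80 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# -s/-d take an address or CIDR prefix (current iptables also expands a
# comma-separated list into one rule per address); an arbitrary range such
# as 10.0.0.10-10.0.0.20 needs the iprange match.
allow_ssh_from_mgmt_range() {
    ipt -A INPUT -p tcp --dport 22 -m iprange --src-range "$MGMT_RANGE" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# owner only knows the socket of locally generated packets, so it is valid
# in OUTPUT (and POSTROUTING), never in INPUT or FORWARD.
restrict_outbound_ssh_to_admin() {
    ipt -A OUTPUT -p tcp --dport 22 -m owner --uid-owner "$ADMIN_UID" -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
}

build_rules() {
    allow_services_on_all_ifaces
    allow_ssh_from_mgmt_range
    restrict_outbound_ssh_to_admin
}

# Dry-run self-check: number of rules the script would append.
count_rules() { build_rules | grep -c '^iptables -A '; }

build_rules
```

The owner rules are an egress control, not an authentication mechanism: anything running as uid 1000, including a compromised browser, may open outbound SSH, so keep the allowed uid a dedicated account rather than the everyday desktop user.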
On Mon,12.Jan.09, 14:50:48, Paul Cartwright wrote:
> I used to be able to ssh to my desktop, then.. I couldn't ( sounds like my
> K3B
> issue:).
> I noticed someone else with a message about iptables, and I basically copied
> his script:
> # iptables -I INPUT -p tcp -m state --state NEW --dport
Koh Choon Lin wrote:
>>> Be careful with IMAP, though. One of my users has well over 500MB of
>>> mail on my server that she apparently doesn't know how to delete (I
>>> know, I know).
>> How can you not know how to delete? (No, seriously, I'm not tr
On Sat, 03 Jan 2009 20:49:35 -0500, Napoleon wrote:
> Justin Piszcz wrote:
>>
>>
>> On Thu, 1 Jan 2009, Napoleon wrote:
>>
>>> I'll admit I'm still pretty green at a lot of this (lots of experience
>>> in computers, little in Linux) and don't understand everything. But
>>> I'm trying to learn,
On 01/03/09 21:58, ghe wrote:
[snip]
Be careful with IMAP, though. One of my users has well over 500MB of
mail on my server that she apparently doesn't know how to delete (I
know, I know).
How can you not know how to delete? (No, seriously, I'm not trying
to be sarcastic...)
--
Ron Johnson
ghe writes:
> Be careful with IMAP, though. One of my users has well over 500MB of mail
> on my server that she apparently doesn't know how to delete (I know, I
> know).
Heh. My "user" (my wife) has about 150MB (text only) in /var/mail. Some
of it is 20 years old.
--
John Hasler
Boyd Stephen Smith Jr. wrote:
> I've recently had good luck with dovecot, which handles pop3 and pop3s.
> I'll also echo Ron's suggestion to move to IMAP, if possible, which is how I
> set up dovecot.
Dovecot also does SASL authentication for P
On Saturday 2009 January 03 19:49:35 Napoleon wrote:
> I also tried to find the support forums for qpopper, but the only ones I
> found hadn't had a post in over 2 years. So maybe I need to change pop3
> servers.
I've recently had good luck with dovecot, which handles pop3 and pop3s.
I'll als
On 01/03/09 19:49, Napoleon wrote:
[snip]
I also tried to find the support forums for qpopper, but the only ones I
found hadn't had a post in over 2 years. So maybe I need to change pop3
servers.
Unless you are running an ISP, you should really ditch POP and move
your mail to an IMAP "stor
Justin Piszcz wrote:
On Thu, 1 Jan 2009, Napoleon wrote:
I'll admit I'm still pretty green at a lot of this (lots of experience
in computers, little in Linux) and don't understand everything. But
I'm trying to learn, so please go easy on me :-)
I've been having a problem with dictionary h
On Thu, Jan 1, 2009 at 5:44 PM, David Schmidt wrote:
> Here is how I implemented it, coincidentally today :)
>
>
># Allow already established traffic
>$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT
>
># No more than 2 connection attempts per 2
>#
Here is how I implemented it, coincidentally today :)
# Allow already established traffic
$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT
# No more than 2 connection attempts per 2
# minutes to prevent brute force attacks
# log blocked at
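The "no more than 2 connection attempts per 2 minutes" idea in David's script, written out with the `recent` match as an added example (this is not David's script, whose remaining lines are cut off above). The port, window, hit count and DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not David's script): limit new SSH connections per source
# address with the "recent" match. Assumed policy: at most 2 new connections
# per source in any 120 s; the 3rd is logged and dropped. DRY_RUN=1 (the
# default) prints the commands, DRY_RUN=0 applies them and must run as root.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT=22
WINDOW=120
HITCOUNT=3   # --hitcount N fires on the Nth packet seen in WINDOW: 2 allowed = 3

ipt() { if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi; }

build_ssh_rules() {
    # Established connections first: an open session must never be counted
    # or cut off by the limiter below.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Every NEW SSH connection records its source in the list "ssh"; because
    # --set comes first, the current packet itself counts as a hit.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    # --rcheck only tests the list (used for the log line); --update also
    # refreshes the timestamp, so a client that keeps retrying stays blocked
    # until it has been quiet for WINDOW seconds.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --rcheck --seconds "$WINDOW" --hitcount "$HITCOUNT" \
        -m limit --limit 3/min -j LOG --log-prefix "SSH-LIMIT: "
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds "$WINDOW" --hitcount "$HITCOUNT" -j DROP
    # Whatever survived the limiter is a permitted new connection.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Dry-run self-check: number of rules appended to INPUT.
count_ssh_rules() { build_ssh_rules | grep -c '^iptables -A INPUT'; }

build_ssh_rules
```

The tracked sources are visible in /proc/net/xt_recent/ssh, and writing `-<address>` to that file removes one entry (a locked-out admin, for instance). The limit is per source address, so a dictionary attack spread over many addresses is barely slowed; the rules cut log noise and CPU, key-only authentication is what actually stops password guessing.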
On Thu, 1 Jan 2009, Napoleon wrote:
I'll admit I'm still pretty green at a lot of this (lots of experience in
computers, little in Linux) and don't understand everything. But I'm trying
to learn, so please go easy on me :-)
I've been having a problem with dictionary hacker attempts on my s
Napoleon a écrit :
> I'll admit I'm still pretty green at a lot of this (lots of experience
> in computers, little in Linux) and don't understand everything. But I'm
> trying to learn, so please go easy on me :-)
>
> I've been having a problem with dictionary hacker attempts on my system
> (hundr
On Mon, Apr 05, 2004 at 12:09:31PM -0500, hugo vanwoerkom wrote:
> + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
[ ... ]
> + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j
> REJECT
>
> Now I know nothing of iptables, but why can he do d
On Mon, Apr 05, 2004 at 02:08:35PM -0500, hugo vanwoerkom wrote:
> I'm trying it now with multiport + reject enabled in netfilter.
Check REJECT in /proc/net/ip_tables_targets and check for multiport
in /proc/net/ip_tables_matches. Using either loaded netfilter
modules or built-in netfilter support
hugo vanwoerkom wrote:
Hi World!
The lokkit question yesterday by Faheem Mitha prompted me to install
lokkit on Sarge.
As Dircha pointed out: it doesn't work.
All lokkit does is create a little iptables script that sits in
/etc/default/lokkit.
Then upon boot lokkit in /etc/init.d executes that
techlists wrote:
I have a box that I use for routing, it's running sid, with ipmasq on
it. It works fine for the most part. For a while I had an internal
axis webcam that was port forwarded. I used to put in the following at
the command prompt
iptables -t nat -A PREROUTING -j DNAT --proto tcp --dp
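The port-forward the post above starts to describe, completed as an added example that is not the poster's command (which is cut off). The uplink interface, the camera address and ports, and the DRY_RUN switch are assumptions. The point a DNAT-only recipe misses is step 2: the translated packet still has to be accepted by the FORWARD chain.

```shell
#!/bin/sh
# Added example (not the poster's command): forward one external TCP port to
# an internal host. Assumed: uplink eth0, webcam at 192.168.1.50:80 published
# on external port 8080. DRY_RUN=1 (the default) prints the commands,
# DRY_RUN=0 applies them and must run as root.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF=eth0
EXT_PORT=8080
CAM_IP=192.168.1.50
CAM_PORT=80

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

build_port_forward() {
    # 1. Rewrite the destination before routing. Binding the rule to the
    #    uplink and one port keeps it from catching LAN or loopback traffic.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$CAM_IP:$CAM_PORT"
    # 2. DNAT only rewrites; the packet then traverses FORWARD, which sees
    #    the translated destination. Without this rule a DROP policy on
    #    FORWARD silently eats the forwarded connection.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$CAM_IP" --dport "$CAM_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. Replies are reverse-translated by conntrack; no SNAT is needed unless
    #    LAN clients must reach the camera via the public address (hairpin).
}

# Protocols that carry addresses inside the payload (FTP, PPTP, SIP) are not
# handled by plain DNAT; the kernel conntrack/NAT helpers do that work
# (nf_conntrack_ftp/nf_nat_ftp; ip_conntrack_ftp/ip_nat_ftp on the
# 2.4/2.6-era kernels of the original post).
load_ftp_helpers() {
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
}

# Dry-run self-check: number of iptables commands the forward needs.
count_forward_cmds() { build_port_forward | grep -c '^iptables'; }

build_port_forward
```

Since Linux 4.7 the helpers are no longer assigned automatically; set `net.netfilter.nf_conntrack_helper=1` or attach them explicitly with a `-t raw ... -j CT --helper ftp` rule, otherwise the modules load but active-mode FTP through the NAT still fails in exactly the way the "complex protocols" discussion above describes.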