* Re: Linux Networking problem...please help..
From: beolach @ 2003-07-16 17:45 UTC (permalink / raw)
  To: skpobox; +Cc: linux-net, linux-newbie


I am reasonably certain everything below is correct,
but don't sue me if it doesn't work.  :)

Here is what's causing your problem. Because you
are using IP addresses 192.168.200.??? and also
IPs 192.168.250.???, you need to either use for
netmask 255.255.0.0, or change all your IPs so
they start with either 192.168.200 or 192.168.250,
but NOT both. The problem is, with your current
netmasks, you're trying to communicate between
two separate subnets, 192.168.200.??? and
192.168.250.???.  M$ Windows will not like this.
Changing the subnet mask to 255.255.0.0 will put
all your boxes on one subnet, 192.168.???.???.

I suppose there might be some way to set up your
firewall to bridge the two subnets, but that would
probably be more complicated.

Hope this helps,
Conway S. Smith

--- Sanjay Arora <skpobox@yahoo.com> wrote:
>
>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
>
>Sanjay.
>
>--- Stephen Samuel <samuel@bcgreen.com> wrote:
>> What are the netmasks for the two machines?? If you give them a /18
>> (or a /16) netmask and the associated broadcast addresses, then they'll
>> know to just talk directly to each other.
>> 
>> Of course, I barely trust Windows to understand netmasks, but it
>> should be OK -- far better than trying to get it to accept ICMP
>> redirects.
>> 
>> 
>> Sanjay Arora wrote:
>> > Network Scenario: RH 8 Linux Firewall Server using three ethernet cards,
>> > IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 192.168.200.1
>> > connected to an ethernet hub, & 192.168.100.1 (presently not being used).
>> > Using a hub two lans are connected to 192.168.200.1, each presently having
>> > one machine each having IP addresses 192.168.200.2 (Windows XP machine,
>> > having Gateway address of 192.168.200.1 in TCP/IP settings) and
>> > 192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 as GW address).
>> > 
>> > 1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File
>> > Server), the firewall shows an error message saying that WinXP machine is
>> > ignoring redirects to 192.168.250.1. The transfer speed is also around 3.5
>> > MB instead of full 10 MB which I get between the two Linux Servers. What's
>> > the reason? What do I do to correct this behaviour?
>> > 
>> > 2. The RH fileserver machine is very underutilized. I am thinking of
>> > putting another ethernet card in it and connect it to the cable ISP and
>> > Firewall server using a hub. I plan to put a firewall on the new
>> > ethernet/IP address denying all outgoing packets and put a sniffer on it.
>> > What are the security implications of this? Mind the IP that sniffer is
>> > running on is denying all outgoing traffic and dropping all incoming
>> > traffic and providing no services at all. On the other hand the machine is
>> > inside the firewall.... a compromise here would provide direct access to
>> > all local network resources. Is a compromise possible on an IP that denies
>> > all traffic inbound and outbound? Should I waste one machine for this task
>> > on my proposed small network (less than 20 machines)?
>> > 
>> > With thanks in advance ;-))
>> > Sanjay.
>> 
>> 
>> -- 
>> Stephen Samuel +1(604)876-0426               samuel@bcgreen.com
>>                    http://www.bcgreen.com/~samuel/
>>     Powerful committed communication. Transformation touching
>>         the jewel within each person and bring it to life.

* Re: Linux Networking problem...please help..
From: Liam Helmer @ 2003-07-17 15:09 UTC (permalink / raw)
  To: Sanjay Arora; +Cc: linux-net, linux-newbie

AFAIK, Windows XP doesn't accept ICMP redirects.
I know that Windows 2000 and NT didn't, so it wouldn't surprise me if XP 
didn't. It's not secure... <g>.

Cheers,
Liam

Sanjay Arora wrote:

>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
>
>Sanjay.
>

* Re: Linux Networking problem...please help..
From: Sven Schuster @ 2003-07-16 15:16 UTC (permalink / raw)
  To: Sanjay Arora; +Cc: linux-net, linux-newbie

Sven Schuster wrote:

>
> Hello,
>
> maybe you could try to turn off send_redirects??
>
> echo "0" >/proc/sys/net/ipv4/conf/all/send_redirects
> echo "0" >/proc/sys/net/ipv4/conf/eth0/send_redirects
>
> Maybe you'll have to write eth0 instead of eth0, depending on


Ouch...sorry, of course I mean eth1 or eth2 or what interface your
internal network is running on ;-)

> the interface for the internal network.
>
> Hope this helps
>
> Sven
>
>



* Re: Linux Networking problem...please help..
From: Sven Schuster @ 2003-07-16 15:00 UTC (permalink / raw)
  To: Sanjay Arora; +Cc: linux-net, linux-newbie


Hello,

maybe you could try to turn off send_redirects??

echo "0" >/proc/sys/net/ipv4/conf/all/send_redirects
echo "0" >/proc/sys/net/ipv4/conf/eth0/send_redirects

Maybe you'll have to write eth0 instead of eth0, depending on
the interface for the internal network.

Hope this helps

Sven
 


Sanjay Arora wrote:

>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
>
>Sanjay.
>
>--- Stephen Samuel <samuel@bcgreen.com> wrote:
>
>>What are the netmasks for the two machines?? If you
>>give them a /18
>>(or a /16) netmask and the associated broadcast
>>addresses, then they'll
>>know to just talk directly to each other.
>>
>>Of course, I barely trust Windows to understand
>>netmasks, but it
>>should be OK -- far better than trying to get it to
>>accept ICMP
>>redirects.
>>

* Re: Linux Networking problem...please help..
From: Ray Olszewski @ 2003-07-16 14:06 UTC (permalink / raw)
  To: linux-newbie

At 05:20 AM 7/16/2003 -0700, Sanjay Arora wrote:
>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
[old stuff deleted]

As I said in my prior response, redirects are commonly (though not always) 
ignored. Redirects are a way of spoofing, thus a security hole (even though 
they also have legitimate uses, as in your case). That XP rejects redirect 
instructions is quite reasonable.

(Are you sure that your Linux client on the LAN is receiving and acting on 
the router's redirect message? You haven't said. In any case, if it is on 
network 192.169.250.0/24, and has default gateway 192.168.200.1, as your 
earlier message seemed to say, it has a more elaborate routing table than 
the WinXP host ... either a route to 192.168.200.0/24 or a static route to 
192.168.200.1/32.)

In any case, if this is the "point" of your query, is it not better made on 
a Windows XP list than a pair of Linux lists? (BTW, no one else has 
mentioned this, but cross-posting of this sort is usually considered 
discourteous.) Both Linux hosts on the LAN seem to be functioning correctly 
(at least as far as I can tell from your description).

The only solution I can suggest is not to use the redirect trick to enable 
connectivity. Instead, give the WinXP host a proper routing table that 
tells it that it has a direct route to network 192.168.250.0/24.



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs


* Re: Linux Networking problem...please help..
From: Sanjay Arora @ 2003-07-16 12:20 UTC (permalink / raw)
  To: linux-net; +Cc: linux-newbie

Netmask is 255.255.255.0 on all machines.

Point is that the WinXP machine is being given a
redirect by the Linux firewall and that is being
ignored, either due to inability of WinXP or some
misconfiguration by me.

Sanjay.

--- Stephen Samuel <samuel@bcgreen.com> wrote:
> What are the netmasks for the two machines?? If you give them a /18
> (or a /16) netmask and the associated broadcast addresses, then they'll
> know to just talk directly to each other.
> 
> Of course, I barely trust Windows to understand netmasks, but it
> should be OK -- far better than trying to get it to accept ICMP
> redirects.
> 
> 
> Sanjay Arora wrote:
> > Network Scenario: RH 8 Linux Firewall Server using three ethernet cards,
> > IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 192.168.200.1
> > connected to an ethernet hub, & 192.168.100.1 (presently not being used).
> > Using a hub two lans are connected to 192.168.200.1, each presently having
> > one machine each having IP addresses 192.168.200.2 (Windows XP machine,
> > having Gateway address of 192.168.200.1 in TCP/IP settings) and
> > 192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 as GW address).
> > 
> > 1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File
> > Server), the firewall shows an error message saying that WinXP machine is
> > ignoring redirects to 192.168.250.1. The transfer speed is also around 3.5
> > MB instead of full 10 MB which I get between the two Linux Servers. What's
> > the reason? What do I do to correct this behaviour?
> > 
> > 2. The RH fileserver machine is very underutilized. I am thinking of
> > putting another ethernet card in it and connect it to the cable ISP and
> > Firewall server using a hub. I plan to put a firewall on the new
> > ethernet/IP address denying all outgoing packets and put a sniffer on it.
> > What are the security implications of this? Mind the IP that sniffer is
> > running on is denying all outgoing traffic and dropping all incoming
> > traffic and providing no services at all. On the other hand the machine is
> > inside the firewall.... a compromise here would provide direct access to
> > all local network resources. Is a compromise possible on an IP that denies
> > all traffic inbound and outbound? Should I waste one machine for this task
> > on my proposed small network (less than 20 machines)?
> > 
> > With thanks in advance ;-))
> > Sanjay.
> 
> 
> -- 
> Stephen Samuel +1(604)876-0426               samuel@bcgreen.com
>                    http://www.bcgreen.com/~samuel/
>     Powerful committed communication. Transformation touching
>         the jewel within each person and bring it to life.

* Re: Linux Networking problem...please help..
From: Glynn Clements @ 2003-07-14  2:41 UTC (permalink / raw)
  To: Sanjay Arora; +Cc: linux-newbie


Sanjay Arora wrote:

> Network Scenario: RH 8 Linux Firewall Server using three ethernet cards, 
> IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 192.168.200.1 
> connected to an ethernet hub, & 192.168.100.1 (presently not being used). 
> Using a hub two lans are connected to 192.168.200.1, each presently having 
> one machine each having IP addresses 192.168.200.2 (Windows XP machine, 
> having Gateway address of 192.168.200.1 in TCP/IP settings) and 
> 192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 as GW address).

Do all the machines have a /16 netmask (255.255.0.0) for the 192.168.x
addresses?

> 1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File 
> Server), the firewall shows an error message saying that WinXP machine is 
> ignoring redirects to 192.168.250.1

This suggests that the XP machine has the wrong netmask. If it has a
/24 netmask (255.255.255.0), it will consider 192.168.250.1 to be in a
separate network, and will attempt to send packets via the router.

-- 
Glynn Clements <glynn.clements@virgin.net>

* Re: Linux Networking problem...please help..
From: Ray Olszewski @ 2003-07-13 21:52 UTC (permalink / raw)
  To: linux-newbie

At 12:11 AM 7/14/2003 +0530, Sanjay Arora wrote:
>Network Scenario: RH 8 Linux Firewall Server using three ethernet cards, 
>IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 
>192.168.200.1 connected to an ethernet hub, & 192.168.100.1 (presently not 
>being used). Using a hub two lans are connected to 192.168.200.1, each 
>presently having one machine each having IP addresses 192.168.200.2 
>(Windows XP machine, having Gateway address of 192.168.200.1 in TCP/IP 
>settings) and 192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 
>as GW address).
>
>1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File 
>Server), the firewall shows an error message saying that WinXP machine is 
>ignoring redirects to 192.168.250.1. The transfer speed is also around 3.5 
>MB instead of full 10 MB which I get between the two Linux Servers. What's 
>the reason? What do I do to correct this behaviour?

Hard to say from what you reported. Especially hard because the problems 
both involve an XP system, and my expertise (like most folks here) is in 
Linux. With that warning, I do have a thought.

1. What does the routing table on the WinXP host look like? The redirect 
message *might* mean that it does not know it has a direct (LAN) connection 
to 192.168.250.1, so uses the Linux Firewall (192.168.200.1) as its route 
to 192.168.250.1. The Linux firewall does know that the WinXP host has a 
direct route so sends a redirect message. Ignoring redirects isn't unusual, 
as they are a possible security problem.

2. If the WinXP host is using the Linux Firewall to reach the RH Linux File 
Server, then the slower ftp speed is at least approximately explained, 
since each packet has to traverse the LAN twice (once between the XP Host 
and the Firewall, the other between the Firewall and the RH Linux File 
Server). The difference between 3.5 Mb (I suspect you mean b=bits, not 
B=Bytes, because "full 10 MB" has no real meaning, but "full 10 Mb" would 
mean something with 10 Mbit hardware) and 5 Mb is not remarkable when 
routing is involved.

If all this guesswork is right, then the fix is to modify the routing table 
on the WinXP host so it knows that it has a direct route to whatever 
network 192.168.250.1 is on (and maybe make an analogous change to the RH 
Server's routing table).

>2. The RH fileserver machine is very underutilized. I am thinking of 
>putting another ethernet card in it and connect it to the cable ISP and 
>Firewall server using a hub. I plan to put a firewall on the new 
>ethernet/IP address denying all outgoing packets and put a sniffer on it. 
>What are the security implications of this? Mind the IP that sniffer is 
>running on is denying all outgoing traffic and dropping all incoming 
>traffic and providing no services at all. On the other hand the machine is 
>inside the firewall.... a compromise here would provide direct access to 
>all local network resources. Is a compromise possible on an IP that denies 
>all traffic inbound and outbound? Should I waste one machine for this task 
>on my proposed small network (less than 20 machines)?

What is your purpose in connecting the RH fileserver to the external side 
of the firewall? Do you *only* want it to act as a sniffer? If so, what you 
describe should be reasonably safe, especially if the "external" interface 
on the machine does not have a public IP address (I don't think a sniffer 
requires one). To be maximally safe with this setup, modify your Ethernet 
cable so the host can only receive packets, not send them, on the 
interface. At that point, your host is as safe as the kernel itself ... if 
there is a flaw in the iptables code, it could still, just barely 
conceivably, be the basis of an exploit. But the risk seems small, and 
risks can never be reduced to zero with a working system.



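The forwarding behaviour that Conway (netmask), Sven (send_redirects) and Ray (routing table, double LAN traversal) describe in this thread, as an added example that is not part of any of the posts: a small Python model of the XP host's first-hop decision and of a simplified Linux redirect rule. The firewall's routing table (a route to 192.168.250.0/24 out of the same LAN interface, named eth1 here) and the interface names are assumptions; the three addresses come from the thread.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Addresses from the thread: three hosts sharing one hub.
XP_HOST = IPv4Address("192.168.200.2")
FIREWALL = IPv4Address("192.168.200.1")
FILESERVER = IPv4Address("192.168.250.1")

# Firewall routing table as (network, egress interface). Assumption: the
# firewall reaches 192.168.250.0/24 over the same LAN interface as
# 192.168.200.0/24 (a static route, or a /16 on that interface), which is
# what Ray infers from the fact that it sends a redirect at all.
FIREWALL_ROUTES = [
    (IPv4Network("192.168.200.0/24"), "eth1"),
    (IPv4Network("192.168.250.0/24"), "eth1"),
    (IPv4Network("192.168.100.0/24"), "eth2"),
    (IPv4Network("0.0.0.0/0"), "eth0"),  # default route towards the ISP
]


def host_next_hop(host, gateway, dst):
    """A host with one interface and only a default route delivers on-link
    destinations directly and hands everything else to its default gateway."""
    return dst if dst in host.network else gateway


def route_lookup(routes, dst):
    """Longest-prefix match over a routing table; returns the egress interface."""
    matches = [(net.prefixlen, iface) for net, iface in routes if dst in net]
    return max(matches)[1]


def firewall_sends_redirect(src, dst, send_redirects=True):
    """Simplified Linux rule: an ICMP redirect is sent when a packet would
    leave through the interface it arrived on, i.e. the sender could have
    delivered it itself. net.ipv4.conf.<if>.send_redirects=0 (Sven's
    suggestion) suppresses it; the firewall then just forwards silently."""
    if not send_redirects:
        return False
    return route_lookup(FIREWALL_ROUTES, src) == route_lookup(FIREWALL_ROUTES, dst)


def xp_to_fileserver(prefixlen, send_redirects=True):
    """Trace the first hop of XP host -> file server for a given XP netmask."""
    xp = IPv4Interface(f"{XP_HOST}/{prefixlen}")
    hop = host_next_hop(xp, FIREWALL, FILESERVER)
    via_firewall = hop == FIREWALL
    return {
        "netmask": str(xp.netmask),
        "first_hop": str(hop),
        "via_firewall": via_firewall,
        # Relayed packets cross the hub twice: Ray's explanation for the
        # roughly halved ftp throughput.
        "lan_crossings": 2 if via_firewall else 1,
        # A host that ignores the redirect (as XP does) keeps relaying.
        "redirect_sent": via_firewall
        and firewall_sends_redirect(XP_HOST, FILESERVER, send_redirects),
    }


if __name__ == "__main__":
    for bits in (24, 18, 16):
        print(xp_to_fileserver(bits))
    print(xp_to_fileserver(24, send_redirects=False))
```

With /24 the XP host relays through the firewall and gets a redirect it ignores; with /18 or /16 the file server is on-link and no redirect is ever needed, while send_redirects=0 only silences the message without removing the extra hop.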

* Linux Networking problem...please help..
From: Sanjay Arora @ 2003-07-13 18:41 UTC (permalink / raw)
  To: linux-net; +Cc: linux-newbie

Network Scenario: RH 8 Linux Firewall Server using three ethernet cards, 
IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 192.168.200.1 
connected to an ethernet hub, & 192.168.100.1 (presently not being used). 
Using a hub two lans are connected to 192.168.200.1, each presently having 
one machine each having IP addresses 192.168.200.2 (Windows XP machine, 
having Gateway address of 192.168.200.1 in TCP/IP settings) and 
192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 as GW address).

1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File 
Server), the firewall shows an error message saying that WinXP machine is 
ignoring redirects to 192.168.250.1. The transfer speed is also around 3.5 
MB instead of full 10 MB which I get between the two Linux Servers. What's 
the reason? What do I do to correct this behaviour?

2. The RH fileserver machine is very underutilized. I am thinking of 
putting another ethernet card in it and connect it to the cable ISP and 
Firewall server using a hub. I plan to put a firewall on the new 
ethernet/IP address denying all outgoing packets and put a sniffer on it. 
What are the security implications of this? Mind the IP that sniffer is 
running on is denying all outgoing traffic and dropping all incoming 
traffic and providing no services at all. On the other hand the machine is 
inside the firewall.... a compromise here would provide direct access to 
all local network resources. Is a compromise possible on an IP that denies 
all traffic inbound and outbound? Should I waste one machine for this task 
on my proposed small network (less than 20 machines)?

With thanks in advance ;-))
Sanjay.