* Re: Linux Networking problem...please help..
[not found] <3F1332FC.8080903@bcgreen.com>
@ 2003-07-16 12:20 ` Sanjay Arora
2003-07-16 14:06 ` Ray Olszewski
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Sanjay Arora @ 2003-07-16 12:20 UTC (permalink / raw)
To: linux-net; +Cc: linux-newbie
Netmask is 255.255.255.0 on all machines.
Point is that the WinXP machine is being given a
redirect by the Linux firewall and that is being
ignored, either due to inability of WinXP or some
misconfiguration by me.
Sanjay.
--- Stephen Samuel <samuel@bcgreen.com> wrote:
> What are the netmasks for the two machines?? If you
> give them a /18
> (or a /16) netmask and the associated broadcast
> addresses, then they'll
> know to just talk directly to each other.
>
> Of course, I barely trust Windows to understand
> netmasks, but it
> should be OK -- far better than trying to get it to
> accept ICMP
> redirects.
>
>
> Sanjay Arora wrote:
> > Network Scenario: RH 8 Linux Firewall Server using
> three ethernet cards,
> > IPs 172.16.0.141 (connected to Cable Ethernet ISP
> doing NAT),
> > 192.168.200.1 connected to an ethernet hub, &
> 192.168.100.1 (presently
> > not being used). Using a hub two lans are
> connected to 192.168.200.1,
> > each presently having one machine each having IP
> addresses 192.168.200.2
> > (Windows XP machine, having Gateway address of
> 192.168.200.1 in TCP/IP
> > settings) and 192.168.250.1 (RH8 Linux Server,
> again having
> > 192.168.200.1 as GW address).
> >
> > 1. When I ftp from 192.168.200.2 (WinXP) to
> 192.168.250.1 (RH Linux File
> > Server), the firewall shows an error message
> saying that WinXP machine
> > is ignoring redirects to 192.168.250.1 The
> transfer speed is also around
> > 3.5 MB instead of full 10 MB which I get between
> the two Linux Servers.
> > What's the reason? What do I do to correct this
> behaviour?
> >
> > 2. The RH fileserver machine is very
> underutilized. I am thinking of
> > putting another ethernet card in it and connect is
> to the cable ISP and
> > Firewall server using a hub. I plan to put a
> firewall on the new
> > ethernet/IP address denying all outgoing packets
> and put a sniffer on
> > it. What are the security implications of this?
> Mind the IP that sniffer
> > is running on is denying all outgoing traffic and
> dropping all incoming
> > traffic and providing no services at all. On the
> other hand the machine
> > is inside the firewall.... a compromise here would
> provide direct access
> > to all local network resources. Is a compromise
> possible on an IP that
> > denies all traffic inbound and outbound? Should I
> waste one machine for
> > this task on my proposed small network (less than
> 20 machines)?
> >
> > With thanks in advance ;-))
> > Sanjay.
>
>
> --
> Stephen Samuel +1(604)876-0426
> samuel@bcgreen.com
> http://www.bcgreen.com/~samuel/
> Powerful committed communication. Transformation
> touching
> the jewel within each person and bring it to
> life.
>
__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Linux Networking problem...please help..
2003-07-16 12:20 ` Linux Networking problem...please help Sanjay Arora
@ 2003-07-16 14:06 ` Ray Olszewski
2003-07-16 15:00 ` Sven Schuster
2003-07-17 15:09 ` Liam Helmer
2 siblings, 0 replies; 9+ messages in thread
From: Ray Olszewski @ 2003-07-16 14:06 UTC (permalink / raw)
To: linux-newbie
At 05:20 AM 7/16/2003 -0700, Sanjay Arora wrote:
>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
[old stuff deleted]
As I said in my prior response, redirects are commonly (though not always)
ignored. Redirects are a way of spoofing, thus a security hole (even though
they also have legitimate uses, as in your case). That XP rejects redirect
instructions is quite reasonable.
(Are you sure that your Linux client on the LAN is receiving and acting on
the router's redirect message? You haven't said. In any case, if it is on
network 192.169.250.0/24, and has default gateway 192.168.200.1, as your
earlier message seemed to say, it has a more elaborate routing table than
the WinXP host ... either a route to 192.168.200.0/24 or a static route to
192.168.200.1/32.)
In any case, if this is the "point" of your query, is it not better made on
a Windows XP list than a pair of Linux lists? (BTW, no one else has
mentioned this, but cross-posting of this sort is usually considered
discourteous.) Both Linux hosts on the LAN seem to be functioning correctly
(at least as far as I can tell from your description).
The only solution I can suggest is not to use the redirect trick to enable
connectivity. Instead, give the WinXP host a proper routing table that
tells it that it has a direct route to network 192.168.250.0/24.
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Linux Networking problem...please help..
2003-07-16 12:20 ` Linux Networking problem...please help Sanjay Arora
2003-07-16 14:06 ` Ray Olszewski
@ 2003-07-16 15:00 ` Sven Schuster
2003-07-16 15:16 ` Sven Schuster
2003-07-17 15:09 ` Liam Helmer
2 siblings, 1 reply; 9+ messages in thread
From: Sven Schuster @ 2003-07-16 15:00 UTC (permalink / raw)
To: Sanjay Arora; +Cc: linux-net, linux-newbie
Hello,
maybe you could try to turn off send_redirects??
echo "0" >/proc/sys/net/ipv4/conf/all/send_redirects
echo "0" >/proc/sys/net/ipv4/conf/eth0/send_redirects
Maybe you'll have to write eth0 instead of eth0, depending on
the interface for the internal network.
Hope this helps
Sven
Sanjay Arora wrote:
>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
>
>Sanjay.
>
>--- Stephen Samuel <samuel@bcgreen.com> wrote:
>
>>What are the netmasks for the two machines?? If you
>>give them a /18
>>(or a /16) netmask and the associated broadcast
>>addresses, then they'll
>>know to just talk directly to each other.
>>
>>Of course, I barely trust Windows to understand
>>netmasks, but it
>>should be OK -- far better than trying to get it to
>>accept ICMP
>>redirects.
>>
>>
>>
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Linux Networking problem...please help..
2003-07-16 15:00 ` Sven Schuster
@ 2003-07-16 15:16 ` Sven Schuster
0 siblings, 0 replies; 9+ messages in thread
From: Sven Schuster @ 2003-07-16 15:16 UTC (permalink / raw)
To: Sanjay Arora; +Cc: linux-net, linux-newbie
Sven Schuster wrote:
>
> Hello,
>
> maybe you could try to turn off send_redirects??
>
> echo "0" >/proc/sys/net/ipv4/conf/all/send_redirects
> echo "0" >/proc/sys/net/ipv4/conf/eth0/send_redirects
>
> Maybe you'll have to write eth0 instead of eth0, depending on
Ouch...sorry, of course I mean eth1 or eth2 or what interface your
internal network is running on ;-)
> the interface for the internal network.
>
> Hope this helps
>
> Sven
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Linux Networking problem...please help..
2003-07-16 12:20 ` Linux Networking problem...please help Sanjay Arora
2003-07-16 14:06 ` Ray Olszewski
2003-07-16 15:00 ` Sven Schuster
@ 2003-07-17 15:09 ` Liam Helmer
2 siblings, 0 replies; 9+ messages in thread
From: Liam Helmer @ 2003-07-17 15:09 UTC (permalink / raw)
To: Sanjay Arora; +Cc: linux-net, linux-newbie
AFAIK, Windows XP doesn't accept ICMP redirects.
I know that Windows 2000 and NT didn't, so it wouldn't surprise me if XP
didn't. It's not secure... <g>.
Cheers,
Liam
Sanjay Arora wrote:
>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
>
>Sanjay.
>
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Linux Networking problem...please help..
@ 2003-07-16 17:45 beolach
0 siblings, 0 replies; 9+ messages in thread
From: beolach @ 2003-07-16 17:45 UTC (permalink / raw)
To: skpobox; +Cc: linux-net, linux-newbie
I reasonably certain everything below is correct,
but don't sue me if it doesn't work. :)
Here is what's causing your problem. Because you
are using IP addresses 192.168.200.??? and also
IPs 192.168.250.???, you need to either use for
netmask 255.255.0.0, or change all your IPs so
they start with either 192.168.200 or 192.168.250,
but NOT both. The problem is, with your current
netmasks, you're trying to communicate between
two seperate subnets, 192.168.200.??? and
192.168.250.???. M$ Windows will not like this.
Changing the subnet mask to 255.255.0.0 will put
all your boxes on one subnet, 192.168.???.???.
I suppose there might be someway to set up your
firewall to bridge the two subnets, but that would
probably be more complicated.
Hope this helps,
Conway S. Smith
--- Sanjay Arora <skpobox@yahoo.com> wrote:
>
>Netmask is 255.255.255.0 on all machines.
>
>Point is that the WinXP machine is being given a
>redirect by the Linux firewall and that is being
>ignored, either due to inability of WinXP or some
>misconfiguration by me.
>
>Sanjay.
>
>--- Stephen Samuel <samuel@bcgreen.com> wrote:
>> What are the netmasks for the two machines?? If you
>> give them a /18
>> (or a /16) netmask and the associated broadcast
>> addresses, then they'll
>> know to just talk directly to each other.
>>
>> Of course, I barely trust Windows to understand
>> netmasks, but it
>> should be OK -- far better than trying to get it to
>> accept ICMP
>> redirects.
>>
>>
>> Sanjay Arora wrote:
>> > Network Scenario: RH 8 Linux Firewall Server using
>> three ethernet cards,
>> > IPs 172.16.0.141 (connected to Cable Ethernet ISP
>> doing NAT),
>> > 192.168.200.1 connected to an ethernet hub, &
>> 192.168.100.1 (presently
>> > not being used). Using a hub two lans are
>> connected to 192.168.200.1,
>> > each presently having one machine each having IP
>> addresses 192.168.200.2
>> > (Windows XP machine, having Gateway address of
>> 192.168.200.1 in TCP/IP
>> > settings) and 192.168.250.1 (RH8 Linux Server,
>> again having
>> > 192.168.200.1 as GW address).
>> >
>> > 1. When I ftp from 192.168.200.2 (WinXP) to
>> 192.168.250.1 (RH Linux File
>> > Server), the firewall shows an error message
>> saying that WinXP machine
>> > is ignoring redirects to 192.168.250.1 The
>> transfer speed is also around
>> > 3.5 MB instead of full 10 MB which I get between
>> the two Linux Servers.
>> > What's the reason? What do I do to correct this
>> behaviour?
>> >
>> > 2. The RH fileserver machine is very
>> underutilized. I am thinking of
>> > putting another ethernet card in it and connect is
>> to the cable ISP and
>> > Firewall server using a hub. I plan to put a
>> firewall on the new
>> > ethernet/IP address denying all outgoing packets
>> and put a sniffer on
>> > it. What are the security implications of this?
>> Mind the IP that sniffer
>> > is running on is denying all outgoing traffic and
>> dropping all incoming
>> > traffic and providing no services at all. On the
>> other hand the machine
>> > is inside the firewall.... a compromise here would
>> provide direct access
>> > to all local network resources. Is a compromise
>> possible on an IP that
>> > denies all traffic inbound and outbound? Should I
>> waste one machine for
>> > this task on my proposed small network (less than
>> 20 machines)?
>> >
>> > With thanks in advance ;-))
>> > Sanjay.
>>
>>
>> --
>> Stephen Samuel +1(604)876-0426
>> samuel@bcgreen.com
>> http://www.bcgreen.com/~samuel/
>> Powerful committed communication. Transformation
>> touching
>> the jewel within each person and bring it to
>> life.
>>
________________________________________________________________
The best thing to hit the internet in years - Juno SpeedBand!
Surf the web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!
^ permalink raw reply [flat|nested] 9+ messages in thread
* Linux Networking problem...please help..
@ 2003-07-13 18:41 Sanjay Arora
2003-07-13 21:52 ` Ray Olszewski
2003-07-14 2:41 ` Glynn Clements
0 siblings, 2 replies; 9+ messages in thread
From: Sanjay Arora @ 2003-07-13 18:41 UTC (permalink / raw)
To: linux-net; +Cc: linux-newbie
Network Scenario: RH 8 Linux Firewall Server using three ethernet cards,
IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 192.168.200.1
connected to an ethernet hub, & 192.168.100.1 (presently not being used).
Using a hub two lans are connected to 192.168.200.1, each presently having
one machine each having IP addresses 192.168.200.2 (Windows XP machine,
having Gateway address of 192.168.200.1 in TCP/IP settings) and
192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 as GW address).
1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File
Server), the firewall shows an error message saying that WinXP machine is
ignoring redirects to 192.168.250.1 The transfer speed is also around 3.5
MB instead of full 10 MB which I get between the two Linux Servers. What's
the reason? What do I do to correct this behaviour?
2. The RH fileserver machine is very underutilized. I am thinking of
putting another ethernet card in it and connect is to the cable ISP and
Firewall server using a hub. I plan to put a firewall on the new
ethernet/IP address denying all outgoing packets and put a sniffer on it.
What are the security implications of this? Mind the IP that sniffer is
running on is denying all outgoing traffic and dropping all incoming
traffic and providing no services at all. On the other hand the machine is
inside the firewall.... a compromise here would provide direct access to
all local network resources. Is a compromise possible on an IP that denies
all traffic inbound and outbound? Should I waste one machine for this task
on my proposed small network (less than 20 machines)?
With thanks in advance ;-))
Sanjay.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Linux Networking problem...please help..
2003-07-13 18:41 Sanjay Arora
@ 2003-07-13 21:52 ` Ray Olszewski
2003-07-14 2:41 ` Glynn Clements
1 sibling, 0 replies; 9+ messages in thread
From: Ray Olszewski @ 2003-07-13 21:52 UTC (permalink / raw)
To: linux-newbie
At 12:11 AM 7/14/2003 +0530, Sanjay Arora wrote:
>Network Scenario: RH 8 Linux Firewall Server using three ethernet cards,
>IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT),
>192.168.200.1 connected to an ethernet hub, & 192.168.100.1 (presently not
>being used). Using a hub two lans are connected to 192.168.200.1, each
>presently having one machine each having IP addresses 192.168.200.2
>(Windows XP machine, having Gateway address of 192.168.200.1 in TCP/IP
>settings) and 192.168.250.1 (RH8 Linux Server, again having 192.168.200.1
>as GW address).
>
>1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File
>Server), the firewall shows an error message saying that WinXP machine is
>ignoring redirects to 192.168.250.1 The transfer speed is also around 3.5
>MB instead of full 10 MB which I get between the two Linux Servers. What's
>the reason? What do I do to correct this behaviour?
Hard to say from what you reported. Especially hard because the problems
both involve an XP system, and my expertise (like most folks here) is in
Linux. With that warning, I do have a thought.
1. What does the routing table on the WinXP host look like? The redirect
message *might* mean that it does not know it has a direct (LAN) connection
to 192.168.250.1, so uses the Linux Firewall (192.168.200.1) as its route
to 192.168.250.1. The Linux firewall does know that the WinXP host has a
direct route so sends a redirect message. Ignoring redirects isn't unusual,
as they are a possible security problem.
2. If the WinXP host is using the Linux Firewall to reach the RH Linux FIle
Server, then the slower ftp speed is at least approximately explained,
since each packet has to traverse the LAN twice (once between the XP Host
and the Firewall, the other between the FIrewall and the RH Linux File
Server). The difference between 3.5 Mb (I suspect you mean b=bits, not
B=Bytes, because "full 10 MB" has no real meaning, but "full 10 Mb" would
mean something with 10 Mbit hardware) and 5 Mb is not remarkable when
routing is involved.
If all this guesswork is right, then the fix is to modify the routing table
on the WinXP host so it knows that it has a direct route to whatever
network 192.168.250.1 is on (and maybe make an analogous change to the RH
Server's routing table0.
>2. The RH fileserver machine is very underutilized. I am thinking of
>putting another ethernet card in it and connect is to the cable ISP and
>Firewall server using a hub. I plan to put a firewall on the new
>ethernet/IP address denying all outgoing packets and put a sniffer on it.
>What are the security implications of this? Mind the IP that sniffer is
>running on is denying all outgoing traffic and dropping all incoming
>traffic and providing no services at all. On the other hand the machine is
>inside the firewall.... a compromise here would provide direct access to
>all local network resources. Is a compromise possible on an IP that denies
>all traffic inbound and outbound? Should I waste one machine for this task
>on my proposed small network (less than 20 machines)?
What is your purpose in connecting the RH fileserver to the external side
of the firewall? Do you *only* want it to act as a sniffer? If so, what you
describe should be reasonably safe, especially if the "external" interface
on the machine does not have a public IP address (I don't think a sniffer
requires one). To be maximally safe with this setup, modify your Ethernet
cable so the host can only receive packets, not send them, on the
interface. At that point, your host is as safe as the kenrel itself ... if
there is a flaw in the iptables code, it could still, just barely
conceivably, be the basis of an exploit. But the risk seems small, and
risks can never be reduced to zero with a working system.
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Linux Networking problem...please help..
2003-07-13 18:41 Sanjay Arora
2003-07-13 21:52 ` Ray Olszewski
@ 2003-07-14 2:41 ` Glynn Clements
1 sibling, 0 replies; 9+ messages in thread
From: Glynn Clements @ 2003-07-14 2:41 UTC (permalink / raw)
To: Sanjay Arora; +Cc: linux-newbie
Sanjay Arora wrote:
> Network Scenario: RH 8 Linux Firewall Server using three ethernet cards,
> IPs 172.16.0.141 (connected to Cable Ethernet ISP doing NAT), 192.168.200.1
> connected to an ethernet hub, & 192.168.100.1 (presently not being used).
> Using a hub two lans are connected to 192.168.200.1, each presently having
> one machine each having IP addresses 192.168.200.2 (Windows XP machine,
> having Gateway address of 192.168.200.1 in TCP/IP settings) and
> 192.168.250.1 (RH8 Linux Server, again having 192.168.200.1 as GW address).
Do all the machines have a /16 netmask (255.255.0.0) for the 192.168.x
addresses?
> 1. When I ftp from 192.168.200.2 (WinXP) to 192.168.250.1 (RH Linux File
> Server), the firewall shows an error message saying that WinXP machine is
> ignoring redirects to 192.168.250.1
This suggests that the XP machine has the wrong netmask. If it has a
/24 netmask (255.255.255.0), it will consider 192.168.250.1 to be in a
separate network, and will attempt to send packets via the router.
--
Glynn Clements <glynn.clements@virgin.net>
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2003-07-17 15:09 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <3F1332FC.8080903@bcgreen.com>
2003-07-16 12:20 ` Linux Networking problem...please help Sanjay Arora
2003-07-16 14:06 ` Ray Olszewski
2003-07-16 15:00 ` Sven Schuster
2003-07-16 15:16 ` Sven Schuster
2003-07-17 15:09 ` Liam Helmer
2003-07-16 17:45 beolach
-- strict thread matches above, loose matches on Subject: below --
2003-07-13 18:41 Sanjay Arora
2003-07-13 21:52 ` Ray Olszewski
2003-07-14 2:41 ` Glynn Clements
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.