From colin at colina.demon.co.uk Thu Jun 5 08:16:48 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 05 Jun 2003 16:16:48 +0100
Subject: [NARC] Ping from DMZ to LAN
Message-ID:

I have finally acquired a third machine, so now my DMZ and LAN are actually on different ethernets!

I thought I knew how to configure all this, but although I can ping the LAN machine from the firewall, I cannot ping it from the DMZ. Is this purely a network configuration issue, or is it something that can be influenced by narc?

-- 
Colin Paul Adams
Preston Lancashire

From morris at maynidea.com Fri Jun 6 10:00:57 2003
From: morris at maynidea.com (Morris Maynard)
Date: Fri, 06 Jun 2003 13:00:57 -0400
Subject: [NARC] INVALID: ACK FIN
In-Reply-To: <20030606132731.17327.2931.Mailman@moles>
Message-ID:

I have iptables running, organized by narc, on a server running Linux 7.3. The server also runs the squid proxy. I am not running squid in transparent mode.

Web browsing from LAN clients usually works. However, sometimes it does not, and then I see lines like this in the kernel log:

12:44:54 lion kernel: INVALID IN=eth0 OUT= MAC=blahblah SRC=192.168.2.11 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10715 DF PROTO=TCP SPT=3030 DPT=3128 WINDOW=64992 RES=0x00 ACK FIN URGP=0
12:45:04 lion kernel: INVALID IN=eth0 OUT= MAC=blahblah SRC=192.168.2.11 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10748 DF PROTO=TCP SPT=3030 DPT=3128 WINDOW=64992 RES=0x00 ACK FIN URGP=0
12:45:23 lion kernel: INVALID IN=eth0 OUT= MAC=blahblah SRC=192.168.2.11 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10856 DF PROTO=TCP SPT=3030 DPT=3128 WINDOW=64992 RES=0x00 ACK FIN URGP=0

which should be a problem, since DPT=3128 means that packets addressing the proxy are being rejected.
My illegal flags section of narc.conf reads:

ILLEGAL_TCP_FLAGS="SYN,FIN PSH,FIN SYN,ACK,FIN SYN,FIN,PSH SYN,FIN,RST SYN,FIN,RST,PSH SYN,FIN,ACK,RST SYN,ACK,FIN,RST,PSH ALL"
FINSCAN="FIN"
XMASSCAN="URG,PSH,FIN"
NULLSCAN="NONE"

so I don't see "ACK,FIN" by themselves in there. Specific questions: would "SYN,ACK,FIN" cause this rejection?

From shane at knowplace.org Sat Jun 7 11:29:31 2003
From: shane at knowplace.org (Shane Chen)
Date: Sat, 7 Jun 2003 11:29:31 -0700
Subject: [NARC] Ping from DMZ to LAN
References:
Message-ID: <002c01c32d22$bd169e60$4264a8c0@TRANSMUTE>

Hi,

----- Original Message -----
From: "Colin Paul Adams"

> I thought i knew how to configure all this, but although I can ping
> the LAN machine from the firewall, I cannot ping it from the DMZ. Is
> this purely a network configuration issue, or is it something that can
> be influenced by narc?

If you mean that you cannot ping machines in the LAN from your machines in the DMZ, this is the default behavior of NARC. It basically firewalls off the LAN from machines in the DMZ so that, as far as the machines in the DMZ are concerned, there is no LAN. If you want to change that behavior, you'll have to write custom rules.

Shane

From shane at knowplace.org Sat Jun 7 11:32:27 2003
From: shane at knowplace.org (Shane Chen)
Date: Sat, 7 Jun 2003 11:32:27 -0700
Subject: [NARC] INVALID: ACK FIN
References:
Message-ID: <003201c32d23$25bffbf0$4264a8c0@TRANSMUTE>

----- Original Message -----
From: "Morris Maynard"

> 12:44:54 lion kernel: INVALID IN=eth0 OUT= MAC=blahblah SRC=192.168.2.11
> DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10715 DF PROTO=TCP

The INVALID prefix in NARC means that these packets don't belong to any established connection in iptables' connection tracking table. So either it belongs to a connection that has timed out (more likely), or it's someone lobbing funky packets at you.

> Specific questions: would "SYN,ACK,FIN" cause this rejection?

No.
=)

Shane

From AllshouseBM at navair.navy.mil Tue Jun 10 10:37:30 2003
From: AllshouseBM at navair.navy.mil (Allshouse, Brian M (Sabre))
Date: Tue, 10 Jun 2003 13:37:30 -0400
Subject: [NARC] narc without NAT
Message-ID: <7160403BF562D211A1C70000F809810B0528700C@nems09.nawcad.navy.mil>

I'm trying to configure narc with all IPs on the same network. I need a firewall/router with no NATing and no masquerading. If anyone can give me some ideas, I would really appreciate it.

Sincerely,
Brian Allshouse
UNIX Systems Administrator
Sabre Systems Inc.
mailto:allshousebm at navair.navy.mil
(301) 342-7034

From shane at knowplace.org Thu Jun 12 00:55:25 2003
From: shane at knowplace.org (Shane Chen)
Date: Thu, 12 Jun 2003 00:55:25 -0700
Subject: [NARC] narc without NAT
References: <7160403BF562D211A1C70000F809810B0528700C@nems09.nawcad.navy.mil>
Message-ID: <009c01c330b7$fb87b830$4264a8c0@TRANSMUTE>

----- Original Message -----
From: "Allshouse, Brian M (Sabre)"

> I'm trying to configure narc with all IP's on the same network. I need a
> firewall/router with no NATing and no Masquerading if anyone can give me
> some ideas I would really appreciate it.

Well, you don't have to turn on the NATing if you don't want to. Just get your routing right, then configure iptables to forward the traffic between the proper interfaces and do your filtering in the FORWARD chain.

Shane

From AllshouseBM at navair.navy.mil Thu Jun 12 06:04:52 2003
From: AllshouseBM at navair.navy.mil (Allshouse, Brian M (Sabre))
Date: Thu, 12 Jun 2003 09:04:52 -0400
Subject: [NARC] narc without NAT
Message-ID: <7160403BF562D211A1C70000F809810B0528702F@nems09.nawcad.navy.mil>

OK, I have gotten that far since I sent out that email. Now my problem is the routing. From the test machine I have running behind the firewall (running narc), I can get everywhere I need to go (internet, FTP, chat, etc.), except I can't communicate with systems on my same network that are on the other side of the firewall.
Any suggestions? I'm sure it's a routing problem, but I'm not even seeing anything in the logs on the firewall to give me some hints. Is there a way I can use NAT so traffic on my local network but outside the firewall can make it back and forth between machines behind the firewall? I've tried static routes, but that only works for traffic for machines behind the firewall.

Any help would be appreciated. Thanks.

Sincerely,
Brian Allshouse
UNIX Systems Administrator
Sabre Systems Inc.
mailto:allshousebm at navair.navy.mil
(301) 342-7034

-----Original Message-----
From: Shane Chen [mailto:shane at knowplace.org]
Sent: Thursday, June 12, 2003 3:55 AM
To: Allshouse, Brian M (Sabre); narc at knowplace.org
Subject: Re: [NARC] narc without NAT

----- Original Message -----
From: "Allshouse, Brian M (Sabre)"

> I'm trying to configure narc with all IP's on the same network. I need a
> firewall/router with no NATing and no Masquerading if anyone can give me
> some ideas I would really appreciate it.

Well, you don't have to turn on the NAT'ing if you don't want to. Just get your routing right, then configure iptables to forward the traffic between the proper interfaces and do your filtering in the forward chain.

Shane

From shane at knowplace.org Thu Jun 12 10:24:49 2003
From: shane at knowplace.org (Shane Chen)
Date: Thu, 12 Jun 2003 10:24:49 -0700
Subject: [NARC] narc without NAT
References: <7160403BF562D211A1C70000F809810B0528702F@nems09.nawcad.navy.mil>
Message-ID: <002f01c33107$87807260$22c1a8c0@ict.usc.edu>

Hi Brian,

----- Original Message -----
From: "Allshouse, Brian M (Sabre)"

> ok, I have gotten that far since I sent out that email. Now my problem is
> the routing. From the test machine I have running behind the firewall
> (running narc) I can get everywhere I need to go (internet, ftp,chat,etc.)
> except I can't communicate with systems on my same network that are on the
> other side of the firewall.
> Any suggestions I'm sure it's a routing problem,

I'm not sure that the way you're going about this is the best approach. If you arbitrarily divide up a subnet without actually subnetting it, routing breaks as a natural consequence. If you really need to firewall off a segment without making any modifications to the network settings, look into inserting a transparent bridging firewall between the segments. I believe there's a howto at tldp.org.

In a subnet segment, when the nodes want to talk to each other, they ARP for the MAC address of the IP they need to send the packets to. If you have a machine segregating the segments without setting up an ARP proxy, the machines on the other side won't answer because they'll never get the ARP broadcast. Otherwise, you need to properly subnet your network so that all the machines involved know when to ARP and when to talk to your router.

Shane

From zhu1230 at 163.com Mon Jun 16 07:02:08 2003
From: zhu1230 at 163.com (zhu1230)
Date: Mon, 16 Jun 2003 22:02:08 +0800
Subject: [NARC] about the fopen() problem!help!
Message-ID: <003301c3340f$e08e1eb0$0baaa8c0@zhu>

Hi all, my firewall log is like this:

Jun 16 21:16:27 localhost kernel: ALL_ELSE IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=61.***.**.*** DST=61.***.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34196 DF PROTO=TCP SPT=50154 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020440 0C0402080A2CD957D50000000001030300)

NOTE: 61.***.**.*** is my IP.

I host a web server, and I use the Apache server and PHP together. Now I want to use PHP's function "fopen()" (fopen(http://mywebserver.com/******.php)), and this function does not work. However, when I shut down the narc firewall, the function works.
And the following lines are appended to firewall.log:

Jun 16 21:16:27 localhost kernel: ALL_ELSE IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=61.***.**.*** DST=61.***.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34196 DF PROTO=TCP SPT=50154 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020440 0C0402080A2CD957D50000000001030300)

Now I want to know how to make the PHP function work without shutting down the entire firewall. I will appreciate any ideas! Thank you!!! My English is poor, sorry!

From zhu1230 at 163.com Tue Jun 17 21:45:16 2003
From: zhu1230 at 163.com (zhu1230)
Date: Wed, 18 Jun 2003 12:45:16 +0800
Subject: [NARC] about the fopen() problem!help!
Message-ID: <001401c33554$6d2f0970$0baaa8c0@zhu>

Hi all, my firewall log is like this:

Jun 16 21:16:27 localhost kernel: ALL_ELSE IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=61.***.**.*** DST=61.***.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34196 DF PROTO=TCP SPT=50154 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020440 0C0402080A2CD957D50000000001030300)

NOTE: 61.***.**.*** is my IP.

I host a web server, and I use the Apache server and PHP together. Now I want to use PHP's function "fopen()" (fopen(http://mywebserver.com/******.php)), and this function does not work. However, when I shut down the narc firewall, the function works. And the following lines are appended to firewall.log:

Jun 16 21:16:27 localhost kernel: ALL_ELSE IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=61.***.**.*** DST=61.***.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34196 DF PROTO=TCP SPT=50154 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020440 0C0402080A2CD957D50000000001030300)

Now I want to know how to make the PHP function work without shutting down the entire firewall. I will appreciate any ideas! Thank you!!!
My English is poor, sorry!

From hisham at shaw.ca Sun Jun 22 17:01:09 2003
From: hisham at shaw.ca (Hisham Abdel-Rahman)
Date: Sun, 22 Jun 2003 18:01:09 -0600
Subject: [NARC] PPTP server and narc
Message-ID: <013401c3391a$8d651210$740aa8c0@hisham>

Hello All,

I just installed a PPTP server on RH 2.4.20-8, but as soon as I load the needed modules for PPTP, the Linux gateway/router stops working: I cannot browse the internet or connect to the Linux server using SSH, for example. As soon as I unload those modules, everything is fine.

Has anyone seen this problem before?

Here is what my /etc/modules.conf looks like:

alias eth0 tlan
alias eth1 ne
options ne irq=5 io=0x300
#alias char-major-108 ppp_generic
#alias ppp-compress-18 ppp_mppe
#alias ppp-compress-21 bsd_comp
#alias ppp-compress-24 ppp_deflate
#alias ppp-compress-26 ppp_deflate
#alias tty-ldisc-3 ppp_async
#alias tty-ldisc-14 ppp_synctty
#alias net-pf-47 ip_gre

I have to comment out all the PPTP modules for the router to work.

Thanks,
Hisham
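The "INVALID: ACK FIN" thread above turns on one distinction: a packet is dropped either because its flag combination matches an ILLEGAL_TCP_FLAGS / FINSCAN / XMASSCAN / NULLSCAN entry, or because the connection tracker has no entry for it (the INVALID state Shane describes). The script below is an added example, not narc's code and not something posted in the thread. It takes Morris's narc.conf entries as data, assumes narc compiles each entry into an iptables `--tcp-flags ALL <entry>` match (the listed flags set and every other flag clear), and checks LOG lines against them. The first sample line is the ACK FIN line from the post; the other three lines are constructed here to exercise the SYN/FIN, Xmas and null cases.

```shell
#!/bin/sh
# Added example, not narc's own code: check iptables LOG lines against the
# ILLEGAL_TCP_FLAGS / FINSCAN / XMASSCAN / NULLSCAN entries from Morris's narc.conf.
# Assumption: narc turns each entry into "--tcp-flags ALL <entry>", i.e. the listed
# flags must be set and every other flag clear (exact match on all six flags).

ILLEGAL_TCP_FLAGS="SYN,FIN PSH,FIN SYN,ACK,FIN SYN,FIN,PSH SYN,FIN,RST SYN,FIN,RST,PSH SYN,FIN,ACK,RST SYN,ACK,FIN,RST,PSH ALL"
FINSCAN="FIN"
XMASSCAN="URG,PSH,FIN"
NULLSCAN="NONE"

# Sample lines: the first is the ACK FIN line from the post, the other three are
# constructed here (addresses and IDs made up) for the SYN/FIN, Xmas and null cases.
SAMPLE_ACKFIN='12:44:54 lion kernel: INVALID IN=eth0 OUT= MAC=blahblah SRC=192.168.2.11 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=10715 DF PROTO=TCP SPT=3030 DPT=3128 WINDOW=64992 RES=0x00 ACK FIN URGP=0'
SAMPLE_SYNFIN='12:50:00 lion kernel: ILLEGAL IN=eth0 OUT= MAC=blahblah SRC=10.9.8.7 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0'
SAMPLE_XMAS='12:50:01 lion kernel: XMAS IN=eth0 OUT= MAC=blahblah SRC=10.9.8.7 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=4444 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0'
SAMPLE_NULL='12:50:02 lion kernel: NULL IN=eth0 OUT= MAC=blahblah SRC=10.9.8.7 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=4444 DPT=80 WINDOW=1024 RES=0x00 URGP=0'

# Print a comma-separated flag list in one fixed order so two sets compare as strings.
# "ALL" expands to all six flags; "NONE" (or an empty list) becomes the empty string.
canon() {
    printf '%s\n' "$1" | awk -F, '{
        if ($1 == "ALL")  { print "FIN,SYN,RST,PSH,ACK,URG"; exit }
        if ($1 == "NONE") { print ""; exit }
        for (i = 1; i <= NF; i++) want[$i] = 1
        n = split("FIN SYN RST PSH ACK URG", order, " ")
        out = ""
        for (j = 1; j <= n; j++) if (order[j] in want) out = (out == "" ? order[j] : out "," order[j])
        print out
    }'
}

# Extract the flags set in a LOG line: they appear as bare tokens (SYN, ACK, FIN, ...)
# between RES=... and URGP=...; "URGP=0" itself does not match the pattern.
flags_of() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^(FIN|SYN|RST|PSH|ACK|URG)$/) out = (out == "" ? $i : out "," $i)
        print out
    }'
}

# Print the narc entry whose exact flag set equals the packet's flag set, or "none".
illegal_match() {
    pkt=$(canon "$1")
    for entry in $ILLEGAL_TCP_FLAGS $FINSCAN $XMASSCAN $NULLSCAN; do
        if [ "$(canon "$entry")" = "$pkt" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    printf 'none\n'
}

# One-line verdict for a LOG line.
classify() {
    flags=$(flags_of "$1")
    entry=$(illegal_match "$flags")
    if [ "$entry" = none ]; then
        printf 'flags=%s: no flag-combination entry matches; the drop came from the state check (INVALID), not from ILLEGAL_TCP_FLAGS\n' "${flags:-NONE}"
    else
        printf 'flags=%s: matches narc entry "%s"\n' "${flags:-NONE}" "$entry"
    fi
}

for line in "$SAMPLE_ACKFIN" "$SAMPLE_SYNFIN" "$SAMPLE_XMAS" "$SAMPLE_NULL"; do
    classify "$line"
done
```

Run as-is it prints one verdict per sample line. For the posted line the flag set is ACK,FIN, which equals none of the entries (SYN,ACK,FIN requires SYN to be set as well), so the only rule that could have produced the INVALID prefix is the connection-state check, which is Shane's answer.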
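Three of the threads above come down to the same rule set: Colin needs one custom FORWARD rule to let the DMZ ping the LAN, Brian needs a routed firewall that filters in FORWARD with no NAT or masquerading, and zhu's "IN=lo ... DPT=80 ... SYN" lines are what a DROP policy produces when loopback traffic is not accepted before anything else. The script below is an added example, not narc's own rule set and not code from any of the posters. Interface names, address blocks and the SSH rule are assumptions; change them to fit your network. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not narc's own rule set: the skeleton of a routed (no NAT, no
# masquerading) three-interface iptables firewall with the exceptions the threads
# above ask about. Interface names, address blocks and the SSH rule are assumptions.
EXT=${EXT:-eth0}                    # towards the internet (assumed)
LAN=${LAN:-eth1}                    # LAN side (assumed)
DMZ=${DMZ:-eth2}                    # DMZ side (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed LAN block
DMZ_NET=${DMZ_NET:-192.168.2.0/24}  # assumed DMZ block
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands, 0 = really run them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

gen_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback first. Without this rule a local program talking to the box's own
    # address (PHP fopen() fetching http://mywebserver.com/...) is logged and dropped,
    # which is what the "IN=lo ... DPT=80 ... SYN" lines in the fopen() thread show.
    ipt -A INPUT -i lo -j ACCEPT

    # State handling: packets the connection tracker cannot place (for example a late
    # ACK FIN for a connection whose entry has already timed out) are INVALID; log and
    # drop them, then accept everything that belongs to a known connection.
    for chain in INPUT FORWARD; do
        ipt -A "$chain" -m state --state INVALID -j LOG --log-prefix "INVALID:"
        ipt -A "$chain" -m state --state INVALID -j DROP
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Management access to the firewall itself from the LAN only (assumed policy).
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Routed forwarding, no address translation: all filtering lives in FORWARD.
    ipt -A FORWARD -i "$LAN" -o "$EXT" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$DMZ_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ" -o "$EXT" -s "$DMZ_NET" -m state --state NEW -j ACCEPT

    # narc's default keeps the LAN invisible from the DMZ. This is the one custom rule
    # Colin's case needs: echo requests from the DMZ may enter the LAN; the replies
    # come back through the ESTABLISHED,RELATED rule above.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -s "$DMZ_NET" -d "$LAN_NET" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
}

gen_rules
```

Note what is absent: there is no `-t nat` rule anywhere, so hosts keep their real addresses in both directions and the upstream router must have a route for LAN_NET and DMZ_NET pointing at the firewall, which is the "get your routing right" half of Shane's advice. Opening DMZ to LAN for echo requests only is deliberate; a compromised DMZ host gains ping, not a path to LAN services.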
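Shane's reply to Brian rests on the on-link decision every IP host makes: if the destination falls inside the host's own subnet mask it ARPs for the destination directly, otherwise it ARPs for the gateway and sends the packet there. The script below is an added example, not from the thread, that performs that decision for Brian's layout (a single /24 with a filtering box dropped in the middle); the addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the "when to ARP and when to talk to your
# router" decision Shane describes, applied to Brian's layout. Addresses are assumed.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = local address in CIDR form, $2 = destination address.
# Prints "arp" when the host treats the destination as on-link (it broadcasts an ARP
# request for the destination's MAC) and "router" when it hands the packet to its
# default gateway (and ARPs for the gateway's MAC instead).
next_hop() {
    addr=${1%/*}
    prefix=${1#*/}
    mask=$(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
    if [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$2") & mask )) ]; then
        echo arp
    else
        echo router
    fi
}

# Brian's situation: one /24 with a firewall inserted in the middle. Host A sits
# behind the firewall, host B in front of it, both still configured as /24.
A=10.0.0.10
B=10.0.0.200

# Both hosts believe B is on-link, so A broadcasts an ARP request for B. The firewall
# routes rather than bridges, so the broadcast stops at it and B never answers; no
# packet ever reaches the FORWARD chain, which is why the firewall logs show nothing.
echo "A->B, both /24:  $(next_hop $A/24 $B)"

# Renumber the two halves as /25 and A knows B is elsewhere: it ARPs for the firewall's
# MAC, sends the packet there, and the FORWARD rules get to decide.
echo "A->B, both /25:  $(next_hop $A/25 $B)"
echo "A->10.0.0.100, /25: $(next_hop $A/25 10.0.0.100)"
```

The same function explains the other two options Shane lists: a bridging firewall passes the ARP broadcast through, so the "arp" answer becomes correct again without renumbering, and proxy ARP makes the firewall answer B's ARP request on B's behalf, so A's frame lands on the firewall even though A still believes B is on-link.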