Re: [Sheflug] lost packets
>>>>> "ross" == ross h <ross> writes:
ross> On 29 Apr 2001 11:25:35 +0000, Barrie Bremner wrote:
>> If you want to mail me your firewall script offlist, I can look
>> through it and see if I can figure it out.
>>
>> Broken firewall = good reason to play with IPTables :-)
>>
ross> thanks :-)
>> Have you modified your ppp or firewall config recently?
ross> i just upgraded my distro to mandrake8.0.
ross> i copied an old firewall and ppp configuration which worked
ross> fine (as far as i can remember........ i was a bit over
ross> eager to upgrade and wiped the partition before backing up the
ross> working firewall file!). i was kind of wondering if this is
ross> to do with the 2.4 kernel? i believe it takes a different
ross> approach to packet filtering?
ross> as i mentioned, i had a similar problem when i first set up
ross> demand dialing and found that i could resolve the issue by
ross> adding a line to the firewall rules which was something like
ross> echo 1 > /proc/sys/net/ipv4/.......
ross> but then i could also be completely wrong! :-)
The mention of a distro/kernel change does make things a little clearer...
The 2.3/2.4 series kernels use IPTables for packet filtering, however
there is an IPChains compatibility layer.
I'm not sure if Mandrake (or anyone else) sets up the compatibility
layer on a standard install.
If you are running a 2.4 kernel it seems a bit silly to bother with
IPChains.
Certainly Rusty Russell would like people to move to the new code...
/proc/sys/net/ipv4/ allows you to modify the behaviour of kernel
related variables - most of the options are the same in both 2.2.x and
2.4.x series.
The two options that aren't in your firewall script that are useful
are:
# Activate the forwarding!
echo 1 > /proc/sys/net/ipv4/ip_forward
However, if you have a single machine connected to a modem, all the
packets are locally sourced, and so there is no need for this - only
required if the machine is a gateway, and is forwarding packets
through the box from one interface to the next, IIRC.
It wouldn't hurt to turn it on - RedHat turn it on as default by the
looks of things.
Also:
# Set the dynamic address flag.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
If you are assigned a dynamic IP address (most ISP dialup modem
connections are), then you'll need to turn this function on.
I'm inclined to believe this might be the problem.
Obviously I'm concentrating on the firewall config side of things
here.
Can you manually bring the connection up and connect to the outside
world?
You're logging all dropped packets - is there anything interesting
appearing in /var/log/messages?
No matter what the problem is, and as I said, I'm inclined to think
the dynamic address flag might just need setting, consider using
IPTables - just make sure you run 2.4.4, or a patched 2.4.3 to solve
the ftp hole that was found a few weeks back.
Baz.
--
Barrie J. Bremner
baz [at] barriebremner.com | OpenPGP public key ID: 5164F553
http://barriebremner.com/
[Contact information available at website]
"Linux? Is that some kind of MacOS?"
-- BT technical support
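As an added illustration of the two /proc flags Baz discusses above (not part of the original message), here is a small POSIX sh check that reads ip_forward and ip_dynaddr from a sysctl tree and says which one a single dial-up host actually needs. The make_fake_proc helper is a constructed stand-in so the check can be run without a 2.4 box or root access.

```shell
#!/bin/sh
# Inspect the two /proc/sys/net/ipv4 flags from the thread.
# With no argument the live tree under / is read; pass a directory
# (e.g. from make_fake_proc) to run against a constructed tree instead.
# Exit status: 0 = nothing to do, 1 = ip_dynaddr is off, 2 = tree missing.
check_dialup_flags() {
    root=${1:-}
    dir="$root/proc/sys/net/ipv4"
    status=0
    for flag in ip_forward ip_dynaddr; do
        if [ ! -r "$dir/$flag" ]; then
            echo "$flag: not found under $dir (no ipv4 sysctl tree?)"
            status=2
            continue
        fi
        val=$(cat "$dir/$flag")
        case "$flag:$val" in
            ip_dynaddr:0)
                # Dynamic dial-up address: without this flag, sockets bound
                # to the old address are not rewritten when ppp0 comes up.
                echo "ip_dynaddr=0: set it with: echo 1 > $dir/ip_dynaddr"
                status=1 ;;
            ip_forward:0)
                # Only a gateway routing between interfaces needs this.
                echo "ip_forward=0: fine for a single host on a modem" ;;
            *)
                echo "$flag=$val" ;;
        esac
    done
    return $status
}

# Constructed fake tree (hypothetical values) so the check runs offline.
make_fake_proc() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/sys/net/ipv4"
    echo "$1" > "$tmp/proc/sys/net/ipv4/ip_forward"
    echo "$2" > "$tmp/proc/sys/net/ipv4/ip_dynaddr"
    echo "$tmp"
}
```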
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk