This is a discussion on "Newbie two homed question" within the Linux Operating System forums, part of the Unix Operating Systems category.
| ||||
Hi Folks:

I'm a Solaris and Windows programmer. My sys admin and Linux skills are weak.

I want to dedicate an old 266 MHz Pentium PC to be a router/firewall. I'm planning on running IPFilter, but I'm open to suggestions for any alternative.

I have a copy of RH9, so I'll use that. On this weak PC, I'll do a text install of a text only server.

So, I put a couple of NICs in this PC, and during the install I indicate that one, eth0, has a static address of 192.168.0.20, and the other NIC, eth1, will be the DHCP interface to the cable modem.

I'm not sure which NIC is designated eth0, and which is eth1. So I plug each in to my hub and try to ping the Linux PC from the Windows 2K system. The ping times out.

Next I try to ping the Windows PC from the Linux PC.

    # ping 192.168.0.1
    connect: Network is unreachable

Hmm, "unreachable"? Did I mistype the Linux PC's IP address? What's "ifconfig -a" tell us?

    eth0      Link encap:Ethernet  HWaddr 00
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:11 Base address:0xf700 Memory:ffde6000-ffde6038

    eth1      Link encap:Ethernet  HWaddr 00
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:10 Base address:0xf680 Memory:ffde5000-ffde5038

Uh, shouldn't I see eth0's IP address?

What do the network config scripts look like?

ifcfg-eth0:

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=192.168.0.255
    IPADDR=192.168.0.20
    NETMASK=255.255.255.0
    NETWORK=192.168.0.0
    ONBOOT=no

ifcfg-eth1:

    DEVICE=eth1
    BOOTPROTO=dhcp
    ONBOOT=yes

Eth0's IP address is 192.168.0.20. Should a ping of 192.168.0.1 be unreachable?

Just to be complete, here is the /etc/sysconfig's network file.

    NETWORKING=yes
    HOSTNAME=linux-1
    GATEWAY=192.168.0.20

linux-1 will be the firewall and gateway, as specified in the GATEWAY value.

An error message is being generated during system initialization at boot time, eth1 seems to not be seeing a DHCP server to chat with. This is when it is plugged into the cable modem. I tried this when testing both NICs.

As stated, I'm ignorant of Linux and system admin.

I'd appreciate any suggestions.

Thanks
Larry
| |||
On Sun, 12 Dec 2004 11:33:24 GMT, Larry Lindstrom wrote:
>
> I want to dedicate an old 266 MHz Pentium PC to be
> a router/firewall. I'm planning on running IPFilter,
> but I'm open to suggestions for any alternative.
>
> I have a copy of RH9, so I'll use that. On this
> weak PC, I'll do a text install of a text only server.
>
> So, I put a couple of NICs in this PC, and during
> the install I indicate that one, eth0, has a static
> address of 192.168.0.20, and the other NIC, eth1,
> will be the DHCP interface to the cable modem.
>
> I'm not sure which NIC is designated eth0, and
> which is eth1.

First one found on the IO bus is eth0

> So I plug each in to my hub and try
> to ping the Linux PC from the Windows 2K system.

Do add
    192.168.0.1 winbox.whatever
to /etc/hosts

Example:
    $ head -4 /etc/hosts
    192.168.1.10 wb.home.invalid wb
    127.0.0.1 localhost
    192.168.1.12 wb1.home.invalid wb1
    192.168.1.1 fw.home.invalid fw

Once you get your routing set correctly, you could
    ping 216.109.112.135 # yahoo.com for the WAN nic
    ping 192.168.0.1 # for the LAN nic
and see which lights blink on the nic card.

> Uh, shouldn't I see eth0's IP address?

I would have thought so.

> What do the network config scripts look like?
>
> ifcfg-eth0:
>
> DEVICE=eth0
> BOOTPROTO=static
> BROADCAST=192.168.0.255
> IPADDR=192.168.0.20
> NETMASK=255.255.255.0
> NETWORK=192.168.0.0
> ONBOOT=no

Well, change onboot to =yes

>
> ifcfg-eth1:
>
> DEVICE=eth1
> BOOTPROTO=dhcp
> ONBOOT=yes
>
> Eth0's IP address is 192.168.0.20. Should a ping
> of 192.168.0.1 be unreachable?

If the nic made it up. but your ifconfig shows no ip address.
Also guessing route is not set correctly.

> Just to be complete, here is the /etc/sysconfig's
> network file.
>
> NETWORKING=yes
> HOSTNAME=linux-1
> GATEWAY=192.168.0.20

Now this is backwards. You want the WAN gateway device here
    GATEWAYDEV=eth1    LAN boxes' gateway will have to be 192.168.0.20
Remove the GATEWAY=192.168.0.20 line.

Example:
    cat /etc/sysconfig/network
    HOSTNAME=fw.home.invalid
    NETWORKING=yes
    GATEWAYDEV=eth1

> linux-1 will be the firewall and gateway, as
> specified in the GATEWAY value.

Change net.ipv4.ip_forward = 1 in /etc/sysctl.conf
and do a
    sysctl -p # to load the change

That and masquerading firewall rules will allow packets to get from LAN to WAN.

> An error message is being generated during system initialization at
> boot time, eth1 seems to not be seeing a DHCP server to chat with.
> This is when it is plugged into the cable modem. I tried this when
> testing both NICs.

I can believe that, set gatewaydev and remove GATEWAY=192.168.0.20
in /etc/sysconfig/network

You also have to reset (power reset, 15 sec by watch) the cable modem anytime
you change the nic connected to it. It will only talk to the nic it
sees after a reset.

> As stated, I'm ignorant of Linux and system admin.

Sorry I cannot be of more help. I do not have a RH 9 install to check
your values.

After you replug your cables, change config files, power reset cable
modem, you can do a
    service network restart
to see if the WAN and LAN have values with ifconfig -a

Your route should look something like this, eth1 is my WAN eth0 is LAN
    $ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    24.1.208.0      0.0.0.0         255.255.248.0   U     0      0        0 eth1
    0.0.0.0         24.1.208.1      0.0.0.0         UG    0      0        0 eth1

G under Flags is the gateway

Example ifconfig snippet. inet addr is the nic's address

    eth0      Link encap:Ethernet  HWaddr 00:A0:CC:E6:82:E9
              inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::2a0:ccff:fee6:82e9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:208640 errors:1 dropped:0 overruns:0 frame:2
              TX packets:178859 errors:12 dropped:0 overruns:0 carrier:6
              collisions:156 txqueuelen:1000
              RX bytes:110811492 (105.6 Mb)  TX bytes:19411606 (18.5 Mb)
              Interrupt:3 Base address:0xcc00
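The "masquerading firewall rules" mentioned in the post above, written out as an added example that is not part of any post in the thread. It assumes iptables (the thread does not say which tool is meant), and `router_rules` is a hypothetical helper name; eth1 as WAN and eth0 as LAN follow the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# two-NIC masquerading router. Assumes iptables; interface names are arguments.
router_rules() {
    wan=$1 lan=$2
    # Refuse anything that is not a plain interface name, and identical WAN/LAN.
    for i in "$wan" "$lan"; do
        case $i in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$i'" >&2; return 2 ;;
        esac
    done
    [ "$wan" != "$lan" ] || { echo "WAN and LAN must differ" >&2; return 2; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN source addresses to whatever address DHCP gave the WAN NIC.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself answers loopback, the LAN, and replies to its own traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections outward; the WAN side only gets the replies.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the thread's layout. To load it, run as root:
#   router_rules eth1 eth0 | iptables-restore
router_rules eth1 eth0
```

The rules only take effect for LAN traffic once net.ipv4.ip_forward is 1, and LAN hosts must use 192.168.0.20 as their gateway.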
| |||
Larry Lindstrom wrote:

<snip>

Hi Larry:

For a dedicated firewall PC, I'd suggest you install either smoothwall (http://www.smoothwall.org) or ipcop (http://ipcop.sf.net). Both are dedicated linux distributions aimed at firewall appliance applications, and both are very easy to administer and keep up to date. They install straight off a CD image, which is around a 30MB download.

If you want to spend more time surfing the net than looking after your firewall, go with the pre-packaged solution.

Cheers,
--
** Matt van de Werken -- Cricket, Unix, Electronics Enthusiast **
** Linux -- Dual Athlon MP1800+ -- Sun, 12 Dec 2004 9:41PM **
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor Who"
| |||
Matt van de Werken wrote:
> Larry Lindstrom wrote:
>
> <snip>
>
> Hi Larry:
>
> For a dedicated firewall PC, I'd suggest you install either smoothwall
> (http://www.smoothwall.org) or ipcop (http://ipcop.sf.net). Both are
> dedicated linux distributions aimed at firewall appliance applications, and
> both are very easy to administer and keep up to date. They install straight
> off a CD image, which is around a 30MB download.
>
> If you want to spend more time surfing the net than looking after your
> firewall, go with the pre-packaged solution.
>
> Cheers,

Thanks Matt:

These sound interesting.

Unfortunately, I don't have a burner.

Is there any freeware/shareware facility, Solaris or Windows, and Linux after this is working, that will turn a CD-ROM image into something useful on a hard drive?

I'll need Linux development on my next project, but for now this is it. I have no immediate need to compile for Linux.

I'm a Solaris programmer toiling in the dark side for the last year. I'm tempted to put a new gcc on this and use it for compiles. But a little light blinks red, something about security, when I ponder the implications.

I have no problem dedicating this to the single task of protecting my system. Should I abandon any expectation of this also being a rarely used development environment?

Thanks
Larry
| |||
On Sun, 12 Dec 2004 17:10:51 GMT, Larry Lindstrom <nobody@aracnet.com> wrote:
> Matt van de Werken wrote:
>
>> Cheers,
>
> Thanks Matt:
>
> These sound interesting.
>
> Unfortunately, I don't have a burner.
>

CD burners aren't that expensive, and Christmas is coming. There are some firewall-only linux distributions that fit on a floppy.

> Is there any freeware/shareware facility, Solaris or
> Windows, and Linux after this is working, that will turn
> a CD-ROM image into something useful on a hard drive?
>

I don't know about Solaris, but in Linux you can mount a cd image as if it were an actual cd.

--
Programming Department: Mistakes made while you wait.
| |||
"Bill Marcum" wrote:
> On Sun, 12 Dec 2004 17:10:51 GMT, Larry Lindstrom
>> Is there any freeware/shareware facility, Solaris or
>> Windows, and Linux after this is working, that will turn
>> a CD-ROM image into something useful on a hard drive?
>>
> I don't know about Solaris, but in Linux you can mount a cd image as if
> it were an actual cd.

That sounds very cool, but how do you do it? Do you just mnt the iso file by locating it in nautilus? Or from the command line?

-=Conner=-
--
Visit The Castle's Dungeon BBS at telnet://tcdbbs.zapto.org for some family fun in a medieval setting, or come test your mettle in the Land of Legends, our MUD, at telnet://tcdbbs.zapto.org:4000
For general info, visit http://www.tcdbbs.zapto.org
| |||
Conner Destron wrote:
> "Bill Marcum" wrote:
>
>> On Sun, 12 Dec 2004 17:10:51 GMT, Larry Lindstrom
>>
>>> Is there any freeware/shareware facility, Solaris or
>>> Windows, and Linux after this is working, that will turn
>>> a CD-ROM image into something useful on a hard drive?
>>>
>>
>> I don't know about Solaris, but in Linux you can mount a cd image as if
>> it were an actual cd.
>
>
> That sounds very cool, but how do you do it? Do you just mnt the iso file by
> locating it in nautilus? Or from the command line?

The tool is the loop device:

    mount -t iso9660 -o loop path_to_the_image /mnt/cdrom

The idea is to show the file pointed to by the loopback device as a partition to the filesystem.

HTH

--
Tauno Voipio
tauno voipio (at) iki fi
| |||
"Tauno Voipio" <tauno.voipio@iki.fi.NOSPAM.invalid> wrote in message news
> Conner Destron wrote:
>> "Bill Marcum" wrote:
>>> I don't know about Solaris, but in Linux you can mount a cd image as if
>>> it were an actual cd.
>> That sounds very cool, but how do you do it? Do you just mnt the iso file
>> by locating it in nautilus? Or from the command line?
>
> The tool is the loop device:
>
> mount -t iso9660 -o loop path_to_the_image /mnt/cdrom
>
> The idea is to show the file pointed to by the loopback device
> as a partition to the filesystem.

That's very cool, thanks! I'm learning more new things about Linux every day, I love it!

-=Conner=-
--
Visit The Castle's Dungeon BBS at telnet://tcdbbs.zapto.org for some family fun in a medieval setting, or come test your mettle in the Land of Legends, our MUD, at telnet://tcdbbs.zapto.org:4000
For general info, visit http://www.tcdbbs.zapto.org
| |||
Larry Lindstrom wrote:
> What do the network config scripts look like?
>
> ifcfg-eth0:
>
> DEVICE=eth0
> BOOTPROTO=static
> BROADCAST=192.168.0.255
> IPADDR=192.168.0.20
> NETMASK=255.255.255.0
> NETWORK=192.168.0.0
> ONBOOT=no
(...)
> Eth0's IP address is 192.168.0.20. Should a ping
> of 192.168.0.1 be unreachable?

Yes, because the config file has "ONBOOT=no". This means that the interface won't be started automatically. Change that to "ONBOOT=yes".

--
Markku Kolkka
markku.kolkka@iki.fi
| ||||
Bit Twister wrote:
> On Sun, 12 Dec 2004 11:33:24 GMT, Larry Lindstrom wrote:
>
>> I want to dedicate an old 266 MHz Pentium PC to be
>> a router/firewall. I'm planning on running IPFilter,
>> but I'm open to suggestions for any alternative.

< Snip >

> Do add
> 192.168.0.1 winbox.whatever
> to /etc/hosts
>
> Example:
> $ head -4 /etc/hosts
> 192.168.1.10 wb.home.invalid wb
> 127.0.0.1 localhost
> 192.168.1.12 wb1.home.invalid wb1
> 192.168.1.1 fw.home.invalid fw

Thanks Bit:

Following your advice, eth0 is now working properly. I'm still having problems with eth1, and its DHCP interface to the WAN.

This is what my hosts looks like now:

    127.0.0.1 linux-1 localhost.localdomain localhost
    192.168.0.1 tiamat
    192.168.0.30 ppro-od

> Once you get your routing set correctly, you could
> ping 216.109.112.135 # yahoo.com for the WAN nic
> ping 192.168.0.1 # for the LAN nic
> and see which lights blink on the nic card.

It started out good, eth1 initialized on boot with no complaints.

    # ping 216.109.112.135
    connect: Network is unreachable

That routing table doesn't seem to be set up.

Here is ifcfg-eth1, unchanged:

    DEVICE=eth1
    BOOTPROTO=dhcp
    ONBOOT=yes

This is network now?

    NETWORKING=yes
    HOSTNAME=linux-1
    GATEWAYDEV=eth1

Here is ifconfig's output for eth1:

    eth1      Link encap:Ethernet  HWaddr 00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:51419 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:3311947 (3.1 Mb)  TX bytes:2736 (2.6 Kb)
              Interrupt:10 Base address:0xf680 Memory:ffde5000-ffde5038

> Now this is backwards. You want the WAN gateway device here
> GATEWAYDEV=eth1    LAN boxes' gateway will have to be 192.168.0.20
> Remove the GATEWAY=192.168.0.20 line.
>
> Example:
> cat /etc/sysconfig/network
> HOSTNAME=fw.home.invalid
> NETWORKING=yes
> GATEWAYDEV=eth1

This is network now?

    NETWORKING=yes
    HOSTNAME=linux-1
    GATEWAYDEV=eth1

> Change net.ipv4.ip_forward = 1 in /etc/sysctl.conf
> and do a
> sysctl -p # to load the change

Done.

> That and masquerading firewall rules will allow packets to get from LAN to WAN.

I don't know what that means. But I hope this will resolve the issue.

>> An error message is being generated during system initialization at
>> boot time, eth1 seems to not be seeing a DHCP server to chat with.
>> This is when it is plugged into the cable modem. I tried this when
>> testing both NICs.
>
>
> I can believe that, set gatewaydev and remove GATEWAY=192.168.0.20
> in /etc/sysconfig/network

It still seems to be a problem.

> You also have to reset (power reset, 15 sec by watch) the cable modem anytime
> you change the nic connected to it. It will only talk to the nic it
> sees after a reset.

Yep, did it.

>> As stated, I'm ignorant of Linux and system admin.
>
>
> Sorry I cannot be of more help. I do not have a RH 9 install to check
> your values.
>
> After you replug your cables, change config files, power reset cable
> modem, you can do a
> service network restart
> to see if the WAN and LAN have values with ifconfig -a
>
> Your route should look something like this, eth1 is my WAN eth0 is LAN
> $ route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 24.1.208.0      0.0.0.0         255.255.248.0   U     0      0        0 eth1
> 0.0.0.0         24.1.208.1      0.0.0.0         UG    0      0        0 eth1
>
> G under Flags is the gateway

Here is the routing table, netstat -rn:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo

We're getting close. But no gateway flag on eth0.

> Example ifconfig snippet. inet addr is the nic's address
>
> eth0      Link encap:Ethernet  HWaddr 00:A0:CC:E6:82:E9
>           inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::2a0:ccff:fee6:82e9/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:208640 errors:1 dropped:0 overruns:0 frame:2
>           TX packets:178859 errors:12 dropped:0 overruns:0 carrier:6
>           collisions:156 txqueuelen:1000
>           RX bytes:110811492 (105.6 Mb)  TX bytes:19411606 (18.5 Mb)
>           Interrupt:3 Base address:0xcc00

I appreciate your assistance.

Thanks
Larry
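The checks this thread works through (ONBOOT, the GATEWAY line, ip_forward, and a default route carrying the G flag), collected into one script as an added example that was not posted by anyone in the thread. `audit_router`, `make_sample` and the finding labels are hypothetical names; the sample files are constructed from the values quoted above, with the sysctl.conf contents assumed.

```shell
#!/bin/sh
# Added example (not from the thread): flag the four problems the thread runs
# into on a Red Hat style two-NIC router. Finding labels are made up here.
# Usage: route -n | audit_router /etc/sysconfig /etc/sysctl.conf
audit_router() {
    conf=$1 sysctl=$2
    # 1. Interfaces that are not started at boot (eth0 in the first post).
    for f in "$conf"/network-scripts/ifcfg-*; do
        [ -f "$f" ] || continue
        if grep -qi '^ONBOOT=no' "$f"; then echo "ONBOOT_NO ${f##*/ifcfg-}"; fi
    done
    # 2. GATEWAY set to one of this host's own addresses.
    gw=$(sed -n 's/^GATEWAY=//p' "$conf/network" 2>/dev/null || true)
    if [ -n "$gw" ] && grep -Fqx "IPADDR=$gw" "$conf"/network-scripts/ifcfg-* 2>/dev/null
    then echo "GATEWAY_IS_SELF $gw"; fi
    # 3. Routing between the NICs needs net.ipv4.ip_forward = 1.
    grep -Eq '^net\.ipv4\.ip_forward *= *1' "$sysctl" 2>/dev/null || echo "FORWARDING_OFF"
    # 4. A default route is the 0.0.0.0 destination with G in Flags (read from stdin).
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { ok = 1 } END { exit !ok }' || echo "NO_DEFAULT_ROUTE"
}

# Constructed sample: the files from the first post plus the final routing table.
# The sysctl.conf value is assumed; the thread never shows that file.
make_sample() {
    mkdir -p "$1/sysconfig/network-scripts"
    printf 'DEVICE=eth0\nBOOTPROTO=static\nIPADDR=192.168.0.20\nONBOOT=no\n' \
        > "$1/sysconfig/network-scripts/ifcfg-eth0"
    printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nONBOOT=yes\n' \
        > "$1/sysconfig/network-scripts/ifcfg-eth1"
    printf 'NETWORKING=yes\nHOSTNAME=linux-1\nGATEWAY=192.168.0.20\n' > "$1/sysconfig/network"
    printf 'net.ipv4.ip_forward = 0\n' > "$1/sysctl.conf"
    cat > "$1/routes" <<'EOF'
Kernel IP routing table
Destination     Gateway   Genmask         Flags MSS Window irtt Iface
192.168.100.0   0.0.0.0   255.255.255.0   U       0 0         0 eth1
192.168.0.0     0.0.0.0   255.255.255.0   U       0 0         0 eth0
169.254.0.0     0.0.0.0   255.255.0.0     U       0 0         0 eth1
127.0.0.0       0.0.0.0   255.0.0.0       U       0 0         0 lo
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
audit_router "$demo/sysconfig" "$demo/sysctl.conf" < "$demo/routes"
rm -rf "$demo"
```

An empty result means none of the four conditions was found; it says nothing about whether the DHCP lease on the WAN side is usable.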