Re: ipautofw not working
Subject: Re: ipautofw not working
Date: Wed, Jun 02, 1999 at 11:08:03AM -0700
In reply to: George Bonser
Quoting George Bonser (grep@shorelink.com):
> On Wed, 2 Jun 1999, Wayne Topa wrote:
>
> > > To make it clear, I can use ipfwadm ok, but I can't use ipautofw.
> > >
> > > Any clue?
> > >
> >
> > Clue #1 is to look for the information on your system 'first'!
> >
> > "From /usr/src/linux/Documentation/Changes"
> > As of 2.1.102, the IP firewalling code has been replaced; ipfwadm
> > will no longer work. You need to obtain "ipchains," available from
> > http://www.rustcorp.com/linux/ipchains/ , and use that instead of
> > ipfwadm.
> >
> > To use masq forwarding you will need to obtain "ipmasqadm,"
> > available from http://juanjox.linuxhq.com/ .
> >
>
> Except that the person is not talking about having problems masquerading,
> the problem seems to be port forwarding.
>
Thank you for pointing that out George. I was aware of that.
From /usr/src/linux/Documentation/Configure.help
CONFIG_IP_ROUTER
Some Linux network drivers use a technique called copy and checksum
to optimize host performance. For a machine which acts as a router
most of the time and is forwarding most packets to another host this
is however a loss. If you say Y here, copy and checksum will be
switched off. In the future, it may make other changes which
optimize for router operation.
Note that your box can only act as a router if you enable IP
forwarding in your kernel; you can do that by saying Y to "/proc
filesystem support" and "Sysctl support" below and executing the
line
echo "1" > /proc/sys/net/ipv4/ip_forward
at boot time after the /proc filesystem has been mounted. You can do
that even if you say N here.
If unsure, say N here.
IP: firewalling
CONFIG_IP_FIREWALL
If you want to configure your Linux box as a packet filter firewall
for a local TCP/IP based network, say Y here. You may want to read
the FIREWALL-HOWTO, available via FTP (user: anonymous) in
ftp://metalab.unc.edu/pub/Linux/docs/HOWTO.
Also, you will need the ipchains tool (available on the WWW at
http://www.rustcorp.com/linux/ipchains/) to allow selective blocking
of Internet traffic based on type, origin and destination.
Note that the Linux firewall code has changed and the old program
called ipfwadm won't work anymore. Please read the IPCHAINS-HOWTO.
The type of firewall provided by ipchains and this kernel support is
called a "packet filter". The other type of firewall, a
"proxy-based" one, is more secure but more intrusive and more
bothersome to set up; it inspects the network traffic much more
closely, modifies it and has knowledge about the higher level
protocols, which a packet filter lacks. Moreover, proxy-based
firewalls often require changes to the programs running on the local
clients. Proxy-based firewalls don't need support by the kernel, but
they are often combined with a packet filter, which only works if
you say Y here.
The firewalling code will only work if IP forwarding is enabled in
your kernel. You can do that by saying Y to "/proc filesystem
support" and "Sysctl support" below and executing the line
echo "1" > /proc/sys/net/ipv4/ip_forward
at boot time after the /proc filesystem has been mounted.
From proc.txt
ip_forward
Enable or disable forwarding of IP packages between interfaces. A
change of this value resets all other parameters to their default
values. They differ if the kernel is configured as host or router.
As the original post was rather vague I opted to point the writer to a
reliable source for the answers. As IPchains is required in the 2.2.x
kernels, I thought that the info he required would be found there.
Sorry if I didn't give the answer you thought I should. I personally
feel it is better for the newbie if I point him to the information,
rather than read it all for him. "Teach a man to fish" and all that.
Where should I have sent him? No one else has offered any help when
I 'tried' to.
Regards
Wayne
--
It is easier to change the specification to fit the program than vice
versa.
_______________________________________________________
Wayne T. Topa <wtopa@mindspring.com>
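The quoted proc.txt entry carries a caveat that is easy to miss when scripting the "echo 1 > /proc/sys/net/ipv4/ip_forward" step from Configure.help: a change to ip_forward resets every other net/ipv4 parameter to its default, so any anti-spoofing or ICMP settings written before it are silently lost. The script below is an added example, not code from this thread or from the kernel documentation quoted above. It writes ip_forward first (and only when the value actually changes), applies the remaining settings afterwards, and fails loudly when an entry is missing rather than skipping it. ROOT is a parameter only so the script can be exercised against a scratch directory; on a real router it is /proc. The list of settings in ROUTER_SETTINGS and the "defaults" in make_fake_proc are assumptions chosen for the demo, not values taken from the page.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel docs it quotes).
# Rule applied here, from proc.txt: changing ip_forward resets the other
# net/ipv4 parameters, so hardening entries must be written AFTER it.
# ROOT is /proc on a real box; a scratch tree is used for the demo.

# sysctl_get ROOT NAME : print the value of ROOT/sys/net/ipv4/NAME
sysctl_get() {
    cat "$1/sys/net/ipv4/$2"
}

# sysctl_set ROOT NAME VALUE : write VALUE, failing if the entry is absent
# (a kernel built without the matching option simply has no such file)
sysctl_set() {
    f="$1/sys/net/ipv4/$2"
    [ -f "$f" ] || { echo "missing $f (option not compiled in?)" >&2; return 1; }
    printf '%s\n' "$3" > "$f"
}

# Entries a packet-filtering router wants once forwarding is on.
# ASSUMPTION: this list is the example's choice, not from the page.
ROUTER_SETTINGS='conf/all/rp_filter=1
conf/all/accept_source_route=0
conf/all/accept_redirects=0
conf/all/send_redirects=0
icmp_echo_ignore_broadcasts=1'

# enable_router ROOT : turn forwarding on, then apply ROUTER_SETTINGS.
# Returns non-zero if any write fails.
enable_router() {
    root=$1
    # Write ip_forward only when it changes, so a repeated run at boot does
    # not trigger the documented reset a second time.
    if [ "$(sysctl_get "$root" ip_forward)" != 1 ]; then
        sysctl_set "$root" ip_forward 1 || return 1
    fi
    # Only now the rest: written before ip_forward they would be wiped.
    echo "$ROUTER_SETTINGS" | while IFS= read -r kv; do
        sysctl_set "$root" "${kv%=*}" "${kv#*=}" || exit 1
    done
}

# check_router ROOT : 0 if ip_forward is 1 and every setting is in place
check_router() {
    root=$1
    [ "$(sysctl_get "$root" ip_forward)" = 1 ] || return 1
    echo "$ROUTER_SETTINGS" | while IFS= read -r kv; do
        [ "$(sysctl_get "$root" "${kv%=*}")" = "${kv#*=}" ] || exit 1
    done
}

# make_fake_proc ROOT : constructed scratch tree standing in for /proc.
# ASSUMPTION: the pre-router values below are made up for the demo.
make_fake_proc() {
    d="$1/sys/net/ipv4/conf/all"
    mkdir -p "$d"
    echo 0 > "$1/sys/net/ipv4/ip_forward"
    echo 0 > "$d/rp_filter"
    echo 1 > "$d/accept_source_route"
    echo 1 > "$d/accept_redirects"
    echo 1 > "$d/send_redirects"
    echo 0 > "$1/sys/net/ipv4/icmp_echo_ignore_broadcasts"
}

# Stand-alone demo against a scratch tree; use /proc as ROOT on a router.
demo_root=$(mktemp -d)
make_fake_proc "$demo_root"
enable_router "$demo_root" && check_router "$demo_root" \
    && echo "router settings applied in the correct order under $demo_root"
rm -rf "$demo_root"
```

On a real box run enable_router against /proc at boot, after /proc is mounted as Configure.help says, and add the ipchains and ipmasqadm rules after it; their syntax is not shown here.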