Hey Tom,

This is my T-1 slash 27 network btw. How does this look???

for----net eth0 66.224.62.120
----dmz eth1 66.224.62.120

This box is for the practice DMZ we talked about, with the practice DMZ server's IP 66.224.62.121. Routing and interfaces below:

[root@66-224-62-120 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:39:0B:5B
          inet addr:66.224.62.120  Bcast:66.224.62.127  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:991 errors:3 dropped:0 overruns:0 frame:0
          TX packets:965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:115889 (113.1 Kb)  TX bytes:460378 (449.5 Kb)
          Interrupt:10 Base address:0xb000

eth1      Link encap:Ethernet  HWaddr 00:50:BF:92:5D:75
          inet addr:66.224.62.120  Bcast:66.224.62.127  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:960 (960.0 b)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:944 (944.0 b)  TX bytes:944 (944.0 b)

[root@66-224-62-120 root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66-224-62-121.a *               255.255.255.255 UH    0      0        0 eth1
66.224.62.96    *               255.255.255.224 U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         66-224-62-97.at 0.0.0.0         UG    0      0        0 eth0
[root@66-224-62-120 root]#

Thanks and Happy Thanksgiving Tom

Mike
On Wed, 2004-11-24 at 19:47 -0800, Mike Lander wrote:

> Hey Tom,
> This is my T-1 slash 27 network btw.
> How does this look??? for---- net eth0 66.224.62.120
> ----dmz eth1 66.224.62.120
> This box is for the practice DMZ we talked about,
> with the practice DMZ server's IP 66.224.62.121.
> Routing and interfaces below:
>
> [root@66-224-62-120 root]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:E0:4C:39:0B:5B
>           inet addr:66.224.62.120  Bcast:66.224.62.127  Mask:255.255.255.224
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:991 errors:3 dropped:0 overruns:0 frame:0
>           TX packets:965 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:115889 (113.1 Kb)  TX bytes:460378 (449.5 Kb)
>           Interrupt:10 Base address:0xb000
>
> eth1      Link encap:Ethernet  HWaddr 00:50:BF:92:5D:75
>           inet addr:66.224.62.120  Bcast:66.224.62.127  Mask:255.255.255.255
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:960 (960.0 b)
>           Interrupt:11 Base address:0xd000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:12 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:944 (944.0 b)  TX bytes:944 (944.0 b)
>
> [root@66-224-62-120 root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 66-224-62-121.a *               255.255.255.255 UH    0      0        0 eth1
> 66.224.62.96    *               255.255.255.224 U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         66-224-62-97.at 0.0.0.0         UG    0      0        0 eth0
> [root@66-224-62-120 root]#

That looks okay (although "route -n" is much more useful).

Happy Thanksgiving to you and yours, Mike.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> That looks okay (although "route -n" is much more useful).
>
> Happy Thanksgiving to you and yours, Mike.
>
> -Tom

[root@66-224-62-120 root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.224.62.121   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.224.62.96    0.0.0.0         255.255.255.224 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         66.224.62.97    0.0.0.0         UG    0      0        0 eth0
[root@66-224-62-120 root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66-224-62-121.a *               255.255.255.255 UH    0      0        0 eth1
66.224.62.96    *               255.255.255.224 U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         66-224-62-97.at 0.0.0.0         UG    0      0        0 eth0
[root@66-224-62-120 root]#

What's the difference? I forgot more gateway info??
On Wed, 2004-11-24 at 20:11 -0800, Mike Lander wrote:

> > That looks okay (although "route -n" is much more useful).
> >
> > Happy Thanksgiving to you and yours, Mike.
> >
> > -Tom
>
> [root@66-224-62-120 root]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 66.224.62.121   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 66.224.62.96    0.0.0.0         255.255.255.224 U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         66.224.62.97    0.0.0.0         UG    0      0        0 eth0
> [root@66-224-62-120 root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 66-224-62-121.a *               255.255.255.255 UH    0      0        0 eth1
> 66.224.62.96    *               255.255.255.224 U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         66-224-62-97.at 0.0.0.0         UG    0      0        0 eth0
> [root@66-224-62-120 root]#
>
> What's the difference? I forgot more gateway info??

man route

The -n option suppresses reverse DNS lookups; your DNS names may be significant to you but they sure aren't to me.

-Tom
Now the fun stuff: configure shorewall. Maybe I can do it before me and the wife go to the grocery store. Did I tell you we are still fighting the "C" word?

I just got the DMZ server up and it can ping eth1 from the DMZ server, but that's about it. Still gotta config shorewall.

Thanks again

Mike
On Wed, 2004-11-24 at 20:27 -0800, Mike Lander wrote:

> Now the fun stuff: configure shorewall. Maybe I can do it before me and the wife
> go to the grocery store. Did I tell you we are still fighting the "C" word?

I'm very sorry to hear that Mike.

> I just got the DMZ server up and it can ping eth1 from the DMZ server,
> but that's about it.
> Still gotta config shorewall.

Keep us posted.

-Tom
This old shorewall box has

Processing /etc/shorewall/start ...
Shorewall Restarted
[root@66-224-62-120 root]# shorewall version
1.4.6c
[root@66-224-62-120 root]#

Is this version good enough to learn this DMZ stuff or should I upgrade?

Mike
On Wed, 2004-11-24 at 20:36 -0800, Mike Lander wrote:

> This old shorewall box has
>
> Processing /etc/shorewall/start ...
> Shorewall Restarted
> [root@66-224-62-120 root]# shorewall version
> 1.4.6c
> [root@66-224-62-120 root]#
>
> Is this version good enough to learn this DMZ stuff or should I upgrade?

It should be good enough to learn, but I would install the latest 2.0 version when you build the real firewall. I will cease support for 1.4 early next year.

-Tom
I am new to this malware work with Linux and have been lurking on this list trying to learn how to work with shorewall and iptables. I also know that Shorewall is not for web filtering. But I am seeking info here from anyone who might direct me to a web malware subscription or open source database. My customer, a very large and security aware enterprise, has asked me to do a cost benefit of running a commercial web filtering software package or running a Linux cluster with a signature filtering engine. This customer is willing to migrate to Linux from a Solaris and Windows DMZ mix if I can get a viable solution. So the question to anyone who might direct me on the list: is there a subscription or an info source where we can grab malware signatures that traverse in http (443, 80, 8080, 8000)? We can spend for an SSL/TLS stateful proxy with crypto accelerator and maintain state with the proxy bidirectionally. We can do the scripting. Does anyone know where we can locate the content for the signatures? melissa
>> I just got the DMZ server up and it can ping eth1 from the DMZ server,
>> but that's about it.
>> Still gotta config shorewall.
>
> Keep us posted.
>
> -Tom

Got it working, woohoo, although I just assigned an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface on the firewall and used proxy ARP.

With the other method (a host route to the DMZ server), all I could do was ping from the DMZ server to the firewall and from the firewall to the DMZ; that was it. Nothing else would communicate. I have a feeling it had something to do with your comment here, because everything I tried would always enter a broadcast address. I even tried "ifconfig 66.224.62.121/32 dev eth1", and tried both GUIs that I use for networking on a Linux box as well. '8'

Quote from Tom:

"Here is what the above configuration should look like when viewed using ip (the line "inet 130.252.100.17/32 scope global eth1" is the most important): Note in particular that there is no broadcast address."

Thanks. I think I will stick with this since it works, unless I don't have to spend hours to fix the other way.

Mike

PS: I showed you my routing table but I did not post the "ip addr ls eth1" command.
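The route -n table posted earlier in this thread is a good illustration of why the host-route DMZ design works at the routing layer: 66.224.62.121 lies inside 66.224.62.96/27 (eth0), yet the /32 entry wins because the kernel picks the longest matching prefix, and a /32 interface address has no broadcast address. The following is an added example written for this thread, not code from the list or from Shorewall; the route table text is a constructed copy of the output Mike posted.

```python
import ipaddress

# Constructed copy of the `route -n` output posted in the thread.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.224.62.121   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.224.62.96    0.0.0.0         255.255.255.224 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         66.224.62.97    0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    which is why the /32 host route beats the /27 on eth0."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def broadcast_of(iface_addr, mask):
    """Broadcast address for an interface, or None for a /32 host address
    (the "no broadcast address" point from the Shorewall docs Mike quoted)."""
    net = ipaddress.ip_network(f"{iface_addr}/{mask}", strict=False)
    return None if net.prefixlen == 32 else net.broadcast_address
```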