LinuxQuestions.org - Linux - Security
floppyfw cable modem dhcp (https://www.linuxquestions.org/questions/linux-security-4/floppyfw-cable-modem-dhcp-3010/)

c0c0deux 06-01-2001 01:03 PM

I am trying to install floppyfw for a cable modem connection.
I'm trying to get this firewall running, but at boot time I can see on my
modem that there is a broadcast for dhcp_discover, but the eth0 card doesn't get an IP back. I am
not familiar (newbie on the way) with the script, but these are my config and
firewall files.
Config
#
# Configuration for floppyfw
#
# Fill in the blanks.
#
# For configuring of modules to use : /modules.lst
# For configuring logging: /syslogd.cfg
# For configuring network interface cards (usually not necessary): /syslinux.cfg
# For configuring firewall rules and incoming traffic: /firewall.ini
#
#
# Outside network:
#
#
# DHCP is the hook for the DHCP-client for the outside interface.
# If used, you may have hangups of connections when the client has
# to get a new IP-address.
#
# EXTERNAL is a hook for booting a external startup script from a package.
# the external script has to be in /etc/ext-up.init
#
#OUTSIDE_IP=
OUTSIDE_IP=DHCP
#OUTSIDE_IP=EXTERNAL

#
# The external script can need you to add your username and password, as
# the PPPoE package does. This is where you can add that.
# USER_IDENT=xllejqrs
# USER_PASSWORD=xde094

#
#
# eth0 default device.
#
OUTSIDE_DEV=eth0

#
# Not necessary to set these if you are using DHCP
#
OUTSIDE_NETMASK=
OUTSIDE_NETWORK=
OUTSIDE_BROADCAST=

#
# Your inside network, this has 10.42.42.* set as default, this is
# addresses assigned for internal networks according to RFC 1918.
#
# eth1 is the default device for the internal network.
#
INSIDE_IP=10.42.42.1
INSIDE_DEV=eth1
INSIDE_NETMASK=255.255.255.0
INSIDE_NETWORK=10.42.42.0
INSIDE_BROADCAST=10.42.42.255

#
# Misc
# These are not necessary to set if you are using DHCP.
#
DEFAULT_GATEWAY=
NAME_SERVER_IP1=24.200.243.242
NAME_SERVER_IP2=24.200.243.250
DOMAIN=videotron.ca
HOSTNAME=dl

#
# (y)es or (n)o
#
OPEN_SHELL=y
ONLY_8M=n

#
# Turning on syslogd and klogd.
# This is a nice thing but will eat CPU which is why it is turned
# off by default.
#
USE_SYSLOG=n
SYSLOG_FLAGS="-m 360"

# If you don't like the -- MARK -- messages:
#SYSLOG_FLAGS="-m 0"

firewall
# Firewall setup.
#
# Setting up ipchains and ipmasqadm
#

. /etc/config

#
# Flushing the chains.
#
ipchains -F

#
# Policy for forwarding, Deny
#
# #ipchains -P forward DENY
# But we want to Masquerade
ipchains -A forward -i ${OUTSIDE_DEV} -j MASQ > /dev/null
ipchains -A forward -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j MASQ

# Using this one, you can open up the whole internal network to
# anyone adding a route to it through your outside IP.
# Can be quite useful but it is unsecure.
# (this is also the old behaviour of the floppy, and to my defence,
# I never said it was a secure default setting..)

#ipchains -P forward MASQ

#
# Timeouts for the masqueraded connections.
#
ipchains -M -S 6000 120 300

#
# Minimum delay for SSH.
#
ipchains -A output -p tcp -d 0.0.0.0/0 22 -t 0x01 0x10

#
# We don't like the NetBIOS and Samba leaking..
#
/bin/ipchains -I input -j REJECT -p TCP -s 0/0 -d 0/0 137:139
/bin/ipchains -I input -j REJECT -p UDP -s 0/0 -d 0/0 137:139

#
# Corresponding rules for the ipmasqadm lines below.
#
ipchains -A input -p TCP -d $1 21 -j ACCEPT
ipchains -A input -p TCP -d $1 22 -j ACCEPT
ipchains -A input -p TCP -d $1 25 -j ACCEPT
ipchains -A input -p TCP -d $1 80 -j ACCEPT
ipchains -A input -p TCP -d $1 110 -j ACCEPT
ipchains -A input -p TCP -d $1 119 -j ACCEPT

#
# Make http://www.grc.com happy.. or rather the "wow it's STEALTH" -crowd.
# If you are going to use ipmasqadm and inside servers you have to open
# up for them before this line. See above.
#
ipchains -A input -p TCP -y -j DENY -d $1

#
# Finally, list what we have
#
ipchains -L

#
# ipmasqadm takes care of connections from the outside to the inside.
# Remove these comments and the corresponding ACCEPT above to set it up.
#
# Replace <SERVER-IP> with the host part of the internal server's address
# before enabling these. The local port (-L) is the port opened by the
# matching ACCEPT rule above, the remote port (-R) is the port on the inside server.
ipmasqadm portfw -a -P tcp -L $1 21 -R 10.42.42.<SERVER-IP> 21 # ftp
ipmasqadm portfw -a -P tcp -L $1 22 -R 10.42.42.<SERVER-IP> 22 # ssh
ipmasqadm portfw -a -P tcp -L $1 25 -R 10.42.42.<SERVER-IP> 25 # mail
ipmasqadm portfw -a -P tcp -L $1 80 -R 10.42.42.<SERVER-IP> 80 # web
ipmasqadm portfw -a -P tcp -L $1 110 -R 10.42.42.<SERVER-IP> 110 # pop
ipmasqadm portfw -a -P tcp -L $1 119 -R 10.42.42.<SERVER-IP> 119 # nntp
#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."

echo "1" > /proc/sys/net/ipv4/ip_forward


I would appreciate a detailed explanation so I can remember what I don't
understand.
Thanks for all the help.

mcleodnine 06-01-2001 01:19 PM

Most cable modem ISPs require you to send a 'hostname' to their dhcp servers/relay agents. If you're using dhcpcd to get the client address: 'dhcpcd -h <client_ID> <interface>'

Not sure where you will find it, but look for the scripts that start your dhcp client. Add the -h and your client-id (the one supplied by your ISP).

It's the same one they tell you to put in the 'Hostname' box in your Winders Networking properties.

You will also need to add an ipchains rule to your setup to allow UDP/TCP bootpc (port 67 or 68... wetware is failing me today). This will let your sys accept the DHCP_OFFER from the dhcp server. Don't set it up as a masq rule.

c0c0deux 06-01-2001 02:17 PM

I added:
# DHCP is UDP only: the offer comes from server port 67 to client port 68,
# and it can arrive as a broadcast, so the destination is not limited to $1.
ipchains -A input -p UDP -s 0/0 67 -d 0/0 68 -j ACCEPT
and it still doesn't work...
Where does the dhcpcd line:
'dhcpcd -h <client_ID> <interface>'
go?
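To see which rule of the posted input chain a packet actually hits, here is an added Python model (not part of this thread or of floppyfw): it replays the chain from the firewall file above, then the DHCP rules added in the last post, against a constructed DHCPOFFER, a NetBIOS probe and a telnet SYN. It assumes the ipchains built-in default input policy ACCEPT (the posted script never sets one) and leaves out the -d $1 address match.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    target: str                                # ACCEPT, REJECT or DENY
    proto: Optional[str] = None                # "TCP", "UDP" or None for any protocol
    dports: Optional[Tuple[int, int]] = None   # destination port range (lo, hi)
    syn_only: bool = False                     # ipchains -y: only TCP packets with SYN set

@dataclass
class Packet:
    proto: str
    dport: int
    syn: bool = False

def walk_chain(rules, pkt, policy="ACCEPT"):
    """Return (target, rule index) of the first matching rule, or (policy, None)
    when the packet falls through to the chain policy, as ipchains does."""
    for i, r in enumerate(rules):
        if r.proto and r.proto != pkt.proto:
            continue
        if r.dports and not (r.dports[0] <= pkt.dport <= r.dports[1]):
            continue
        if r.syn_only and not (pkt.proto == "TCP" and pkt.syn):
            continue
        return r.target, i
    return policy, None

# The input chain as the posted firewall.ini builds it: the two '-I' NetBIOS
# rules end up at the head (the UDP one last inserted, so first), then the
# '-A' rules in file order. This model ignores the $1 destination address.
POSTED_INPUT = [
    Rule("REJECT", "UDP", (137, 139)),
    Rule("REJECT", "TCP", (137, 139)),
] + [Rule("ACCEPT", "TCP", (p, p)) for p in (21, 22, 25, 80, 110, 119)] + [
    Rule("DENY", "TCP", syn_only=True),
]

# Rules from the second post: a DHCP offer is UDP, so "TCP 68" can never match it.
WRONG_DHCP = POSTED_INPUT + [Rule("ACCEPT", "UDP", (67, 67)), Rule("ACCEPT", "TCP", (68, 68))]
# DHCP is UDP only, server port 67 and client port 68.
FIXED_DHCP = POSTED_INPUT + [Rule("ACCEPT", "UDP", (67, 68))]

DHCP_OFFER = Packet("UDP", 68)          # constructed: DHCPOFFER, udp/67 -> udp/68
NETBIOS_PROBE = Packet("UDP", 139)      # constructed: NetBIOS session probe
TELNET_SYN = Packet("TCP", 23, syn=True)  # constructed: new inbound telnet connection

def offer_fate(rules, policy):
    """Verdict the DHCP offer gets under the given chain and policy."""
    return walk_chain(rules, DHCP_OFFER, policy)[0]
```

With the default ACCEPT policy the offer already falls through to the policy untouched, so this chain is not what stops the lease; the DHCP ACCEPT rule only matters once the input policy is DENY, and then it has to match UDP 68.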

