tvlad

I'm on a lan made of 16 computers connected with switches. Five of us agreed to share a net connection. Some time ago i made an old pc on which i installed linux act as a server, and since we only have one external ip, it does both masquerading, and serves as a firewall, for both outside, and inside the network, by denying people who are in our lan but don't pay access to the net.

Though what i found out quite recently made me think on how i could prevent something like this. I found out that if you first change your mac address and then your ip, even if someone with the same ip and mac is on the network, he won't get an ip conflict message, and what i want to ask, is how can i stop someone doing this from being able to use the net. One way would be with manageable switches, where i'd assign a mac for each port, but i HOPE there is another way, since we don't have programable switches.

I took the fw from the Ip masquerading howto and i blocked those that i didn't want to have net in our lan by their mac addresses, i allowed myself and a couple of others by our mac addresses and then i blocked everyone by using ip ranges.

#------------BLOCK BY MAC ADDRESS-----------------------

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m mac --mac-source 00:A0:D2:A4:91:25 \ -d $UNIVERSE -j DROP #CONTE

#--------------ALLOW NET ACCESS-------------------------

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m mac --mac-source 00:02:44:41:1E:DB \

-d $UNIVERSE -j ACCEPT #VLAD

#-------------BLOCK EVERYONE ELSE----------------------

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j DROP

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j DROP

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 10.0.0.0/0 -d $UNIVERSE -j DROP

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 169.254.0.0/8 -d $UNIVERSE -j DROP

UNIVERSE="0.0.0.0/0"

Is the order in which i block and allow a good one ?,

And another question, would smth like -m mac --mac-source **:**:**:**:**:**

block all possible mac addresses.If not, how could i do that ???

Should i remove this line

# anything else outgoing on remote interface is valid

#

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

I got all my speakers working, i just played arround with the controls on the alsamixer.( thx for the help)

Do you have any idea why i can't hear my central speaker in windows while listening mp3s, because in linux i can hear it.

I'll do that, but if audigy has 5.1 channel support, shouldn't this be true for Audigy 2 as well ?

I've recently installed Mdk 9.2 and i chose the alsa driver for it.After i used the mixer in kde i was able to hear sound, but only on the two front speakers.

Why is that ? The remaining channels are muted and the mixer in kde doesn't show'em, or the driver doesn't support 5.1 sound ???

I want to setup a vpn server that will authenticate the clients that are connecting to it against an active directory running in Windows 2000.

How can i do that, cause i have 0 ideas.

Well, to answer the question myself :D, it's really easy

-u just create a new user, login with that new user, mail and that's it, you have a new account

I just finished installing and configuring postfix, still there are many things that i don't know, the most important being : How do i create mail accounts on my new, shiny postfix ????

Yup, the documentation has arrived, now if i pass my physics exam tommorow i'll be REALLY happy and i'll start reading the docs.

UPDATE: I did pass my exam, after learning for about five days :(, now i have time for my linux and bsd experiments, if only i'd make Solaris 9 x86 to work it would make my day.

Now that would be nice, thx.

Unfortunately, the only mdk at my disposal is our lan's server, and it doesn't have the pam documentation, guess i'll try google.

Could you be a bit more specific, cause you gave me too many links, really.

I looked through the files in /etc/pam.d/ and in passwd i saw this at the end of several lines : service=system-auth, what does it do, cause i have no idea.

Tell, why have both /etc/modules and modules.conf, because they do the same thing, what modules you put into /etc/modules will be loaded at startup, the same with /etc/modules.conf, so why have two files that do the same thing ??????

That is the syntax of tcpwrappers.For example, if i add this to hosts.allow :

ALL EXCEPT in.ftpd: 123.123.123.1

would allow this ip to use all services except ftp.What i want to know is

why does fptd start with "in." in the syntax and if this is also the case with sshd.If i wanted to allow all but ssh, should i do like this :

ALL EXCEPT in.sshd: 123.123.123.1

OR

ALL EXCEPT sshd: 123.123.123.1

This is the general syntax :

<daemon_list>: <client_list>[: spawn <shell_command> ]

Now, how can i find out the "<daemon list>"

And why does ftpd has to be specified as in.ftpd, is this the case with sshd ???

Hmmm, yup, when i saw fromdos i didn't bother looking elsewhere on that page, i saw smth that startde with col, but gave it no importance :) .

Anyway, i installed sysutils, and fromdos works just fine, as does col -b .....

Thx guys, you've really helped me.

Thx Bvc, though i'm wandering, couldn't it be done with awk, sed or some other very common tools ????

Nope, doesn't work, all i want to do is to remove those ^M from the file.

There must be a way to do it from text mode.

First, it isn't ^B, it's ^M.

#^M

# Log:^M

#^M

# 0.77s - Changed the default block behavior to REJECT not DROP^M

# 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment^M

# where to put optional PORTFW commands^M

# 0.75s - Added clarification that PPPoE users need to use^M

And i tryed using that sed command on this file, but no change (ofcourse i pu ^M instead of ^B in the command, ain't THAT dum ).

Yup, but how do i do that ???

If i edit a file in windows, and then copy it to linux, if it's a script or smth like that it won't run.When i do vim -b on the file, i find that on every line it has ^B.

Now, there must be a way to get rid of those ^B.Is there a windows utility, or

should i do it in linux (it can be done, but how ? ) :D

Nope, it just won't work, why ????????, because the proxy works perfectly, so i don't have any idea.

I am trying to make urpmi work with a proxy.I went into Mandrake control center and in the sources manager i configured my proxy.When i tryied to run Mandrake update it said it couldn't contact any mirror.

The proxy works just fine, because at the same time i was surfin with mozilla which was using the same proxy, so why doesn't urpmi work with a proxy.

I checked, when i change the proxy, the changes are reflected into /etc/urpmi/proxy.cfg.