Posts posted by b

  1. Your case described and explained.

     

    (LDP free publication, http://www.tldp.org/guides.html

    mdk used to have a "nag" rpm for this)

     

    Linux Network Administrator's Guide

     

    From appendix A

    Example Network: The Virtual Brewery

    ...

    The Virtual Brewery and the Virtual Winery each have a class C

    subnet of the Brewery's class B network, and gateway to each other

    via the host vlager, which also supports UUCP connection.

    ...

     

    Chapter 5: Configuring TCP/IP Networking

    ...

    How to set up vlager et al.

     

    (Have not done this yet)

    HIH

  2. Hi

     

    Other idea 1:

    Don't know enough to critique your iptables setup!

    Maybe attack that machine with latest nessus or something?

     

    Other idea 2:

    Other kernel ipv4 gizmos to consider?

     

    Most of following is in here somewhere:

    (no German version yet so)

    http://www.gentoo.org/doc/en/gentoo-security.xml

     

    Note: If you are running a firewall/expert system the following may

    not be necessary or useful or advisable.

     

    kernel ipv4 settings

     
    
    #!/bin/bash
    # (echo -e below needs bash, not plain sh)
    # (Lots of probably useless feedback on startup messages
    # in the following [included just to make sure they are set as wished])

    echo "Options /proc/sys/net/ipv4"
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then # if variable exists
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all   # set variable
      msg=`cat /proc/sys/net/ipv4/icmp_echo_ignore_all`    # build feedback message
      echo -e "\t${msg} = icmp_echo_ignore_all"            # display feedback message
    fi
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      msg=`cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`
      echo -e "\t${msg} = icmp_echo_ignore_broadcasts"
    fi
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
      echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
      msg=`cat /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses`
      echo -e "\t${msg} = icmp_ignore_bogus_error_responses"
    fi
    if [ -e /proc/sys/net/ipv4/ip_forward ]; then
      echo "1" > /proc/sys/net/ipv4/ip_forward   # echo "0" > ... if not a gateway machine
      msg=`cat /proc/sys/net/ipv4/ip_forward`
      echo -e "\t${msg} = ip_forward"
    fi
    echo "   /proc/sys/net/ipv4/conf/*/rp_filter"
    for i in /proc/sys/net/ipv4/conf/*; do          # one entry per interface (plus all/default)
      b_n=`basename ${i}`
      if [ -e $i/rp_filter ]; then
          echo "1" > $i/rp_filter
          msg=`cat $i/rp_filter`
          echo -e "\t${msg} = $b_n"
      fi
    done
    echo "   /proc/sys/net/ipv4/conf/all"
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
      echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
      msg=`cat /proc/sys/net/ipv4/conf/all/accept_source_route`
      echo -e "\t${msg} = accept_source_route"
    fi
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
      echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
      msg=`cat /proc/sys/net/ipv4/conf/all/accept_redirects`
      echo -e "\t${msg} = accept_redirects"
    fi
    if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
      echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
      msg=`cat /proc/sys/net/ipv4/conf/all/log_martians`
      echo -e "\t${msg} = log_martians"
    fi

    HIH
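As an added example (not code from b's post), a small POSIX sh audit that reads the same /proc/sys/net/ipv4 knobs the script above sets and reports which are not at the hardened value, so the settings can be checked after boot instead of trusted from the startup messages. The function names check_knob, audit_ipv4 and make_fake_proc are my own, and the fake tree is constructed so the script runs without root; pass /proc to audit the live host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the /proc/sys/net/ipv4 knobs the
# post's script sets and report those not at the hardened value. ip_forward is left
# out because its right value depends on whether the box is a gateway.
EXPECTED='
sys/net/ipv4/icmp_echo_ignore_all 1
sys/net/ipv4/icmp_echo_ignore_broadcasts 1
sys/net/ipv4/icmp_ignore_bogus_error_responses 1
sys/net/ipv4/conf/all/accept_source_route 0
sys/net/ipv4/conf/all/accept_redirects 0
sys/net/ipv4/conf/all/log_martians 1
'
# check_knob ROOT REL WANT: 0 if ROOT/REL holds WANT, 1 if it differs, 2 if absent
check_knob() {
  f="$1/$2"
  [ -e "$f" ] || { echo "absent   $2"; return 2; }
  have=$(cat "$f")
  [ "$have" = "$3" ] && { echo "ok       $2 = $have"; return 0; }
  echo "MISMATCH $2 = $have (want $3)"; return 1
}
# audit_ipv4 ROOT: one line per knob; returns the number of weak or missing knobs
audit_ipv4() {
  root="${1:-/proc}"; bad=0
  while read -r rel want; do
    [ -n "$rel" ] && { check_knob "$root" "$rel" "$want" || bad=$((bad + 1)); }
  done <<EOF
$EXPECTED
EOF
  # rp_filter must be 1 on every interface, as the post's for loop sets it
  for d in "$root"/sys/net/ipv4/conf/*; do
    [ -d "$d" ] || continue
    check_knob "$root" "sys/net/ipv4/conf/${d##*/}/rp_filter" 1 || bad=$((bad + 1))
  done
  return "$bad"
}
# make_fake_proc DIR: constructed sample tree (not a real /proc) with two weak knobs
make_fake_proc() {
  d="$1/sys/net/ipv4"; mkdir -p "$d/conf/all" "$d/conf/eth0" "$d/conf/lo"
  for k in icmp_echo_ignore_all icmp_echo_ignore_broadcasts icmp_ignore_bogus_error_responses \
           conf/all/log_martians conf/all/rp_filter conf/lo/rp_filter; do echo 1 > "$d/$k"; done
  echo 0 > "$d/conf/all/accept_source_route"
  echo 1 > "$d/conf/all/accept_redirects"   # weak: the post sets 0
  echo 0 > "$d/conf/eth0/rp_filter"         # weak: the post sets 1
}
# stand-alone run against the constructed tree; pass /proc to audit the live host
demo=$(mktemp -d); make_fake_proc "$demo"
audit_ipv4 "$demo" || echo "$? knob(s) differ from the post's hardened values"
rm -rf "$demo"
```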

  3. Hi

    Maybe portmap and nfs are not yet running

    when filesystems in /etc/fstab are mounted?

    Is there feedback in logs?

     

    If I am on track, ideas.

    Change service startup order so that portmap and nfs

    are started after network setup

    and before filesystems in fstab are mounted

    or

    manually 're'mount nfs shares as last entries commands

    in your "rc.local" file

    (I think in mandrake it's /etc/rc.d/rc.local,

    for me it's /etc/conf.d/local.start, no idea for your linux)

    i.e. nfs mount instructions just before the user gets control

    at a cli or in gui.

    HIH

  4. Hi

    Got the snort email alert too.

    Nothing pressing here since RPC does not run here, it is usually not needed.

    If it is not running it cannot be exploited!

    Will upgrade soon anyway.

     

    Since you don't have a Lan setup yet

    you certainly don't need/use NIS, NFS or r services. (might be more rpc uses: don't know)

    i.e. you don't need rpc services.

    Turn them off (portmap, nfs, nis).

    rpcinfo -p (to check)

    (you can always turn them back on if needed or if something breaks!?)

     

    However if your router device can firewall too

    and you need NFS (soon will be openafs for me) on lan (remove r services, use ssh instead)

    make sure it does not allow outside (web) connections to ports. (/etc/services)

    sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP

    sunrpc 111/udp portmapper

     

    My firewall machine often drops port 111 attempts even though that port is not open!

    (They are fishing in an empty ocean)

     

    Hope your plain ML security settings include a firewall denying

    what you do not want to supply to the www.

     

    Some reading:

    The Linux System Administrators' Guide

    at

    http://www.tldp.org/guides.html

    Ch. 12 Remote Procedure Call

    HIH

  5. Hi

    Don't know anything about an mcc wizard setup.

     

    On a 8.1 machine in /etc/ncp.conf

    I have

    ...

    # Public Canadian meteorological ... at Dorval, Québec, Canada

    server ntp1.cmc.ec.gc.ca

    (and that is it for setup)

     

    I found the public time server reading:

    http://www.eecis.udel.edu/~mills/ntp/servers.html

    then

    http://www.eecis.udel.edu/~mills/ntp/clock2a.html

    (probably some public ones in there closer to you)

     

    service ntpd.../chkconfig.../wizard... to taste.

     

    The 8.1 setup does an ntpdate ... to sync gross time differences

    before launching the ntpd daemon.

     

    On the other machine (not mandrake) I manually launch ntpdate... before

    launching the daemon (about the same setup as 8.1).

     

    Have not yet tried syncing the second machine from the other one, which syncs on a

    public web time server.

  6. Hi

    Are these it?

     

    rss_glx:

     

    DESCRIPTION="OpenGL screensavers, ported to GLX. Suitable for use with xscreensaver"

    HOMEPAGE="http://rss-glx.sourceforge.net/"

    SRC_URI="mirror://sourceforge/rss-glx/rss_glx-0.6.8.tar.bz2"

    ...

    /usr/lib/xscreensaver/euphoria

    /usr/lib/xscreensaver/lattice

    /usr/lib/xscreensaver/cyclone

    /usr/lib/xscreensaver/fieldlines

    /usr/lib/xscreensaver/flocks

    /usr/lib/xscreensaver/flux

    /usr/lib/xscreensaver/helios

    /usr/lib/xscreensaver/plasma

    /usr/lib/xscreensaver/skyrocket

    /usr/lib/xscreensaver/solarwinds

    /usr/lib/xscreensaver/hufo_smoke

    /usr/lib/xscreensaver/hufo_tunnel

    /usr/lib/xscreensaver/colorfire

    /usr/lib/xscreensaver/sundancer2

  7. Hello

     

    My .02 read is that your kernel is set up and used to only 1 TCP/IP connection;

    it now has 2 and does not know how to route them correctly

    (not set up for this). Are you getting any feedback/complaints in logs?

    On a similar micro lan the machine having the 2 links

    has this set to 1

    /proc/sys/net/ipv4/ip_forward

    The other has it set to 0.

    This 1 might be magical, hope it is but doubt it.

    Anyway for me all this networking voodoo nat, masquerading, forwarding,

    filtering was handled by bastille-firewall (now gone from mdk I hear)

    while basic networking was through installation then netconf.

    (don't remember much of it I am afraid)
