Message #27932
DNS til modem problem
Jeg har et problem med min DNS, se udskriften: den laver forbindelse
til min ISP ca. hver 2 til 3 min. med en varighed på 1,1 min
(det ene minut er et delay, jeg har lavet i ppp).
Jeg kan ikke se hvad den laver med netstat -m
Hvordan kan jeg se hvad den sender, og hvorfor ?
Kan jeg komme af med det? Det koster hver gang,
den laver det.
Jeg har også vedlagt min firewall.
MVH Jan Larsen
>>min named.conf<<<
// Caching-only BIND 8 configuration for a small LAN behind a dial-up link:
// queries the server cannot answer from cache are handed to two forwarders.
options {
// Working directory for the zone files named below.
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
// Upstream resolvers (presumably the ISP's) that receive every query not
// answered from cache.
// NOTE(review): there is no "forward only;" line, so BIND defaults to
// "forward first" - if the forwarders do not answer, it falls back to the
// root servers in root.cache below, and on a dial-on-demand link that
// fallback alone is enough to bring the line up. Worth checking whether
// the periodic dial-ups coincide with forwarder timeouts.
forwarders {
212.242.40.3;
212.242.40.51;
};
// Bind only to the LAN address and loopback, so queries arriving on the
// ppp-side address are not accepted.
listen-on { 192.168.1.1; 127.0.0.1 ; };
// Do not send NOTIFY messages to other servers on zone changes.
notify no;
};
// Silence two noisy log categories; everything else uses the default log.
logging {
category lame-servers { null; };
category cname { null; };
};
//
// a caching only nameserver config
//
// Root hints: used for any query that is not resolved via the forwarders
// (see the forwarders note above).
zone "." in {
type hint;
file "root.cache";
};
// Reverse zone for loopback, served locally.
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.rev";
};
// Reverse zone for the 192.168.1.0/24 LAN, served locally.
zone "1.168.192.in-addr.arpa" in {
type master;
file "192.168.1.rev";
};
// Private forward zone "home" for the LAN hosts, served locally.
zone "home" in {
type master;
file "home";
};
>>>Min firewall<<<
#!/bin/sh
# Configure safe networking practices
# chkconfig: - 06 90
# description: Setup firewalling and network security
# This assumes your Internet is on a PPP connection
# and the local (trusted) LAN is eth0.
# To install this on a Red Hat 6.x system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
# chmod 755 /etc/rc.d/init.d/securenet
# /sbin/chkconfig --add securenet
# /sbin/chkconfig --level 2345 securenet on
# Henrik Størner, storner@xxxxxxxx
# Modified 2000-03-20: Changed rules for ftp-data and DNS responses
# so they work for masqueraded connections.
#
# NOTE(review): as posted, every ipchains line in this file is commented
# out. The only commands that actually run are the PATH assignment and
# three writes to /proc/sys/net/ipv4 (ip_forward twice, ip_always_defrag
# once), so this script on its own turns forwarding ON without installing
# a single filter rule. The filtering presumably comes from the separate
# "routing" script pasted below it - verify that it really runs after this
# one, and that nothing else re-enables forwarding in between.
PATH=/bin:/sbin:/usr/bin:/usr/sbin
#########################################
# First setup some of the kernel features
#########################################
# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
# NOTE(review): this "0" is overwritten by the "1" written in the
# masquerading section at the end of the file, so the comment above no
# longer describes the end state - forwarding ends up enabled.
echo "0" >/proc/sys/net/ipv4/ip_forward
# Enable syn-cookies (syn-flooding attacks)
#if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
# echo "1" >/proc/sys/net/ipv4/tcp_syncookies
#else
# echo "Warning: SYN-cookie protection disabled in this kernel."
#fi
# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
#echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable ICMP echo-request altogether (see also below for ICMP filtering)
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
# Set local port range for listeners (ftp ...)
# The range used here is what will be used for the connections
# initiated from the firewall host. If you do masquerading, then
# masqueraded connections will use the range 61000-65096.
# Thus, in the ipchains rules below we will combine these two
# ranges into one: 56000:65096
#echo "56000 60999" >/proc/sys/net/ipv4/ip_local_port_range
# It seems that this must be done for all network interfaces
# NOTE(review): the loop below is commented out, so accept_source_route
# and rp_filter are left at the kernel defaults on every interface; the
# anti-spoofing filter is therefore not in effect unless set elsewhere.
#for f in /proc/sys/net/ipv4/conf/*; do
# Drop all source-routed packets
# echo "0" >$f/accept_source_route
# Enable Egress filtering (anti-spoofing measure)
# echo "2" >$f/rp_filter
#done
######################
# Setup IP firewalling
######################
# Default policies.
# We deny all input and forwarding, then allow specific things further down.
# We allow all outgoing traffic - this could be tightened, but is only
# necessary for very secure installations.
# NOTE(review): the three policy lines are commented out, so the input
# chain keeps whatever policy it already had (ACCEPT unless set elsewhere)
# and none of the "allow specific things" rules below are installed.
#ipchains -P input DENY; ipchains -F input
#ipchains -P forward DENY; ipchains -F forward
#ipchains -P output ACCEPT; ipchains -F output
# Allow anything on trusted interfaces
# ------------------------------------
# Allow anything on the loopback i/f: We trust ourselves.
# ipchains -A input -p all -j ACCEPT -i lo
# Allow anything on the local LAN: We trust the local guys.
# ipchains -A input -p all -j ACCEPT -i eth0
# Handle incoming TCP traffic
# ---------------------------
# Allow all traffic that does not try to setup a connection (no SYN)
# ipchains -A input -p tcp -j ACCEPT \! -y
# Explicitly reject (RST) connections to my ident/auth server.
# Some mail servers try to talk to this when you send them mail,
# and get really slow if you shut this off.
# ipchains -A input -p tcp -j REJECT -s 0/0 -d 0/0 auth -y
# If you want people from the outside to be able to access your web
# server, you must enable this. But most people don't run web servers
# on their home machines.
#ipchains -A input -p tcp -j ACCEPT -s 0/0 -d 0/0 www -y
# Allow ftp-data connections to listener ports (downloads and dir listings).
# Would be better if kernel could setup temporary rules when we start
# an ftp download ("port" command), but this will have to do for now.
# If you don't like this, consider enforcing use of passive-mode ftp only.
# ipchains -A input -p tcp -j ACCEPT -s 0/0 ftp-data -d 0/0 56000:65096 -y
# Handle incoming UDP traffic
# ---------------------------
# Allow dns replies to our locally originating requests
# BIND 8 uses the high ports for sending requests; this is good.
# ipchains -A input -p udp -j ACCEPT -s 0/0 domain -d 0/0 56000:65096
# Allow ntp communication (uses ntp port for request and reply)
# ipchains -A input -p udp -j ACCEPT -s 0/0 ntp -d 0/0 ntp
# Allow Real Audio/Video in best quality (uses udp).
# NB: This is for listening to RealAudio on the firewall only!
# Don't do this if you're paranoid - newer (G2) Real Audio will
# automatically switch to TCP if udp does not work.
# By default, you must allow incoming udp to ports 6970:7170,
# but that is WAY too big an area for me. Changing this does
# require some configuration of the Real Player client software.
# ipchains -A input -p udp -j ACCEPT -d 0/0 32768:32769
# Handle incoming ICMP
# --------------------
# Allow all, except remote timestamp-, echo- and address-mask requests,
# and ICMP redirects.and router-advertisements
# (Denying echo-requests means we cannot be ping'ed).
#ipchains -A input -p icmp -s 0/0 timestamp-request -j DENY --log
#ipchains -A input -p icmp -s 0/0 address-mask-request -j DENY --log
#ipchains -A input -p icmp -s 0/0 redirect -j DENY --log
#ipchains -A input -p icmp -s 0/0 router-advertisement -j DENY --log
#ipchains -A input -p icmp -s 0/0 echo-request -j DENY --log
#ipchains -A input -p icmp -j ACCEPT
# Log what drops through to here. If we catch anything, it
# will be interesting.
#ipchains -A input --log
# Now, play some tricks with outgoing packets on the modem link
# Use the TOS field to prioritize different protocols
# -------------------------------------------------------------
# http, telnet and ssh get "minimum delay"
#ipchains -A output -p tcp -d 0/0 80 -i ppp+ -t 0x01 0x10
#ipchains -A output -p tcp -d 0/0 23 -i ppp+ -t 0x01 0x10
#ipchains -A output -p tcp -d 0/0 22 -i ppp+ -t 0x01 0x10
# ftp-data, nntp and pop-3 get "low cost"
#ipchains -A output -p tcp -d 0/0 20 -i ppp+ -t 0x01 0x02
#ipchains -A output -p tcp -d 0/0 119 -i ppp+ -t 0x01 0x02
#ipchains -A output -p tcp -d 0/0 110 -i ppp+ -t 0x01 0x02
######################
# Setup Masquerading #
######################
### NB: This is disabled by default. If you want to use ###
### masquerading, just remove the "###" comment-markers ###
### from the lines below. ###
# Load the masquerading prototcol-modules
# This loads all of the modules in /lib/modules/2.2.x/ipv4/
#for f in /lib/modules/`uname -r`/ipv4/*masq*.o; do
# /sbin/modprobe `basename $f | sed -e's/\.o$//'`
#done
# Enable a hack in the kernel for dial-on-demand Internet connectivity
# without having a static IP address.
# Without setting this, the first packet that goes out on a dial-on-demand
# connection has the wrong sender IP address, meaning that you will have
# to retransmit at least once.
# (This has nothing to do with security - but it is useful for a home
# network using masquerading).
# echo "1" >/proc/sys/net/ipv4/ip_dynaddr
# Defrag all packets. Needed for masquerading
# NOTE(review): the two writes below are the only live lines in this
# section. They are unconditional - a kernel without the file would just
# print an error from the shell and carry on - and they run before any
# forward-chain rule exists, which is why the forward policy must be set
# DENY by whatever script installs the rules.
echo "1" >/proc/sys/net/ipv4/ip_always_defrag
# Enable forwarding (needed for masquerading)
echo "1" >/proc/sys/net/ipv4/ip_forward
# Masquerade anything that needs forwarding on the
# external interface (ppp0, usually), except all the Windows
# Netbios chit-chat on ports 137 thru 139.
# Note: "-i" on the forward chain refers to the OUTGOING interface.
#ipchains -A forward -i ppp+ -p tcp -s 0/0 137:139 -j DENY
#ipchains -A forward -i ppp+ -p udp -s 0/0 137:139 -j DENY
#her kommer min routing
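#!/bin/sh
# Forwarding / masquerading rules for the LAN behind the ppp0 dial-up link.
# The securenet script above already writes 1 to ip_forward, so the forward
# chain must never be left open while it is being rebuilt: the DENY policy
# is set first, and rules are added afterwards. A failure part-way through
# then leaves the chain closed instead of wide open.
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Fail closed before touching the rules. If ipchains itself is unusable,
# stop here rather than continue with an unknown chain state.
ipchains -P forward DENY || exit 1
# Flush existing rules (the policy set above survives the flush).
ipchains -F

# Never forward Windows NetBIOS chatter (ports 137-139). The original
# matched only the source port; an outbound SMB session leaves with an
# ephemeral source port and destination 139, so match the destination
# port as well to honour the intent of blocking NetBIOS entirely.
ipchains -A forward -p tcp -s 0/0 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 137:139 -j DENY
ipchains -A forward -p tcp -d 0/0 137:139 -j DENY
ipchains -A forward -p udp -d 0/0 137:139 -j DENY

# Masquerade everything else that leaves on ppp0 ("-i" on the forward
# chain is the OUTGOING interface); with the DENY policy, nothing else
# is forwarded at all.
ipchains -A forward -i ppp0 -j MASQ

# Let the first packet on a dial-on-demand link pick up the newly
# assigned address instead of being sent with a stale one.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Masquerading helper modules for protocols that carry addresses in their
# payload. A missing module is reported but is not fatal, as before.
for mod in ip_masq_ftp ip_masq_raudio ip_masq_irc ip_masq_cuseeme ip_masq_vdolive; do
  modprobe "$mod" || echo "warning: could not load $mod" >&2
done

# Masquerade table timeouts: tcp 7200s, tcp-fin 10s, udp 160s.
ipchains -M -S 7200 10 160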