Dial on Demand problem

Christos Ricudis ricudis at paiko.gr
Tue Apr 17 21:36:41 EEST 2001


Hello Alexios!

  On 17 Apr 01, Alexios Chouchoulas wrote to All with subject "RE: Dial on
Demand problem":

 >> I suspect that, apart from these, you will also have to filter IGMP
 >> and similar packets coming from quite a few routers; it took me a whole
 >> day of hunting with tcpdump to build filters that do PROPER dial on
 >> demand/inactivity hangup [2]

 AC>   Do you have these on a web page somewhere? They are instructive and
 AC> I might sit down and set up my own dial-on-demand [2].

My dear little cuttlefish,

Here they are, in BSD user-mode ppp format. It is not that hard to work out
what they do and convert them to diald or whatever else:

# Filter out private subnets.
# (Added note: ppp(8) discards any packet that matches no rule of a non-empty
# filter set, so a deny-only "out" set with no trailing permit would drop ALL
# outgoing traffic. Rule 6 is added here for that reason.)

 set filter out 0 deny 0/0 10.0.0.0/8
 set filter out 1 deny 10.0.0.0/8 0/0
 set filter out 2 deny 172.16.0.0/12 0/0
 set filter out 3 deny 0/0 172.16.0.0/12
 set filter out 4 deny 0/0 192.168.0.0/16
 set filter out 5 deny 192.168.0.0/16 0/0
 set filter out 6 permit 0/0 0/0

# Specify which packets keep the connection alive. Unfortunately FreeBSD keeps
# no state in its inactivity timer. I would have liked, for example, to be able
# to keep the connection up indefinitely AS LONG AS I have even one established
# TCP connection.

# Specify what we DON'T want to reset the inactivity timer, and permit
# everything else. Rules are tried in number order and the first match decides.
# 224.0.0.0/24: multicasting. Shoo, shoo!
 set filter alive 0 deny 0/0 224.0.0.0/24
 set filter alive 1 deny 224.0.0.0/24 0/0
# Outgoing DNS queries. SHOO, SHOO!
# (Added note: the replies come back with src port 53 and still reset the
# timer; add a matching "deny udp src eq 53" if that matters to you.)
 set filter alive 2 deny udp dst eq 53
# Microsoft nonsense (NetBIOS). SHOO, SHOO!
 set filter alive 3 deny udp src eq 137
 set filter alive 4 deny udp src eq 138
 set filter alive 5 deny udp src eq 139
 set filter alive 6 deny udp dst eq 137
 set filter alive 7 deny udp dst eq 138
 set filter alive 8 deny udp dst eq 139
# ICMP packets addressed to us. SHOO, SHOO!
 set filter alive 9 deny 0/0 MYADDR icmp
# Anything else resets the inactivity timeout.
 set filter alive 10 permit 0/0 0/0

# Specify which packets we want to bring up our... er... link when it is down.
# Deny NetBIOS, allow everything else.
 set filter dial 0 deny udp src eq 137
 set filter dial 1 deny udp src eq 138
 set filter dial 2 deny udp src eq 139
 set filter dial 3 deny udp dst eq 137
 set filter dial 4 deny udp dst eq 138
 set filter dial 5 deny udp dst eq 139
 set filter dial 6 deny tcp finrst              # badly closed TCP channels
 set filter dial 7 permit 0/0 0/0               # final permit, written 0/0 0/0 as in the alive set


Here is where the following complication arises.

Almost every TCP connection begins with a DNS lookup. It is therefore
reasonable to build a filter that brings up the link as soon as it sees
outgoing 53/udp packets.

If we do that, we will discover that a healthy LAN with a pile of machines
(8 or 9 heterogeneous workstations and PCs in my case) makes a pile of
idiotic DNS requests that do not seem to serve any purpose. The WORST
example is the following:

   22:08:57.676005 223.1.2.12.36184 > grdns.ics.forth.gr.domain: 4481+ A?
        /opt/OV/bin/createSnmpColStats.ovpl. (53) (DF)
   22:08:57.744949 grdns.ics.forth.gr.domain > 223.1.2.12.36184: 4481
        NXDomain* 0/1/0 (129) (DF)
   22:08:57.746782 223.1.2.12.36185 > grdns.ics.forth.gr.domain: 4482+ A?
        /opt/OV/bin/createSnmpColStats.ovpl.paiko.gr. (62) (DF)
   22:08:57.817193 grdns.ics.forth.gr.domain > 223.1.2.12.36185: 4482
        0/1/0 (119) (DF)

(and for those who did not get it, the OpenView I have set up on 223.1.2.12
is trying to resolve <blink><b><u>ITS OWN PATHNAME</u></b></blink> in the
DNS. I am still trying to work out WHY.)

The second and equally important problem is that every half a minute to a
minute you will also get a bloody HTTP request from some forgotten bloody
rotating bloody banner sitting at the very top of the bloody page that
somebody left open in his bloody Netscape.

The two problems above are solved by using a nice ad-buster proxy server and
a caching DNS server, which are rather indispensable for such an
environment...





--
Christos Ricudis

In God we trust.
All others must present a valid X.509 certificate.
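The rule semantics the filters in the message above rely on, as an added example that is not part of the original message or of ppp itself: a small Python model of how ppp(8) evaluates a filter set (rules tried in rule-number order, the first match decides, an empty set permits everything, and a packet matching no rule of a non-empty set is discarded, i.e. no dial and no idle-timer reset), run over the alive and dial sets from the message. The sets are abridged to one NetBIOS rule each and only "eq" port tests and "finrst" are modelled. MYADDR is assumed to be 192.0.2.1 and 198.51.100.53 stands in for grdns.ics.forth.gr, since the message gives neither address; every packet is a constructed sample.

```python
"""Toy model of ppp(8) 'set filter' evaluation. Added example, not from the message.
Modelled: rules tried in number order, first match decides, empty set permits all,
no match in a non-empty set discards. Assumptions: MYADDR = 192.0.2.1 (documentation
address), 198.51.100.53 stands in for grdns.ics.forth.gr, packets are constructed."""
import ipaddress
from typing import Dict, List, NamedTuple

MYADDR = "192.0.2.1"            # assumed local address of the PPP link
PROTOS = {"tcp", "udp", "icmp"}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""             # TCP flags as letters: S, A, F, R


def parse_net(token: str) -> ipaddress.IPv4Network:
    """ppp accepts short forms such as 0/0 or 10/8; MYADDR is the link address."""
    if token == "MYADDR":
        return ipaddress.ip_network(MYADDR + "/32")
    addr, _, width = token.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (width or "32"), strict=False)


def parse_rule(line: str) -> dict:
    """set filter NAME N ACTION [src] [dst] [proto [src eq P] [dst eq P] [finrst]]"""
    tok = line.split()
    rule = {"set": tok[2], "n": int(tok[3]), "action": tok[4],
            "src": parse_net("0/0"), "dst": parse_net("0/0"),
            "proto": None, "sport": None, "dport": None, "finrst": False}
    rest = tok[5:]
    if rest and rest[0] not in PROTOS:          # addresses are optional in ppp.conf
        rule["src"] = parse_net(rest.pop(0))
        if rest and rest[0] not in PROTOS:
            rule["dst"] = parse_net(rest.pop(0))
    if rest:
        rule["proto"] = rest.pop(0)
    while rest:
        t = rest.pop(0)
        if t in ("src", "dst") and rest.pop(0) == "eq":
            rule[t[0] + "port"] = int(rest.pop(0))   # "src" -> sport, "dst" -> dport
        elif t == "finrst":
            rule["finrst"] = True
        else:
            raise ValueError("keyword not modelled: " + t)
    return rule


def load(conf: str) -> Dict[str, List[dict]]:
    sets: Dict[str, List[dict]] = {}
    for line in conf.splitlines():
        if line.strip().startswith("set filter"):
            r = parse_rule(line)
            sets.setdefault(r["set"], []).append(r)
    return sets


def matches(r: dict, p: Packet) -> bool:
    return (ipaddress.ip_address(p.src) in r["src"]
            and ipaddress.ip_address(p.dst) in r["dst"]
            and r["proto"] in (None, p.proto)
            and r["sport"] in (None, p.sport)
            and r["dport"] in (None, p.dport)
            and (not r["finrst"] or "F" in p.flags or "R" in p.flags))


def permitted(rules: List[dict], p: Packet) -> bool:
    """Empty set permits all; otherwise first match decides and no match discards."""
    for r in sorted(rules, key=lambda r: r["n"]):
        if matches(r, p):
            return r["action"] == "permit"
    return not rules


# The message's alive and dial sets, abridged to one NetBIOS rule each.
FILTERS = load("""
 set filter alive 0 deny 0/0 224.0.0.0/24
 set filter alive 2 deny udp dst eq 53
 set filter alive 3 deny udp src eq 137
 set filter alive 9 deny 0/0 MYADDR icmp
 set filter alive 10 permit 0/0 0/0
 set filter dial 0 deny udp src eq 137
 set filter dial 6 deny tcp finrst
 set filter dial 7 permit 0/0 0/0
""")

# Constructed sample packets; the query mirrors the tcpdump line in the message.
DNS_QUERY = Packet("223.1.2.12", "198.51.100.53", "udp", 36184, 53)
DNS_REPLY = Packet("198.51.100.53", "223.1.2.12", "udp", 53, 36184)
NETBIOS = Packet("223.1.2.12", "223.1.2.255", "udp", 137, 137)
HTTP_SYN = Packet("223.1.2.12", "198.51.100.80", "tcp", 40000, 80, "S")
HTTP_FIN = Packet("223.1.2.12", "198.51.100.80", "tcp", 40000, 80, "FA")
PING_IN = Packet("198.51.100.1", MYADDR, "icmp")


def verdict(p: Packet) -> Dict[str, bool]:
    """Would p bring the link up ("dial") and/or reset the idle timer ("alive")?"""
    return {name: permitted(FILTERS[name], p) for name in ("dial", "alive")}


if __name__ == "__main__":
    for label, p in [("dns query", DNS_QUERY), ("dns reply", DNS_REPLY), ("netbios", NETBIOS),
                     ("http syn", HTTP_SYN), ("http fin", HTTP_FIN), ("ping in", PING_IN)]:
        print(f"{label:10s} {verdict(p)}")
    # Pitfall: a deny-only set with no trailing permit discards everything.
    print("deny-only out set passes HTTP:", permitted(load("set filter out 0 deny 0/0 10/8")["out"], HTTP_SYN))
```

Running it shows the point the message makes in practice: the outgoing DNS query is allowed to dial the link (dial permits it) but does not keep it alive (alive rule 2 denies udp dst 53), while the reply does reset the timer; a FIN from a badly closed session does not dial; and a deny-only set without a final permit passes nothing at all, which is why each set in the message ends with a permit.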



More information about the Linux-greek-users mailing list