Date: Fri, 29 Sep 95 9:23:27 EST
From: M C Wong <mcw@hpato.aus.hp.com>
To: mcw@hpato.aus.hp.com
Cc: freebsd-questions@freefall.freebsd.org, socks@syl.dl.nec.com
Subject: sockd 4.2 and FreeBSD 1.1.5.1 [was Re: [1.1.5.1] option GATEWAY/IPFORWARDING and sockd]
Message-ID: <199509282323.AA165110614@relay.hp.com>
In-Reply-To: <199509280617.AA068479073@relay.hp.com>; from "M C Wong" at Sep 28, 95 4:17 pm
-----BEGIN PGP SIGNED MESSAGE-----

> Hi,
>
> On 1.1.5.1, I wanted to experiment with a socks (sock) based
> dual-homed firewall setup.
>
> I rebuilt a kernel WITHOUT option GATEWAY, and it should
> set IPFORWARDING to 0 according to the options.doc.
>
> However, when I try to telnet out of my default gw via the SLIP
> interface sl0, I CAN get packets out, exactly as with the GATEWAY option enabled.
>
> Can someone tell me what's happening? Basically, I want to turn my
> existing 1.1.5.1 gateway box into a socks-based dual-home firewall box,
> and I thought that to be able to do that we must FIRST disable IPFORWARDING.
> It didn't work for me ...
>
> Can someone help please?
>
> Thanks in advance.

Sorry, I meant to say that the 1.1.5.1 box is also running the sockd 4.2
release, and my understanding (after reading the http://www.socks.nec.com/
stuff) is that sockd ALONE is sufficient to implement a dual-home firewall
machine, i.e. my 1.1.5.1 box is NOT sitting behind a router which can filter
out IP packets. However, I ran into the following problems:

1) On the sock-host (running sockd) I am able to telnet out, and external
hosts (which are denied access in /etc/sockd.conf) are also able to telnet
in to the sock-host. If sockd doesn't handle IP filtering like ipfw or
ip_fil, then I can understand that. If so (i.e. sockd 4.2 doesn't take care
of that IP filtering), does anyone know if SOCKS 5 does? Has anyone ported
ip_fil 2.8a onto a 1.1.5.1 box without making it an LKM?

2) Socks clients (i.e. rtelnet etc., also from the 4.2 dist) are UNABLE to
access beyond the sock-host even when the rules in /etc/sockd.conf and the
routes in /etc/sockd.route have been tested with test_sockd_conf and found
valid! Yes, I have double- and triple-checked the config files and they are
correct. SOCKS_HOST and SOCKS_NS are set to the 1.1.5.1 box as well! It
seems to me the access denial is really the effect of disabling IPFORWARDING
rather than the use of sockd, 8-((!

3) Netscape 1.1 running on a Linux box (behind the sock-host) with the socks
host set to the 1.1.5.1 box and port 1080 (the one actually being used) is
also unable to reach out of the network.

Many thanks in advance.

- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M.C Wong                         Email: mcw@hpato.aus.hp.com
Australian Telecom Operation     Voice: +61 3 272 8058
Hewlett-Packard Australia Ltd    Fax:   +61 3 898 9257
31 Joseph St, Blackburn 3130, Australia   OS: FreeBSD-1.1.5.1
http://www-ato.aus.hp.com/~mcw

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMGsuUUmThh0X7Um5AQHSygP9EuFbGizLFJcpqyq1TxI6B+SnHWt5KjS/
/zdpqwXArkX7mfRfkOOo3jbxgNwBfT2SziqmDj5bQwZnIme0SYeTcD0q94qU0M1k
RzJcBUn7gwVva1akfjX5Y01JpjWTKgsjxEWIOaytM68zP8RWM0SFQWWffl4Tob+e
8Im+vCZZK5o=
=QrUt
-----END PGP SIGNATURE-----
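The confusion in points 1) and 2) above comes down to what a SOCKS4 relay actually decides on. The following is an added example written for this archive page, not code from the original message and not NEC's sockd or its real /etc/sockd.conf grammar: it models a sockd-style rule check over SOCKS4 CONNECT requests in Python. The rule syntax (`permit|deny <src-net> <dst-net>`, first match wins, no match means deny) is a simplified constructed stand-in for sockd.conf, and every address and user id in it is constructed. The point it demonstrates is that the rule check only ever runs on a connection that speaks the SOCKS4 protocol to the proxy port: a plain telnet to port 23 on the proxy host, or an IP packet the kernel forwards between interfaces, never reaches this code, which is why the access control in sockd.conf cannot substitute for IPFORWARDING being off and for the proxy host's own services being locked down.

```python
import ipaddress
import struct

# SOCKS4 wire constants (request: VN=4, CD=1 CONNECT; reply: VN=0, CD=90/91).
SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_VERSION = 0
REPLY_GRANTED = 90
REPLY_REJECTED = 91

# Constructed sample rule file in the simplified syntax described in the lead-in
# (hypothetical 10.1.0.0/16 as the inside network; NOT real sockd.conf grammar).
RULES_TEXT = """
# action  source-network   destination-network
permit    10.1.0.0/16      0.0.0.0/0      # inside hosts may proxy anywhere
deny      0.0.0.0/0        0.0.0.0/0      # everyone else is refused
"""


def build_socks4_connect(dst_ip, dst_port, userid):
    """Build the CONNECT request a SOCKS4 client (rtelnet, a browser) sends."""
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + userid.encode("ascii") + b"\x00"


def is_socks4_request(data):
    """True only if the bytes look like a SOCKS4 CONNECT; telnet option
    negotiation or any other protocol fails this check and never reaches
    the rule table."""
    if len(data) < 9 or data[-1:] != b"\x00":
        return False
    vn, cd = data[0], data[1]
    return vn == SOCKS_VERSION and cd == CMD_CONNECT


def parse_socks4_request(data):
    """Decode a SOCKS4 CONNECT request into its destination and user id."""
    if not is_socks4_request(data):
        raise ValueError("not a SOCKS4 CONNECT request")
    _vn, _cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    return {"dst_ip": str(ipaddress.IPv4Address(raw_ip)),
            "dst_port": port,
            "userid": data[8:-1].decode("ascii", "replace")}


def build_socks4_reply(granted):
    """SOCKS4 reply: version byte 0, then 90 (granted) or 91 (rejected)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", REPLY_VERSION, code, 0, b"\x00" * 4)


def parse_rules(text):
    """Parse the simplified rule syntax into (action, src_net, dst_net) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        action, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError("bad action in rule: %r" % line)
        rules.append((action, ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return rules


def decide(rules, src_ip, dst_ip):
    """First matching rule wins; no match is treated as deny (fail closed)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def sockd_handle(rules, client_ip, request):
    """What the proxy does with one SOCKS4 request from client_ip: apply the
    rule table to (client, requested destination) and answer on the wire."""
    req = parse_socks4_request(request)
    granted = decide(rules, client_ip, req["dst_ip"]) == "permit"
    return build_socks4_reply(granted)


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    req = build_socks4_connect("192.0.2.10", 23, "mcw")    # constructed request
    print("inside client :", sockd_handle(RULES, "10.1.2.3", req)[1])      # 90
    print("outside client:", sockd_handle(RULES, "203.0.113.5", req)[1])   # 91
    # Telnet option negotiation (IAC DO TERMINAL-TYPE) is not a SOCKS request:
    print("telnet bytes are SOCKS4:", is_socks4_request(b"\xff\xfd\x18"))  # False
```

The last line of the demo is the one that matters for point 1): a client that connects straight to the telnet service on the proxy host, rather than to sockd on 1080, presents no SOCKS4 request, so no sockd.conf line is ever consulted for it. Only a packet filter in the kernel, or the service itself refusing the connection, stops that path.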