
Re: no ipchains with 2.2/no network with 2.4





From: Martin Bock <ixel@gmx.de>
To: debian-firewall@lists.debian.org
CC: pierredamas@hotmail.com
Subject: Re: no ipchains with 2.2/no network with 2.4
Date: Wed, 5 Jan 2005 19:16:57 +0100

Pierre,

On Wed, Jan 05, 2005 at 10:58:31AM +0100, Pierre A. Damas wrote:
> Hello,
>
> I am fairly new to debian and firewalls, although I can read
> documentation ;-)
[snip]
> I installed my old Pentium-MMX 200 65Mb RAM, two network adapters (ne
> and 8139too).

ne seems very old to me; in the linux 2.4.20 documentation (sorry, no
older version here) I found it to need io=0xNNN parameter given at
insmod, which is most probably only necessary for ISA cards. Get any PCI
card and you will have no problem in getting it seen by the kernel.

I have no problem with ne, correctly configured (IRQ and port provided). Works well under 2.2, same config for 2.4. Do you think that the module itself may have changed and not be working now? The same would have happened to the 8139too also, since both subnets are unavailable.

> Prerequisite: I don't want to compile my kernel myself (insmod should
> be OK ...

[snip]
> Since I installed the woody distribution, I am the happy owner of a
> kernel 2.2.
>
> In that config, the network works fine (from the server, I can ping
> the two subnets and access Internet).  I installed squid and
> everything is ok.
>
> I would like to use ipchains, but it is "not supported in this
> Kernel", so I searched everywhere to find an ipchains.o module to
> insmod for 2.2 (I found for 2.4).  In which package would it be ?

So what is the precise version of the kernel(2.2) package you installed?


2.2.20 in the current Woody.

> As an alternative, I installed the kernel 2.4.  There, iptables is
> correctly configured, with ACCEPT policies by default.  But in this
> config, the network doesn't work.  I checked with ifconfig, and
> ensured that eth0 and eth1 are up (and it is the case),

You are sure that your interface related to ne is up?

Yes. ifconfig is ok, I down/up them, and received a message from the RTL about 100Mb full duplex.

> but I cannot ping any other machine than the server itself on both
> subnets, and of course cannot access internet.
>
> Iptables seems to be out of cause, since if I halt it, my ping requests are
> correctly rejected with a message, instead of "hanging"...

What do you mean by "halt it"?

I receive a message like "operation not permitted" (cannot reproduce the message from here now) for each of my ping packets, so feeling that they are all rejected. When iptables is started again, ping just hangs.


> For the rest, the network config is exactly the same as the one
> defined for kernel 2.2.  But maybe there are changes in the network
> between these two versions ?

Most certainly there are.

Thanks ;-)


> So, my two questions:
>
> a) where is ipchains.o for the kernel 2.2 ?
> and/or

usually in /lib/modules/2.2.yourkernelversion

Yes, of course, except that they are not there, hence my question "In which package would it be ?" to apt-get it.

> b) what component, installed by default in the kernel-image-2.4.16-586,
> could be the cause of my network blockage ?

I would guess it is this ancient ne card you seem to be using. BTW let
me recommend you to update your system to the current, 4th release of
Woody. There have been *lots* of security fixes, in particular the
kernel 2.4.16 is outdated, you should use 2.4.18.

I wanted to follow the rules, and if 2.2.20 is considered as being the kernel for the stable distribution, I should be able to set-up a "stable" firewall, with security updates.

> I invested more than 20 hours to read all google mailing-lists
> information, firewall how-tos, etc., so a view on the problem by a
> fresh mind would be appreciated...

Or you can use the upcoming Sarge release of Debian. I have set up a
firewall with a snapshot, kernel 2.4.26 and firehol (a firewall
generator), it works like a charm on my probably even older P1 166.


user point of view, stable, no compilation are my mottos ;-)


Good luck, mab

Thanks a lot, mab.



> Thanks,
> Pierre A.