Re: Configuring Diald on gateway
- To: "zoqix" <http://www.yahoo.com/~zoqix>
- Subject: Re: Configuring Diald on gateway
- From: http://dummy.us.eu.org/robert (robert)
- Date: Sat, 9 Nov 2002 01:36:57 -0500
- In-Reply-To: <00c201c043a6$a0eb9640$6688a8c0@krdl.org.sg>
- Keywords: http://www.yahoo.com/~zoqix
> From: "zoqix" <http://www.yahoo.com/~zoqix>
> Date: Wed, 1 Nov 2000 09:54:08 +0800
>
> Hi Robert,
>
> Are the filter rules customized by you?
They were modified from the original standard.filter, yes.
> or is it the original one from diald
> program? Which diald version are you using?
0.16.5-3
>
> Since I'm trying to ignore all internal communications, could I just write a
> rule to ignore packets whose IP source and destination addresses are
> internal?
Yes, but...
> For example, do I use "ignore tcp ip.saddr=192.168.5.0,
> ip.daddr=192.168.5.0"?
Yes, but...
> Is that right if my internal network is 192.168.5.*?
Yes, but...
>
> But this is just for tcp, I still need to add in for the other protocols
> right? What are the other protocols used?
...it's probably a DNS lookup problem, not anything to do with diald per se.
> And why must we turn off DNS lookups?
No, this isn't turning off all DNS lookups.
> What if I tried to access a web page
> from the browser by typing in an url, will it activate the link?
It will work fine.
What the .reg file I gave you does is to disable reverse lookups of all
connections and double DNS lookups, even when the host is in the LM_HOSTS file
(this is an eXceed thing). I was having exactly the same problem as you
before I used this .reg file. (BTW, I got this file/technique from the
diald archives about 1 year ago. See
"Re: netbios & diald problems (dns/domain name resolution/53)",
<http://www.mail-archive.com/http://www.vger.rutgers.edu/~linux-diald/msg00288.html>.)
>
>
> Sorry for the long mail.
>
> ----- Original Message -----
> From: "robert" <http://dummy.us.eu.org/robert>
> To: "zoqix" <http://www.yahoo.com/~zoqix>
> Sent: Tuesday, October 31, 2000 10:37 PM
> Subject: Re: Configuring Diald on gateway
>
> > I've included my configuration files below. I also included the Register
> > file below which turns off DNS lookups from Windows. Hopefully, this may
> > help. If not, give me a call.
> >
> > ---
> >
> >
> > > From: "zoqix" <http://www.yahoo.com/~zoqix>
> > > Date: Tue, 31 Oct 2000 08:14:10 +0800
> > >
> > > Hi Robert, Sorry for the late reply. May I know how you configure
> > > Diald cos mine's not working very consistently. It keeps activating my
> > > link when not needed to, like when I'm accessing my internal network.
> > > For example, pc1 is my gateway. pc2 and pc3 are my clients. The IPs are
> > > 192.168.5.1, 2, and 3. pc1, 2, and 3 are their hostnames. Some
> > > examples are: telnet from pc2 to pc3 will activate the link; ftp from
> > > pc2 to pc3 will also activate the link.
> > > > From: "zoqix" <http://www.yahoo.com/~zoqix>
> > > > Date: Tue, 10 Oct 2000 13:40:34 +0800
> > > >
> > > > Hi, I'm currently using the Diald program. My situation is that
> > > > I'm connecting my PC to a hub (which is connected to a gateway installed
> > > > with an adsl modem). When the gateway detects packets for the external
> > > > network, it will run a script to activate my adsl modem. At timeout,
> > > > it will run another script to down it. I'm using dynamic IP. What if
> > > > I want to telnet to my internal network without activating my adsl
> > > > link? How do I set up the dynamic dns on my gateway? I would want it to
> > > > update the caching name server by the dhcp so that I could telnet by
> > > > hostnames.
> > > > Thanks in advance, zoqix
> > > >
> > > I don't have DSL, but I use diald+ipmasq and I can use my internal
> > > network fine w/o bringing up the modem. If you are still having problems,
> > > please email me and I'll see what I can do.
> >
> > -------------------------------------------------------------------------------
> > etc/diald.conf
> > -------------------------------------------------------------------------------
> > mode ppp
> > ip-up /etc/ppp/ip-up
> > pppd-options debug user xxxx lcp-max-configure 60 lcp-max-failure 60 lcp-max-terminate 12 lcp-echo-interval 6 lcp-echo-failure 50 noipdefault
> > # -pap
> > # refuse-pap refuse-chap
> > # ipcp-accept-local ipcp-accept-remote
> > proxyarp
> > start-pppd-timeout 300
> > first-packet-timeout 240
> > connect /usr/local/lib/diald/connect
> > #disconnect /usr/local/lib/diald/disconnect
> > netmask 255.255.255.0
> > device /dev/modem
> > modem
> > lock
> > crtscts
> > local 192.168.0.1
> > #remote 192.168.0.2
> > remote 216.126.160.226
> > dynamic
> > #-buffer-packets
> > defaultroute
> > #impulse 600,599,1
> > #impulse 320,40
> > # if we get cut-off, don't even try to reconnect
> > died-retry-count 0
> > retry-count 10
> > outfill 30
> > #two-way
> > redial-timeout 6
> > redial-backoff-start 1
> > redial-backoff-limit 90
> > fifo /usr/local/lib/diald/fifo
> > include /usr/local/lib/diald/standard.filter
> > -------------------------------------------------------------------------------
> > lib/diald/standard.filter
> > -------------------------------------------------------------------------------
> > # This is a pretty complicated set of filter rules.
> > # (These are the rules I use myself.)
> > #
> > # I've divided the rules up into four sections.
> > # TCP packets, UDP packets, ICMP packets and a general catch all rule
> > # at the end.
> >
> >
> >
> > #------------------------------------------------------------------------------
> > # Rules for TCP packets.
> > #------------------------------------------------------------------------------
> > # General comments on the rule set:
> > #
> > # In general we would like to treat only data on a TCP link as significant
> > # for timeouts. Therefore, we try to ignore packets with no data.
> > # Since the shortest possible set of headers in a TCP/IP packet is 40 bytes,
> > # any packet with length 40 must have no data riding in it.
> > # We may miss some empty packets this way (optional routing information
> > # and other extras may be present in the IP header), but we should get
> > # most of them. Note that we don't want to filter out packets with
> > # tcp.live clear, since we use them later to speed up disconnects
> > # on some TCP links.
> > #
> > # We also want to make sure WWW packets live even if the TCP socket
> > # is shut down. We do this because WWW doesn't keep connections open
> > # once the data has been transferred, and it would be annoying to have the
> > # link keep bouncing up and down every time you get a document.
> > #
> > # Outside of WWW the most common use of TCP is for long lived connections,
> > # that once they are gone mean we no longer need the network connection.
> > # We don't necessarily want to wait 10 minutes for the connection
> > # to go down when we don't have any telnets or rlogins running,
> > # so we want to speed up the timeout on TCP connections that have
> > # shut down. We do this by catching packets that do not have the live flag
> > # set.
> >
> > # --- start of rule set proper ---
> >
> > # When initiating a connection we only give the link 15 seconds initially.
> > # The idea here is to deal with the possibility that the network on the
> > # opposite end of the connection is unreachable. In this case you don't really
> > # want to give the link 10 minutes up time. With the rule below
> > # we only give the link 15 seconds initially. If the network is reachable
> > # then we will normally get a response that actually contains some
> > # data within 15 seconds. If this causes problems because you have a slow
> > # response time at some site you want to regularly access, you can either
> > # increase the timeout or remove this rule.
> > #accept tcp 15 tcp.syn
> > accept tcp 90 tcp.syn
> >
> > # Keep named xfers from holding the link up
> > ignore tcp tcp.dest=tcp.domain
> > ignore tcp tcp.source=tcp.domain
> >
> > ## keep local slip address from holding the link up
> > #ignore tcp ip.daddr=192.168.0.1
> > #ignore tcp ip.saddr=192.168.0.1
> >
> > # I think these are for real audio
> > keepup tcp 20 tcp.dest=tcp.realaud2
> > keepup tcp 20 tcp.dest=tcp.realaud1
> > keepup tcp 20 tcp.source=tcp.realaud2
> > keepup tcp 20 tcp.source=tcp.realaud1
> >
> > # Keep netbios from holding us up as well.
> > ignore tcp tcp.dest=tcp.netbios-ns
> > ignore tcp tcp.dest=tcp.netbios-dgm
> > ignore tcp tcp.dest=tcp.netbios-ssn
> >
> > # (Ack! SCO telnet starts by sending empty SYNs and only opens the
> > # connection if it gets a response. Sheesh..)
> > # 7/21/98
> > keepup tcp 90 ip.tot_len=40,tcp.syn
> > ignore tcp ip.tot_len=40,tcp.syn
> >
> > # keep empty packets from holding the link up (other than empty SYN
> > # packets)
> > # 7/20/98 -- don't ignore; let fall through...
> > #ignore tcp ip.tot_len=40,tcp.live
> >
> > # make sure http transfers hold the link for 2 minutes, even after they
> > # end.
> > # If the link is already down, don't let a FIN packet bring it back up.
> > # NOTE: Your /etc/services may not define the tcp service www, in which
> > # case you should comment out the following two lines or get a more
> > # up to date /etc/services file. See the FAQ for information on obtaining
> > # a new /etc/services file.
> > #ignore tcp !tcp.live,tcp.dest=tcp.www
> > #ignore tcp !tcp.live,tcp.source=tcp.www
> > # 7/20/98 -- just fall through; will probably get 5 mins anyway...
> > #accept tcp 300 tcp.dest=tcp.www
> > #accept tcp 300 tcp.source=tcp.www
> >
> > # Once the link is no longer live, we let the connection go down
> > # slowly (1.5 minutes).
> > keepup tcp 90 !tcp.live
> > ignore tcp !tcp.live
> >
> > # an ftp-data or ftp connection can be expected to show reasonably
> > # frequent traffic.
> > # 7/21/98
> > #accept tcp 120 tcp.dest=tcp.ftp
> > #accept tcp 120 tcp.source=tcp.ftp
> >
> > #NOTE: ftp-data is not defined in the /etc/services file provided with
> > # the latest versions of NETKIT, so I've got this commented out here.
> > # If you want to define it add the following line to your /etc/services:
> > # ftp-data 20/tcp
> > # and uncomment the following two rules.
> > # 7/21/98
> > #accept tcp 120 tcp.dest=tcp.ftp-data
> > #accept tcp 120 tcp.source=tcp.ftp-data
> >
> > #ssh sessions should be up for 15 mins
> > keepup tcp 900 tcp.dest=tcp.ssh
> > keepup tcp 900 tcp.dest=tcp.sshcont
> >
> > # If we don't catch it above, give the link 5 minutes up time.
> > keepup tcp 300 any
> > ignore tcp any
> >
> > # Rules for UDP packets
> > #
> > # We time out domain requests right away, we just want them to bring
> > # the link up, not keep it around for very long.
> > # This is because the network will usually come up on a call
> > # from the resolver library (unless you have all your commonly
> > # used addresses in /etc/hosts, in which case you will discover
> > # other problems.)
> > # Note that you should not make the timeout shorter than the time you
> > # might expect your DNS server to take to respond. Otherwise
> > # when the initial link gets established there might be a delay
> > # greater than this between the initial series of packets before
> > # any packets that keep the link up longer pass over the link.
> >
> > # Don't bring the link up for rwho.
> > ignore udp udp.dest=udp.who
> > ignore udp udp.source=udp.who
> > # Don't bring the link up for RIP.
> > ignore udp udp.dest=udp.route
> > ignore udp udp.source=udp.route
> > # Don't bring the link up for NTP or timed.
> > ignore udp udp.dest=udp.ntp
> > ignore udp udp.source=udp.ntp
> > ignore udp udp.dest=udp.timed
> > ignore udp udp.source=udp.timed
> > ## keep local slip address from holding the link up
> > #ignore udp ip.daddr=192.168.0.1
> > #ignore udp ip.saddr=192.168.0.1
> > # Don't bring up on domain name requests between two running nameds.
> > #ignore udp udp.dest=udp.domain,udp.source=udp.domain
> > # Bring up the network whenever we make a domain request from someplace
> > # other than named.
> > accept udp 90 udp.dest=udp.domain
> > ignore udp udp.source=udp.domain
> > #accept udp 90 udp.source=udp.domain
> > # Do the same for netbios-ns broadcasts
> > # NOTE: your /etc/services file may not define the netbios-ns service
> > # in which case you should comment out the next three lines.
> > ignore udp udp.dest=udp.netbios-ns
> > ignore udp udp.dest=udp.netbios-dgm
> > ignore udp udp.dest=udp.netbios-ssn
> > # windows is f**king pain
> > #keepup udp 30 udp.dest=udp.netbios-ns
> > #keepup udp 30 udp.source=udp.netbios-ns
> > #accept udp 30 udp.dest=udp.netbios-ns
> > #accept udp 30 udp.source=udp.netbios-ns
> > # keep routed and gated transfers from holding the link up
> > # (a udp rule has to test udp.* fields; tcp.dest/tcp.source here was a typo)
> > ignore udp udp.dest=udp.route
> > ignore udp udp.source=udp.route
> >
> > # Anything else gets 2 minutes.
> > accept udp 120 any
> >
> > # Give icmp packets 30 seconds.
> > accept icmp 30 any
> >
> > # Any packets we did not catch above belong to some bizarre protocol
> > # that we don't know about. Keep up the line for 90 seconds.
> >
> > keepup any 90 any
> > -------------------------------------------------------------------------------
> > dns-reg.reg
> > -------------------------------------------------------------------------------
> > REGEDIT4
> >
> > [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
> > "EnableDNS"="0"
> >
> >
> >
>
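The "Yes, but..." in the reply above, worked through as an added example that is not part of the thread and not diald's code: a small Python model of diald's documented rule semantics (rules are tested in order, the first match decides; `accept` brings a down link up, `keepup` only extends an already-up link, `ignore` does nothing) run over a constructed packet sequence for "telnet pc2 -> pc3" on the 192.168.5.0/24 network from the thread. The `ip.saddr=192.168.5.0/24` prefix notation, the port-name table standing in for /etc/services, the treatment of an unmatched packet as ignored and the upstream resolver address 198.51.100.53 are all assumptions of this model, not claims about diald's parser or about anyone's actual setup.

```python
"""Model of diald-style first-match filter evaluation (added example, not diald code).

Assumptions of the model, not of diald: ip.saddr/ip.daddr accept a CIDR prefix,
port names come from the SERVICES table below, and an unmatched packet is ignored.
"""
import ipaddress
from dataclasses import dataclass

# Assumed port names (stand-in for /etc/services lookups).
SERVICES = {"domain": 53, "telnet": 23, "ssh": 22, "netbios-ssn": 139}


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    saddr: str
    daddr: str
    sport: int
    dport: int
    tot_len: int = 60   # IP total length; 40 would be an empty TCP segment
    syn: bool = False   # diald's tcp.syn
    live: bool = True   # diald's tcp.live: no FIN/RST seen on the flow


@dataclass
class Rule:
    action: str         # accept | keepup | ignore
    proto: str          # tcp | udp | icmp | any
    timeout: int
    conds: list


def load_rules(text):
    """Parse 'action proto [timeout] cond,cond,...' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        action, proto, rest = parts[0], parts[1], parts[2:]
        timeout = int(rest.pop(0)) if rest and rest[0].isdigit() else 0
        conds = rest[0].split(",") if rest else ["any"]
        rules.append(Rule(action, proto, timeout, conds))
    return rules


def _port(name):
    """'tcp.domain' -> 53 via the assumed SERVICES table; bare numbers pass through."""
    return SERVICES[name.split(".", 1)[1]] if "." in name else int(name)


def match_cond(cond, pkt):
    """Evaluate one condition such as '!tcp.live' or 'ip.daddr=192.168.5.0/24'."""
    negate = cond.startswith("!")
    cond = cond.lstrip("!")
    if cond == "any":
        hit = True
    elif cond == "tcp.syn":
        hit = pkt.syn
    elif cond == "tcp.live":
        hit = pkt.live
    else:
        key, val = cond.split("=", 1)
        if key in ("ip.saddr", "ip.daddr"):
            addr = pkt.saddr if key == "ip.saddr" else pkt.daddr
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif key.endswith(".dest") or key.endswith(".source"):
            hit = (pkt.dport if key.endswith(".dest") else pkt.sport) == _port(val)
        elif key == "ip.tot_len":
            hit = pkt.tot_len == int(val)
        else:
            raise ValueError(f"unsupported condition: {cond}")
    return hit != negate


def decide(rules, pkt):
    """First matching rule decides; an unmatched packet is ignored (model assumption)."""
    for r in rules:
        if r.proto in ("any", pkt.proto) and all(match_cond(c, pkt) for c in r.conds):
            return r.action, r.timeout
    return "ignore", 0


def link_triggers(rules, packets):
    """Return, in order, the packets whose rule would bring a down link up."""
    return [p for p in packets if decide(rules, p)[0] == "accept"]


# The proposed internal-only ignore rules in front of a cut of the posted standard.filter.
RULES_WITH_INTERNAL_IGNORE = load_rules("""
ignore tcp ip.saddr=192.168.5.0/24,ip.daddr=192.168.5.0/24
ignore udp ip.saddr=192.168.5.0/24,ip.daddr=192.168.5.0/24
accept tcp 90 tcp.syn
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
keepup tcp 90 !tcp.live
ignore tcp !tcp.live
keepup tcp 300 any
ignore tcp any
accept udp 90 udp.dest=udp.domain
ignore udp udp.source=udp.domain
accept udp 120 any
keepup any 90 any
""")
RULES_WITHOUT_INTERNAL_IGNORE = RULES_WITH_INTERNAL_IGNORE[2:]

# Constructed packets for "telnet pc2 -> pc3" when pc3's telnetd reverse-resolves pc2
# through the gateway's caching name server, which forwards upstream (198.51.100.53 is
# a documentation address, not a real resolver).
TELNET_PC2_TO_PC3 = [
    Packet("tcp", "192.168.5.2", "192.168.5.3", 1025, 23, syn=True),     # SYN to telnetd
    Packet("udp", "192.168.5.3", "192.168.5.1", 1026, 53),               # PTR query to local named
    Packet("udp", "192.168.5.1", "198.51.100.53", 53, 53),               # named forwards upstream
    Packet("tcp", "192.168.5.3", "192.168.5.2", 23, 1025, live=False),   # FIN at logout
]

if __name__ == "__main__":
    for label, rules in (("with internal ignore", RULES_WITH_INTERNAL_IGNORE),
                         ("without", RULES_WITHOUT_INTERNAL_IGNORE)):
        print(label, [(p.saddr, p.daddr, p.dport, decide(rules, p)) for p in TELNET_PC2_TO_PC3])
```

Running it shows the point of the reply: the two internal-only `ignore` rules do swallow the telnet SYN, the local PTR query and the logout FIN, but the caching name server's forwarded query to the upstream resolver has an external destination, so `accept udp 90 udp.dest=udp.domain` still matches and that single packet is what brings the link up. The check to make on a real gateway is therefore what its resolver forwards when an internal connection is made (a packet capture on the link-side interface while running `telnet pc3` is enough), not only the order of the diald rules.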