Subject: Re: help. need cern 3.0?
To: Adam Nicol Delu <abam@othello.sph.berkeley.edu>
From: Monroe Williams <monroe@teleport.com>
List: port-mac68k
Date: 02/03/1996 17:12:08
At 8:54 AM 2/1/96, Adam Nicol Delu wrote:
>Has anybody gotten cern 3.0 httpd to work on their netbsd 68k mac?
>
>Er, or socks5?
>
>I've almost concluded that I'm too stupid to run socks.
Stupid is as stupid does... (ducking)
Sorry, couldn't resist. ;-)
>In any case, I
>can't seem to get a working socks5.conf file that works.
>
>What I'm trying to do:
>^^^^^^^^^^^^^^^^^^^^^^
>I have a real mac, "marsha", (running macbsd 1.1) and a
"Real Macs(tm) run NetBSD"? ;-) Oh, 68k...
>powermac 7100, "cindy", running 7.5. I also have a Linux machine, "bobby"
>running on a 486dx2 66. The netbsd mac is on the net from time to time at
>thesis764.med.uth.tmc.edu. The netbsd mac and the others are on a
>fictitious network that is reserved by the NIC for testing 172.16.0.0 I
>think. I want the other two machines to be able to see out, so that I can
>have netscape running on them, telnet and maybe fetch. Security would be
>nice too, but I'm not that worried--yet.
I've got a similar setup. SE/30 running NetBSD, connected to a PM 7500 via
ethernet and the outside world via dialup ppp (a simple one-address account).
The local machines are on net 127.0.0.x (dns "localnet"). The SE/30 runs
a nameserver for the other machines on ethernet (primary for localnet,
forwarder/cache for the nameserver at the ISP), socks 4.2 (for proxy ftp,
http, etc.), and has the plugboard daemon from fwtk set up to forward pop
and smtp connections to the mailhost at the ISP for Eudora (which isn't
socks-aware :( ). There will probably be some differences, since I run
ppp and have a dynamically-allocated IP address, but I might be some help...
I haven't looked at cern httpd or socks 5, but my socks 4.2 sockd.conf
consists of one non-comment line:
permit 255.255.255.255 0.0.0.0
(I'm not counting on it for security -- just proxy.)
I also:
- turned off packet forwarding and IP redirect with sysctl (in rc.local)
- added the following to /etc/inetd.conf:
socks stream tcp nowait nobody /usr/local/sbin/sockd sockd
pop3 stream tcp nowait nobody /usr/local/etc/plug-gw plug-gw pop3
smtp stream tcp nowait nobody /usr/local/etc/plug-gw plug-gw smtp
- added the following to /etc/serivces:
socks 1080/tcp
- set up the name server with names for local machines and pointed it at the
ISP's nameserver for everything else (This requires a bunch of 'named'
files in /etc, so I won't include the details here. Mail me if you
really want to know.)
- put the following in /usr/local/etc/netperm-table (the fwtk config file):
plug-gw: port pop3 127.0.0.3 -plug-to pop.teleport.com
plug-gw: port smtp 127.0.0.3 -plug-to mail.teleport.com
(teleport.com is my ISP, 127.0.0.3 is the machine I use Eudora on)
- probably did something else critically important and forgot about it.
("Mind like a steel sieve..." -- me)
>How I'm trying to do it:
>^^^^^^^^^^^^^^^^^^^^^^^^
>I've used ifconfig to add the fictitious network to ae0, the UTH slip
>connection to sl0. I've added a route for the net 172.16.0.0. I'm not
>running routed because I think it would be fairly tasteless to broadcast
>my fictitious addresses. I can only get one IP address from UT :-(
>Marsha's also the default gateway on MacTCP for the Powermacintosh.
According to the man page, running routed with the '-q' option will keep it
from broadcasting its routing tables. This should keep outside hosts from
getting confused (and stay inside the bounds of good taste). Anyway, most
ISP's have their dialin servers set up to ignore routing information from
the dialups. (Can you blame them?)
>From the gateway machine, can you 'ping' both machines on your local
network and machines outside the slip link?
What does 'netstat -r' say when your slip/ppp link is active? Mine says:
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default net-nb-pdx01-08.te UG 1 10 - ppp0
127 link#1 UC 0 0 - ae0
localhost localhost UH 3 46 - lo0
archaeopteryx.lo 0:0:94:31:1e:47 UHL 5 65 - lo0
power.localnet 8:0:7:7f:b8:f7 UHL 2 892 - ae0
net-nb-pdx01-08. ip-pdx03-28.telepo UH 1 0 - ppp0
ip-pdx01-08.tele localhost UH 0 0 - lo0
Both routes on interface 'ppp0' are added when pppd starts and removed when
it terminates. The last line (third loopback) is added by pppd, but
doesn't seem to get removed.
(FYI, the SE/30 is {archaeopteryx,gate,ns}.localnet, and the 7500 is
power.localnet. net-nb... is the NetBlazer dialup server, and ip-pdx...
is the dns name of my dynamic IP address.)
>I've been playing with Socks5 for about a week now, but I can't get the
>machines to work with it. It seemed to compile just fine (ran the script
>and let it go all night). The binary seems to run okay. The conf file
>probably doesn't work. I can't attach to the outside, even with netscape
>that is socksified. Socks5 does not come with a config file, unfortunately.
What are the _exact_ symptoms? (See if you can catch all of the things
that flash in the status line in Netscape. Specific messages might be
important.)
What are the contents of your sockd.conf?
When compiling socks 4, I there is a special configuration that can be
enabled for multi-homed hosts with ip forwarding turned off
(MULTIHOMED_SERVER). I DID NOT enable it. (I'm sure I could improve
security by doing so, but all of the other local machines are running
MacOS and thus aren't in much danger :-P). If it is enabled, you'll
have to have another config file telling socks which network interface
is which.
>Anybody have luck with cern or want to help me get socks going? I think
>it would help your NetKarma. Is there an O'reilly book that covers this?
I haven't looked for an O'Reilly book. I think they have a web site...
BTW, fwtk (FireWall ToolKit) is available from:
ftp://ftp.tis.com/pub/firewalls/toolkit/
If you (or anyone on the list) are interested in seeing some of my config
files, I can mail specific ones out or put them up for http. Polite requests
via email will be considered. ;-) (I've just been watching the mayhem
on the linux-ppc mailing list. Ick. Let's stay civil here.)
***DISCLAIMER***
While I have taken a TCP/IP class and had some experience with network
administration, I'm not a 'trained professional', and I figured out
much of this information from manpages and trial/error. It works for me,
but I might just be lucky, and I won't guarantee that following my example
will keep your ISP from coming after you for wedging their routers, etc.
(Mine hasn't complained yet, though...)
-- monroe