Weblog entry #10 for pedxing
See all weblog entries made by pedxing.
#10
ipkungfu: too damn smart for my own good.
Posted by pedxing on Fri 3 Feb 2006 at 14:36
Being a lazy sort of person, I wanted a pre-built firewall solution for my home system. I have Debian unstable running on my main PC, which has two nics, one to my Bell Sympatico DSL modem, and one to my internal network.
I downloaded ipkungfu, which allowed me to NAT to my network by changing "GATEWAY" from 0 to 1. I restarted, everything worked. From my days with ipfw and ipchains, I was very impressed with how quickly it went. I didn't have to tell it anything.
Problems arose when I tried to punch through 22 to my box, so I could ssh in. I added 22 to the allowed ports, but nothing happened.
After trying `ipkungfu -t`, I realized (eventually) that it was using eth1 as my external interface, rather than ppp0. "How is that possible" you say? It turns out that (at least in Toronto), Bell supplies modems which also act as silly little pseudo-routers. Debian was searching for a DHCP server on eth1 by default. When the modem saw a DHCP request, it slipped into "Gateway" mode, and made a connection, giving eth1 a private IP, and forwarding no ports back inside.
I set eth1 to manual in /etc/network/interfaces, brought it down-then-up to clear the ip and route information, then `pon dsl-provider` brought me back online, with the ports forwarded properly.
Now that I've got everything running smoothly, I can't sing the praises of ipkungfu highly enough. I am very impressed with it's smarts, as far as automagically configuring itself to fit the network, and making things work, even when they really aughtn't.
I downloaded ipkungfu, which allowed me to NAT to my network by changing "GATEWAY" from 0 to 1. I restarted, everything worked. From my days with ipfw and ipchains, I was very impressed with how quickly it went. I didn't have to tell it anything.
Problems arose when I tried to punch through 22 to my box, so I could ssh in. I added 22 to the allowed ports, but nothing happened.
After trying `ipkungfu -t`, I realized (eventually) that it was using eth1 as my external interface, rather than ppp0. "How is that possible" you say? It turns out that (at least in Toronto), Bell supplies modems which also act as silly little pseudo-routers. Debian was searching for a DHCP server on eth1 by default. When the modem saw a DHCP request, it slipped into "Gateway" mode, and made a connection, giving eth1 a private IP, and forwarding no ports back inside.
I set eth1 to manual in /etc/network/interfaces, brought it down-then-up to clear the ip and route information, then `pon dsl-provider` brought me back online, with the ports forwarded properly.
Now that I've got everything running smoothly, I can't sing the praises of ipkungfu highly enough. I am very impressed with it's smarts, as far as automagically configuring itself to fit the network, and making things work, even when they really aughtn't.
Comments on this Entry
Excellent article. Thanks for sharing. I learned lots of things from it.
Why didn't you submit it as contributed article? I think it well worth it.
[ Parent | Reply to this comment ]
Posted by Anonymous (64.231.xx.xx) on Sun 12 Feb 2006 at 18:06
It seems fairly specific, and if anyone googles for "ipkungfu sympatico" they'll get here. Glad you were able to get something from it.
[ Parent | Reply to this comment ]
Posted by Anonymous (216.195.xx.xx) on Fri 3 Mar 2006 at 23:03
I'm the author of ipkungfu, so I ego-surf and google it from time to time, and this article made me grin. I'm glad you're enjoying it!
[ Parent | Reply to this comment ]