RE: Network troubleshooting, any experts?

From: Rotariu Bogdan (bogdan_at_alterox.ro)
Date: 05/01/04

    To: For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Sat, 01 May 2004 08:41:01 +0300
    
    
    
    

    lol, he just spoofed his addresses so the list can't see the real IPs.

    On Sat, 2004-05-01 at 08:13, Eric Diamond wrote:
    > Wednesday, April 28, 2004 2:04 PM Elam Daly asked:
    > > At this particular company we have a webserver, that sits behind a
    > > firewall/router. All incoming port 80 traffic is directed to this
    > > server. All computers in the company reside internally on
    > > 123.123.123.* IP addresses. All DNS resolution is done externally.
    >
    > How did you get the 123.123.123/24 address space assigned to your
    > network?
    >
    > According to IANA:
    >
    > <start clip>
    > INTERNET PROTOCOL V4 ADDRESS SPACE
    >
    > (last updated 28 April 2004)
    >
    > The allocation of Internet Protocol version 4 (IPv4) address space to
    > various registries is listed here. Originally, all the IPv4 address
    > space was managed directly by the IANA. Later parts of the address
    > space were allocated to various other registries to manage for
    > particular purposes or regional areas of the world. RFC 1466 [RFC1466]
    > documents most of these allocations.
    >
    > Address
    > Block  Date    Registry - Purpose         Notes or Reference
    > -----  ------  -------------------------  ------------------
    > 000/8  Sep 81  IANA - Reserved
    > 001/8  Sep 81  IANA - Reserved
    > 002/8  Sep 81  IANA - Reserved
    > 003/8  May 94  General Electric Company
    > ...
    > 122/8  Sep 81  IANA - Reserved
    > 123/8  Sep 81  IANA - Reserved
    > 124/8  Sep 81  IANA - Reserved
    > 125/8  Sep 81  IANA - Reserved
    > 126/8  Sep 81  IANA - Reserved
    > 127/8  Sep 81  IANA - Reserved            See [RFC3330]
    > <end clip>
    >
    > The 123 address space is clearly a reserved Class A Address.
    >
    > Are you using NAT? I sincerely hope so. But if so, then why not use one
    > of the private address spaces? If not, you're lucky you're getting any
    > traffic back at all.
    >
    > > Now the problem is that all computers on the network can browse the
    > > internet and do various chores like telnet and ssh with no problem,
    > > except for the web server. I can ssh, telnet etc. to other computers
    > > on the internal network from the web server but not to the outside
    > > world.
    >
    > For the rest of your network, see above.
    >
    > For your web server, the question of NAT applies but is compounded by
    > issues regarding the way your ISP is forwarding the web traffic in their
    > router.
    >
    > > I have no firewall running, and just to be sure I've flushed the
    > > iptables and ran the /etc/rc3.d/iptables script with the -stop flag.
    > > I've also talked to the ISP (it's their router) and they claim that
    > > if all the other computers can get web access then so should the
    > > webserver.
    >
    > Now, I have seen cases where ISPs will limit outgoing connections from
    > known, world-accessible servers connected to their network, over which
    > they have no direct security control. But in this case, I have a gut
    > feeling that another 123.123.123.240 exists somewhere out there (someone
    > else using a reserved address) and some of your traffic is just getting
    > lost. The general purpose router protocols are supposed to keep this
    > sort of thing from happening, but when unassigned addresses are added
    > into the mix, unpredictable things can start popping up (or dropping out
    > as the case may be.)
    >
    > Eric Diamond
    > eDiamond Networking & Security
    > 303-246-9555
    > eric@ediamond.net
    >

    -- 
    Rotariu Bogdan <bogdan@alterox.ro>
    Alterox Sistem
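
The addressing check discussed in the quoted reply, as an added example that is not part of the original thread: it sorts internal host addresses into RFC 1918 private space, the /8 blocks the quoted IANA clip lists as reserved, and everything else, then groups the non-private hosts by /24. The inventory is constructed for illustration; only 123.123.123.240 appears in the thread, and the reserved set reflects only the rows visible in the 28 April 2004 clip.

```python
import ipaddress

# RFC 1918 private blocks, intended for internal networks behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First octets shown as "IANA - Reserved" in the clip quoted in the thread
# (snapshot dated 28 April 2004; the clip elides rows between 003/8 and 122/8).
RESERVED_IN_CLIP = {0, 1, 2, 122, 123, 124, 125, 126, 127}

# Constructed inventory (assumption): only 123.123.123.240 is from the thread.
SAMPLE_INVENTORY = {
    "webserver": "123.123.123.240",
    "workstation": "123.123.123.17",
    "printer": "192.168.1.10",
    "fileserver": "10.0.0.5",
}


def classify(addr):
    """Return 'private', 'reserved-in-clip' or 'other' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.packed[0] in RESERVED_IN_CLIP:
        return "reserved-in-clip"
    return "other"


def audit(inventory):
    """Group internal hosts that are not on RFC 1918 space by their /24."""
    findings = {}
    for host, addr in sorted(inventory.items()):
        if classify(addr) != "private":
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            findings.setdefault(str(net), []).append(host)
    return findings


if __name__ == "__main__":
    for net, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{net}: not RFC 1918 space, hosts: {', '.join(hosts)}")
```
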
    
    

    
    
