Re: networking with mol/molvconfig


Subject: Re: networking with mol/molvconfig
From: R Shapiro (reshapiro@mediaone.net)
Date: Fri Nov 10 2000 - 06:11:56 MST


Gérard Degrez writes:
> BTW, apart from its use together with MOL, what kind of things
> could ethertap be used for?

I haven't heard of any other practical use. But in theory, a
user-space network device is a nice concept :)

> So, I first configured my virtual LAN over the ethertap device using
> the instructions of Takeshi Oe

I did this too, and was then told by Samuel that it was out of date.
This is what happens when everyone answers questions by saying "check
the archives"....

> > Configure tap0

You don't want to make /dev/tap0 anymore, or at least you don't have
to.

> /sbin/ifconfig tap0 192.168.0.1 netmask 255.255.255.0 up arp
> /sbin/route add -host 192.168.0.1 tap0

These are still required, using whatever address and netmask you
prefer.

> echo "1" > /proc/sys/net/ipv4/conf/tap0/proxy_arp
> /sbin/arp -s 192.168.0.2 FE:FD:00:00:00:00 pub

These are not required any more and probably shouldn't be done.

> - the initial connection was rather slow (no big deal, but has this
> been experienced by others as well?), after which the file transfers
> themselves were really fast.

I haven't noticed this. Do you mean the first tcp connection after
booting mol, or the initial traffic of every connection you make?

> - from MOL, I couldn't connect by ftp (Fetch) as root.

Others have responded to this. It's a security feature which you
don't want to disable.

As for using scp instead of ftp - sure, you can do that and it will be
a little more secure. But there really aren't any serious issues
sending non-root passwords over ethertap, or at least no more so than,
say, typing a password in a local X window. This is particularly true
if you're running a single-user machine. An ftp client with a nice
gui is really a lot more convenient than scp.

> The next step now is to get the masquerading working.

It's pretty simple. In the most common case you only need two
ipchains rules: one to configure the timing parameters for masqueraded
connections and one to forward packets from the ethertap net to
whatever physical device you're using for your real net connection
(eth0, ppp):

  ipchains -M -S 7200 10 160 [choose whatever numbers you prefer]
  ipchains -A forward -i $DEVICE -s $LOCALNET -j MASQ

where DEVICE is the physical net device and LOCALNET is the ethertap
network (in your case "192.168.0.0/24"). The numbers in the first
rule are for tcp, tcpfin, and udp timeouts, respectively, in seconds.

If you're running a firewall on your main device (which you probably
should be) and if your default input and output policies are DENY
(which they probably should be) you'll also need to ensure that you're
not blocking the LOCALNET traffic:

  ipchains -A output -i $LOCALDEV -s $ANY -d $LOCALNET -j ACCEPT
  ipchains -A input -i $LOCALDEV -s $LOCALNET -d $ANY -j ACCEPT

-- 
reshapiro@mediaone.net
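The whole procedure from the message above, collected into one script as an added example (it is not part of the original post and not MOL's own code). It assumes the names used in the thread: tap0 as the ethertap device, 192.168.0.1/24 as the host side of the virtual LAN, eth0 as the upstream device, and the 7200/10/160 timeouts; all of these are plain variables you can override. The one step the message does not mention is enabling IP forwarding via /proc, which 2.2 kernels require before anything in the forward chain is consulted. By default the script only prints the commands, so it can be reviewed on any machine; it executes them only when invoked with "apply" as root.

```shell
#!/bin/sh
# Added example: ethertap + ipchains masquerading setup for MOL, 2.2 kernels.
# Defaults below are assumptions taken from the thread; override via env.
: "${DEVICE:=eth0}"            # physical device with the real net connection
: "${LOCALDEV:=tap0}"          # ethertap device MOL talks to
: "${TAPADDR:=192.168.0.1}"    # host side address on the ethertap net
: "${NETMASK:=255.255.255.0}"
: "${LOCALNET:=192.168.0.0/24}"
: "${ANY:=0.0.0.0/0}"
: "${TIMEOUTS:=7200 10 160}"   # tcp, tcpfin, udp masquerade timeouts (seconds)

# Emit the command sequence, one per line, in the order it must run.
# Args (optional): physical device, ethertap device, ethertap network (CIDR).
mol_nat_rules() {
    dev=${1:-$DEVICE}
    ldev=${2:-$LOCALDEV}
    net=${3:-$LOCALNET}
    case "$net" in
        */*) ;;   # ipchains wants the network in CIDR form
        *) echo "LOCALNET must be CIDR, e.g. 192.168.0.0/24" >&2; return 1 ;;
    esac
    cat <<EOF
/sbin/ifconfig $ldev $TAPADDR netmask $NETMASK up arp
/sbin/route add -host $TAPADDR $ldev
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -M -S $TIMEOUTS
ipchains -A forward -i $dev -s $net -j MASQ
ipchains -A output -i $ldev -s $ANY -d $net -j ACCEPT
ipchains -A input -i $ldev -s $net -d $ANY -j ACCEPT
EOF
}
# Note: the ip_forward line is not in the original message; it is the
# kernel switch the forward chain (and therefore MASQ) depends on.

# Execute the rules. Refuses to run unless root, stops at the first failure.
mol_nat_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "mol_nat_apply: run as root" >&2; return 1; }
    mol_nat_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Usage: sh mol-nat.sh         -> print the commands (dry run, no privileges)
#        sh mol-nat.sh apply   -> execute them as root
case "${1:-}" in
    apply) mol_nat_apply ;;
    "")    mol_nat_rules ;;
esac
```

Dry-run output is the exact command list, so the masquerade rule and the two ACCEPT rules can be diffed against the thread before anything touches the live chains. Keep the ACCEPT rules bound to the ethertap device with -i; an ACCEPT for the 192.168.0.0/24 range on the physical device would let spoofed packets from outside through a DENY default policy.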



This archive was generated by hypermail 2a24 : Fri Nov 10 2000 - 06:11:50 MST