Archive for March 3rd, 2003
The Universe broke
Posted: March 3rd, 2003 by Frank
Well I finally got the firewall mostly working: all the personal machines are behind charlesmartel on the 192.168.x.x private net, whilst bunter is doing all the hosting in the DMZ and Charlie routes and firewalls.
BTW, IMO DMZ is the wrong term. We’ve got a partial castle metaphor going with ‘bastion host’, let’s push it. It’s not a DMZ anyway… There’s a firewall on the router to keep out the most bogositous stuff, and then a tighter firewall protecting the family boxes. So it’s the outer bailey, between the layers of fortification. A DMZ is ‘no man’s land’, which is different.
Anyway, it seems that everything except plain old http is broken. SMTP-Auth still seems to be working, though it takes forever; pop3s isn’t (bunter won’t talk to us), and pop3 is also taking forever. I may have to park a workstation in the outer bailey for a while to figure out what the problem is. (I don’t trust charlesmartel, since he is the firewall.)
And I wrote an entry here earlier today and it seems to have gone to never-never land. This time I’ll verify its presence before closing the browser.
However, it looks like things sort of work, and if we ever get a connection (Global Crossing can’t see the loop between our house and the CO) I can log on to bunter to get things running. I won’t activate the router firewall till the connection works.
In preparation for this exercise I read Red Hat Linux Firewalls, by Bill McCarty. Excellent book: I could read it without tearing my hair out, but still felt that I was learning stuff. For sure I still copied the example when setting up my own firewall (BTW, a download site for that multipage typing exercise would be a nice bit of lagniappe for the book), but when I then set out to modify it, I felt I really knew what I was doing.
However there were a few things I still had to puzzle out:
1. A range statement in dhcpd.conf needs to be inside a subnet statement. This is an error in the Red Hat 8 Bible from Sam’s.
2. You need to turn on IP forwarding if you want your firewall to work.
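The two points above, as an added example that is not from the post or the book: a dhcpd.conf with the range inside the subnet block, and the forwarding/NAT rules a charlesmartel-style box needs. Interface names and the 192.168.1.0/24 addressing are assumptions (the post only says 192.168.x.x).

```shell
#!/bin/sh
# Added example: assumed interface names; LAN_IF faces the family boxes,
# OUT_IF faces the router and the outer bailey.
LAN_IF=${LAN_IF:-eth1}
OUT_IF=${OUT_IF:-eth0}
LAN_NET=192.168.1.0/24

# Point 1: a 'range' statement is only valid inside a 'subnet' block.
dhcpd_conf() {
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.100 192.168.1.150;
}
EOF
}

# Point 2: forwarding must be on, or nothing crosses the box at all.
# The rule set is printed rather than executed so it can be reviewed first;
# pipe it to sh as root to apply. FORWARD defaults to DROP, NAT is done with
# MASQUERADE, and replies are matched by connection state. ICMP errors
# (the ones traceroute relies on) come back as RELATED, so they are allowed
# even though no NEW traffic is accepted from the outside.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -o $OUT_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $OUT_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

Run `dhcpd_conf > /etc/dhcpd.conf` and `fw_rules | sh` on the firewall box; the latter is idempotent because it flushes the chains it fills.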
Traceroute and ping are also still not working fully. This is way too much like work.
Nonetheless, I think it’s time to get Lisa’s garden journal up. The seeds got started two weeks ago. This means getting “Gallery” running, then creating an MT script to show things the way she wants.
Sheesh, why do I want a day job? I have enough things I want to do to keep me busy 25 hours/day for years.
Posted under Tech Stuff.
Comments: none
Mail Madness
Posted: March 3rd, 2003 by Frank
My next project while we’re offline is to get our mail system properly configured. Like everything else around here, we need the industrial strength version: because Lisa travels she needs to check (and answer) her mail from the road, so we need SMTP-AUTH. And we run multiple domains.
I’ve looked, and I haven’t found an MTA except sendmail that will do both. And sendmail is a !@#$%^& to deal with. Cool mascot though.
I’ve been using Linuxconf’s vpop setup and it’s worked pretty well. Unfortunately, Linuxconf doesn’t support SMTP-Auth. The sendmail.cfs it generates seem to support GSSAPI SMTP-Auth, which is Kerberos, but not plain old ‘plain’.
However, once I decided to fight my way through the jungle, getting SMTP-Auth working seems too easy to be true: I activated Cyrus-SASL (installed by default), did whatever I needed (sorry, forgot to write it down) to give myself a password, went into sendmail.mc, told it it grokked ‘plain’ (just uncommented the appropriate entry) authentication, rebuilt sendmail.cf with m4, and presto, it worked.
Of course this was all after spending hours reading the docs for both Cyrus-SASL and Sendmail. The docs just aren’t that helpful, and the new Sendmail book hadn’t arrived from Amazon. But the sample file is pretty well documented, and my blind edit worked.
So Bunter is checking passwords before relaying. Now hopefully Lisa can get her mail without Earthlink calling us an open relay. (We weren’t).
Stay tuned for the next thrilling chapter in the saga.
Posted under Tech Stuff.
Comments: none
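The sendmail.mc edit described in the post, as an added example (not the post’s own files): the two ‘dnl’-commented AUTH lines are uncommented with sed, and a second step the post does not mention keeps PLAIN/LOGIN from being offered over an unencrypted session. sample_mc is a constructed stand-in for the relevant part of /etc/mail/sendmail.mc as Red Hat shipped it; the cf.m4 path is the Red Hat sendmail-cf location.

```shell
#!/bin/sh
# Added example. Constructed excerpt of a stock Red Hat sendmail.mc: the
# SMTP AUTH lines are present but disabled with a leading 'dnl'.
sample_mc() {
    cat <<'EOF'
OSTYPE(`linux')dnl
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A')dnl
MAILER(smtp)dnl
EOF
}

# Step 1 (what the post did): uncomment the two AUTH lines.
# TRUST_AUTH_MECH lets clients that authenticated with these mechanisms
# relay; confAUTH_MECHANISMS is what sendmail advertises in EHLO, so a
# client that only speaks PLAIN can log in (Cyrus SASL checks the password).
enable_smtp_auth() {
    sed -e '/^dnl TRUST_AUTH_MECH(/s/^dnl //' \
        -e '/^dnl define(`confAUTH_MECHANISMS/s/^dnl //'
}

# Step 2 (hardening, not in the post): PLAIN and LOGIN carry the password in
# the clear. confAUTH_OPTIONS flag 'p' makes sendmail offer them only inside
# a security layer (STARTTLS), so a sniffer between the road and bunter never
# sees credentials. STARTTLS (confSERVER_CERT etc.) must be configured too,
# otherwise PLAIN simply stops being offered and clients cannot authenticate.
require_tls_for_plain() {
    sed "/^define(\`confAUTH_OPTIONS/s/\`A'/\`A p'/"
}

# Usage (sample_mc stands in for the real file):
#   sample_mc | enable_smtp_auth | require_tls_for_plain > sendmail.mc
#   m4 /usr/share/sendmail-cf/m4/cf.m4 sendmail.mc > sendmail.cf
```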
Through the Firewall
Posted: March 3rd, 2003 by Frank
Still no ‘net. Verizon was supposed to have their connection up by Friday, and GC would try to put bits on it today. At 1530 on Friday I got an email from GC that Verizon hadn’t called, and GC would call them first thing Monday (today). It’s now noon and no news.
But, on the good side, I actually seem to have the firewall up and NAT working. (We only have 14 working IPs, down from 30, so it’s DHCP time, and from there, a real firewall.) Anyway, I’m typing this on my box inside the firewall, and sending it out to bunter in the DMZ, so at least something is working.
(BTW, the castle metaphor is more fun and more accurate. There’ll also be a firewall on the router, and bunter and the other server are between the firewalls. That’s not a DMZ, it’s the outer bailey: it is defended, even if not as well as the individual workstations.)
Anywho. Things still aren’t perfect: ping isn’t working quite right (I think I know the problem) and I’ve yet to test mail. But it’s getting real close.
Posted under Tech Stuff.
Comments: none