Comments
Squid transparent proxy problem
by KidneyPi - Mar 3rd 2008 16:25:08
I have a problem with using ipkungfu to set up a transparent proxy with
squid. I had everything working on one network. I moved the machine to its
permanent home on another network and everything broke. I traced the
problem with the gateway configuration to too many conflicting rules not
getting cleared out when ipkungfu runs, so that is fixed.
/etc/ipkungfu/redirect.conf includes a line that says
tcp:80:3128:internal. This doesn't seem to be used in the actual
configuration. When I list the rules in iptables and grep for port 3128, I
find there is no rule. What can I do?
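
One way to check whether a redirect.conf entry made it into the loaded ruleset (an added example, not part of the original post and not ipkungfu code). REDIRECT rules are only valid in the nat table, which a plain `iptables -L` does not list, so the check reads `iptables-save` output. The field layout of `tcp:80:3128:internal` (protocol, original port, new port, direction) is an assumption based on the line quoted above, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not ipkungfu code. Assumed redirect.conf field layout:
#   proto:original_port:new_port:direction   (e.g. tcp:80:3128:internal)

# has_redirect ENTRY DUMP
# Returns 0 if the nat table in DUMP (iptables-save format) holds a REDIRECT
# rule for proto/original_port to new_port, 1 if not, 2 if ENTRY is malformed.
has_redirect() {
    entry=$1
    dump=$2
    old_ifs=$IFS
    IFS=:
    set -f              # no globbing while the entry is split on ":"
    set -- $entry
    set +f
    IFS=$old_ifs
    [ $# -ge 3 ] || return 2
    printf '%s\n' "$dump" | awk -v p="$1" -v f="$2" -v t="$3" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && /-j REDIRECT/ {
            gp = gf = gt = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p")         gp = $(i + 1)
                if ($i == "--dport")    gf = $(i + 1)
                if ($i == "--to-ports") gt = $(i + 1)
            }
            if (gp == p && gf == f && gt == t) found = 1
        }
        END { exit !found }'
}

# Constructed sample in iptables-save format: port 3128 is mentioned in the
# filter table, but only the nat rule makes the proxy transparent.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

if has_redirect 'tcp:80:3128:internal' "$SAMPLE_DUMP"; then
    echo "redirect 80 -> 3128 present in nat table"
else
    echo "redirect 80 -> 3128 missing from nat table"
fi
```

On a live system, pass the output of `iptables-save -t nat` as the second argument.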
Log gone awry
by lizard - Mar 6th 2007 18:51:02
Great tool! Much more functional than many of the competitors. One issue
that's cropped up is that my logging seems to be broken. Despite the conf
file pointing at syslog (which is right) and ipkungfu -c coming up as
loaded, nothing from it is showing up in syslog. Some attack analysis tools
seem to indicate that the firewall is working perfectly, but there ought to be
a log of the attempts.
grep IPKF /var/log/syslog returns nothing.
I'm running MEPIS 6.0 (essentially Dapper Ubuntu). Any idea where my log
output could be going?
Two questions on ipkungfu
by Kim C. Callis - Jan 7th 2007 01:39:15
First off... I am thinking about running this on a WRT54gs under openwrt
RC6. Is there any way to allow for time restrictions? I know that I can set
time restriction with iptables, but if I remember correctly, that is kernel
based.
Secondly, is there any real documentation on using ipkungfu?
-- K.C. Callis
Error running ipkungfu, issue with bind9
by tboyko - Sep 18th 2006 17:21:03
First off, thank you for making this great tool! Now, if only I
could get two issues resolved!
When I run ipkungfu, I get the following error:
"/usr/sbin/ipkungfu: line 903: echo: write error: Invalid
argument"
This is under Ubuntu Linux. I installed via apt-get. I get the
same error during boot when ipkungfu runs. I'm not sure if
this is causing any real issues.
The other problem I have is with ipkungfu and Bind9. I have
port 53, both udp and tcp open. When I reboot the machine
and try to do a dig from an external computer, the
connection times out. When I do it locally, it works. Now, if
I reload bind9 or re-run ipkungfu, dig will work externally
again. Strange, no?
Taylor
Errors when starting ipkungfu
by yellowtip - Sep 6th 2006 19:35:45
When starting ipkungfu 0.6.0 on my Ubuntu Dapper server, I get several
errors. All does seem to be working ok, but I just don't like the errors.
If there's any way I can resolve them, it would be great. Thanks in
advance!
root@server:/lib/modules# ipkungfu
Checking integrity: .. PASSED
Checking MD5 Hash of config files: OK
Restoring /proc settings from cache:/usr/local/sbin/ipkungfu: line 329: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 330: /proc/sys/net/ipv4/icmp_echo_ignore_all: Operation not permitted
/usr/local/sbin/ipkungfu: line 334: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/usr/local/sbin/ipkungfu: line 341: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 344: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/usr/local/sbin/ipkungfu: line 347: /proc/sys/net/ipv4/tcp_fin_timeout: Operation not permitted
/usr/local/sbin/ipkungfu: line 348: /proc/sys/net/ipv4/tcp_keepalive_intvl: Operation not permitted
/usr/local/sbin/ipkungfu: line 349: /proc/sys/net/ipv4/tcp_keepalive_time: Operation not permitted
/usr/local/sbin/ipkungfu: line 350: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
/usr/local/sbin/ipkungfu: line 351: /proc/sys/net/ipv4/tcp_sack: Operation not permitted
/usr/local/sbin/ipkungfu: line 352: /proc/sys/net/ipv4/tcp_max_syn_backlog: Operation not permitted
/usr/local/sbin/ipkungfu: line 354: /proc/sys/net/ipv4/tcp_syncookies: Operation not permitted
/usr/local/sbin/ipkungfu: line 358: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/usr/local/sbin/ipkungfu: line 362: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/usr/local/sbin/ipkungfu: line 377: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 377: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 377: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 377: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 392: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 393: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 392: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 393: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 392: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 393: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 392: echo: write error: Operation not permitted
/usr/local/sbin/ipkungfu: line 393: echo: write error: Operation not permitted
OK
Restoring iptables rules from cache: OK
-- --
YellowTip Reservations: The Ultimate Scheduling
Software
http://www.yellowtip.com
Re: Errors when starting ipkungfu
by Trappist - Sep 6th 2006 19:52:05
I've never seen those before. It looks like something's gone horribly
wrong with your /proc mount. I would advise rebooting and trying again.
If that doesn't work, meet me on irc (irc.freenode.net) in #ipkungfu and
we'll see what we can figure out.
-- If it ain't broke, tweak it!
Where's the MD5 Checksum of the tarball?? for 0.6
by apusone - Sep 3rd 2006 13:46:39
Hi,
I'm probably too daft to find it on the site.
A checksum would be good to allow confirmation of origin.
Thanks
ApusOne
Re: Where's the MD5 Checksum of the tarball?? for 0.6
by Trappist - Sep 3rd 2006 15:33:45
> I'm probably too daft to find it on the site.
> A checksum would be good to allow
> confirmation of origin.
Good point. I added it to the front page of http://linuxkungfu.org with
the release announcement.
-- If it ain't broke, tweak it!
strange errors upon startup after upgrade to 2.6.17 kernel
by Andrew - Jun 23rd 2006 10:08:33
I'd be very grateful for any hints what should be done to take away these
errors. They did not show up while the kernel was 2.6.16 and I wonder what
went wrong, perhaps some kernel options should be enabled. My kernel config
is accessible at http://unofficial.portaone.com/~marduk/.config
gentoo tmp # /etc/init.d/ipkungfu start
* Starting ipkungfu ...
Bad argument `10.0.0.0/255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `10.0.0.0/255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
getsockopt failed strangely: No such file or directory
getsockopt failed strangely: No such file or directory
getsockopt failed strangely: No such file or directory
getsockopt failed strangely: No such file or directory
[ ok ]
--
Thanks,
Andrew
Re: strange errors upon startup after upgrade to 2.6.17 kernel
by Trappist - Jun 23rd 2006 10:45:28
Andrew,
Ipkungfu hasn't been tested yet on 2.6.17. There were a lot of changes to
the netfilter code there, and it's very possible that it's incompatible
with ipkungfu. I'll get around to testing it soon, and if necessary I'll
release an update for compatibility.
> I'd be very grateful for any hints what should be done to take away these
> errors. They did not show up while the kernel was 2.6.16 and I wonder what
> went wrong, perhaps some kernel options should be enabled. My kernel config
> is accessible at http://unofficial.portaone.com/~marduk/.config
>
> gentoo tmp # /etc/init.d/ipkungfu start
> * Starting ipkungfu ...
> Bad argument `10.0.0.0/255.0.0.0'
> Try `iptables -h' or 'iptables --help' for more information.
> Bad argument `10.0.0.0/255.0.0.0'
> Try `iptables -h' or 'iptables --help' for more information.
> getsockopt failed strangely: No such file or directory
> getsockopt failed strangely: No such file or directory
> getsockopt failed strangely: No such file or directory
> getsockopt failed strangely: No such file or directory
> [ ok ]
-- If it ain't broke, tweak it!
Re: strange errors upon startup after upgrade to 2.6.17 kernel
by baly - Apr 16th 2007 00:58:39
> Andrew,
>
> Ipkungfu hasn't been tested yet on 2.6.17. There were a lot of changes to
> the netfilter code there, and it's very possible that it's incompatible
> with ipkungfu. I'll get around to testing it soon, and if necessary I'll
> release an update for compatibility.
>
> > I'd be very grateful for any hints what should be done to take away these
> > errors. They did not show up while the kernel was 2.6.16 and I wonder what
> > went wrong, perhaps some kernel options should be enabled. My kernel config
> > is accessible at http://unofficial.portaone.com/~marduk/.config
> >
> > gentoo tmp # /etc/init.d/ipkungfu start
> > * Starting ipkungfu ...
> > Bad argument `10.0.0.0/255.0.0.0'
> > Try `iptables -h' or 'iptables --help' for more information.
> > Bad argument `10.0.0.0/255.0.0.0'
> > Try `iptables -h' or 'iptables --help' for more information.
> > getsockopt failed strangely: No such file or directory
> > getsockopt failed strangely: No such file or directory
> > getsockopt failed strangely: No such file or directory
> > getsockopt failed strangely: No such file or directory
> > [ ok ]
>
You can fix this by commenting the following line out of
/etc/ipkungfu/cache/rules.cache
-A PREROUTING -s 10.0.0.0/255.0.0.0 -d ! 10.0.0.0/255.0.0.0 -j RETURN
great product
by mike reavey - Jul 10th 2005 07:06:15
I've been using ipkungfu for 2 years now on a 3 nic linux system.
I highly recommend it.
http://mreavey.homeip.net
thanks to trappist
mike reavey
excellent utility
by rvwinkle - Feb 15th 2004 12:39:36
After days of frustration and failure with manual scripting of iptables and
numerous other iptable configurators I was shocked and stunned just how
easy ipkungfu made it to get my firewall/router up and running with just
one nic. I think it took me about 15 minutes from having heard a rumor
about this package until I had my NAT Forwarding and stealth firewall modes
in place and working better than I could have even hoped for. Outstanding
work!
-- Linux 2.4.22-10mdksmp #1 SMP i686 Mandrake 9.2
Issues with forwarding GRE Protocol 47
by Rob - Jan 29th 2004 22:57:51
Great job on writing an incredibly easy script for configuring a firewall.
Problem I'm having right now is trying to configure vhost.conf to allow GRE
protocol 47 through the firewall for a VPN connection.
Apparently it doesn't know what protocol 47 is, cause when I ask it to
forward 47 it fails to start.
Any suggestions?
Great Job--Again :)
by H4wkwind - Jan 12th 2003 11:47:40
Trappist,
Great job once again man. You've written the easiest firewall there seems
to be. Keep up the good work, and ermmm yeah, a mailing list will be nice
too :) I recommend IPKF to every new user I switch over to Linux, simply
cuz it works so good, and because it's so darn easy to install and run.
Hawkwind
error .. perhaps :-)
by Martin - Nov 19th 2002 16:53:03
Hi
I had a problem with deny_hosts.conf:
the line:
if [ ! -z $BADGUY_HOSTS ] ; then
should be changed to:
if [ ! -z "$BADGUY_HOSTS" ] ; then
Re: error .. perhaps :-)
by Trappist - Nov 20th 2002 22:05:52
Martin: Thanks! Fixed for the next release
> I had a problem with deny_hosts.conf:
-- If it ain't broke, tweak it!
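
Why the quoting fix in this thread matters for a deny list, as an added example (not ipkungfu code): with more than one host in BADGUY_HOSTS the unquoted test makes `[` fail with an error, the `if` body is skipped, and no deny rules are produced. Only the two test lines come from the post; the DROP rule printed by the loop and the host addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ipkungfu code. Dry run: rules are printed, never applied.
# The DROP rule format and the host addresses are constructed.

# deny_rules MODE HOSTS
# MODE "unquoted" uses the test line from the post, "quoted" the fixed one.
deny_rules() {
    mode=$1
    BADGUY_HOSTS=$2
    if [ "$mode" = unquoted ]; then
        # Expands to `[ ! -z host1 host2 ]` for two hosts: the shell reports
        # an error, `[` returns 2, and the block below is skipped.
        if [ ! -z $BADGUY_HOSTS ] ; then apply=yes; else apply=no; fi
    else
        if [ ! -z "$BADGUY_HOSTS" ] ; then apply=yes; else apply=no; fi
    fi
    [ "$apply" = yes ] || return 0
    for host in $BADGUY_HOSTS; do
        echo "iptables -A INPUT -s $host -j DROP"
    done
}

# Number of rules each form would generate for a given host list.
rule_count() {
    deny_rules "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

for hosts in '' '192.0.2.10' '192.0.2.10 198.51.100.7'; do
    echo "hosts='$hosts' unquoted=$(rule_count unquoted "$hosts")" \
         "quoted=$(rule_count quoted "$hosts")"
done
```

An empty or single-host list behaves the same in both forms, which is why the unquoted line can go unnoticed until a second host is added.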
good job
by starfan - Nov 10th 2002 00:17:43
I have used ipkungfu since it was released, and have had no problems with
it. It was very easy to configure - I know a little about iptables, but I
doubt I could have written a better or more thorough script. It covers
things I would not have thought of. Thanks and keep up the good job. I look
forward to the next release.
forwarding/tunneling
by Mark Maxey - Oct 7th 2002 14:11:53
I'm using ipkungfu on a webserver.
However, I'm trying to set up an ssh tunnel to direct ftp through from my
local machine to the remote one for dreamweaver (not my choice, i'd use
sftp, but a client needs it).
What do I need to change in your firewall script in order to allow me to
redirect a local port over an ssh tunnel to a remote machine?
Please email me at markmaxey_work@yahoo.com instead of replying here if
you don't mind.
DHCP
by Geert Theys - Sep 25th 2002 04:55:33
Situation:
Internalnet - Externalnet
Got a machine masquerading. But it is also the DHCP server for the
internal machines. When I'm very strict in my script, I can't seem to let
the DHCP communication pass on the internalnet.
I'm very strict inside as outside. I'm not a network-engineer, but I'm
trying to understand why it doesn't work. I still use ipchains, but I'm
going to switch to iptables. But it's the principle I'm trying to grasp.
My ipchain rules trying to allow DHCP:
${IPCHAINS} -A input -s ${LAN} -d ${ETHIP} \
-i eth0 -p tcp --dport 67:68 -j ACCEPT
${IPCHAINS} -A input -s ${LAN} -d ${ETHIP} \
-i eth0 -p udp --dport 67:68 -j ACCEPT
Does your script handle my situation correctly? My internalnet will get
his DHCP ip???? Then I'll use yours and drop mine :)
Re: DHCP
by Trappist - Sep 25th 2002 16:50:54
As long as the ip addresses handed out by your dhcp server are within the
range you specify for LOCAL_NET it should work fine. However, if you want
to be strict with traffic on the internal network, this may not be for you
(yet). All traffic is currently allowed on the internal network. As for
your ipchains rules, I'm not familiar with ipchains syntax.
> Situation:
>
> Internalnet - Externalnet
>
> Got a machine masquerading. But it is also the DHCP server for the
> internal machines. When I'm very strict in my script, I can't seem to let
> the DHCP communication pass on the internalnet.
>
> I'm very strict inside as outside. I'm not a network-engineer, but I'm
> trying to understand why it doesn't work. I still use ipchains, but I'm
> going to switch to iptables. But it's the principle I'm trying to grasp.
>
> My ipchain rules trying to allow DHCP:
>
> ${IPCHAINS} -A input -s ${LAN} -d ${ETHIP} \
> -i eth0 -p tcp --dport 67:68 -j ACCEPT
> ${IPCHAINS} -A input -s ${LAN} -d ${ETHIP} \
> -i eth0 -p udp --dport 67:68 -j ACCEPT
>
> Does your script handle my situation correctly? My internalnet will get
> his DHCP ip???? Then I'll use yours and drop mine :)
-- If it ain't broke, tweak it!
Re: DHCP
by Trappist - Oct 15th 2002 22:05:23
What you are trying to do will work with ipkungfu. However, all traffic on
and from the internal network is currently allowed, so if you wish to
maintain strict control of internal traffic, you may want to wait until I
add support for that. Thanks.
-- If it ain't broke, tweak it!