08-16-2011, 09:56 AM
Andre Speelmans
telnet on local LAN question

You say you tried telnet to port 25 at <other>, have you tried it to
the IP-address as well? It seems unlikely this will work, as ping to
<other> resolves fine, but just to be sure.
On other, is there actually a mailserver listening on port 25?
Is there a firewall on <name> or on <other>?

If needed you can always use tcpdump to see what traffic is going out,
and what traffic is coming in.

--
Regards,

André
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
08-16-2011, 11:11 AM
Rick Sewill
telnet on local LAN question

On Tuesday, August 16, 2011 12:04:57 AM Paul Allen Newell wrote:
> Greetings
>
> I am trying to figure out how to get communication between my F14 boxes
> on a local wired LAN. The best test case I can come up with to prove
> that I don't know what I am doing wrong is telnet.
>
<...snip...>
> Ping works great between all of the machines for both <otherX> and
> <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
> should
>
> But a telnet <otherX> 25 or telnet <otherX>.localdomain 25 fails.
>
> I can't tell if I need to add information about the other machines
> somewhere else on <name> or if they really are known but something is
> blocking it.
>

You didn't say if you could telnet locally to your local host:
Does this command work: telnet localhost
If not, the telnet service needs to be enabled/started.

Another possibility, iptables might be blocking it.
See if your iptables allows new incoming connections on the tcp telnet port.

There are other possibilities, but these are the first two I'd check.

If you plan to use ssh instead of telnet anyway, it is best to do ssh instead.
I believe ssh is normally enabled/started.
I believe iptables is normally set up to allow incoming ssh connections.

I'm not sure the default sshd settings in /etc/ssh/sshd_config.
I'd go through those options. Please see man sshd_config

I think the default is now only protocol 2 -- good if that's true.

I wish the default didn't allow PasswordAuthentication.
For testing and getting ssh working, password authentication may be okay.
Wouldn't want PasswordAuthentication as my default.
It is best to use PubkeyAuthentication, at a minimum, with good keys.

I think the default is to allow root login. Wish that were not the case.
Make the person ssh in on a normal user account and su to root.
Please change "PermitRootLogin yes" to "PermitRootLogin no"

Please limit which users can come in over ssh in /etc/sshd_config.
Use AllowGroups and/or AllowUsers.

Not sure if you want X11Forwarding or not.

Some object to security by obscurity,
but you might wish to change the ssh port from port 22 to some other port.
It doesn't stop hackers if they discover your open ssh port.
It slows down those hackers who only look for ssh on port 22.

Question for iptables/firewall GUI people...
is there a way to specify ip address ranges in any firewall GUIs?

Rather than allow new incoming ssh connections
from any IP address given by the rule,
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
I think the OP would like to specify acceptable IP address ranges.

The OP sounds like he only wants local hosts coming in.
By hand, I would have entries with the source IP address range specified
as in -s 192.168.0.0/16, -s 10.0.0.0/8, -s 172.16.0.0/12

I can muck up /etc/sysconfig/iptables manually...most people shouldn't.
Bad things can happen if they don't know what they are doing.
It would be nice if firewall GUIs did this for them.
Which firewall GUIs do?
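Added example, not from the thread: a small checker that reads an sshd_config and reports which of the points Rick makes above (protocol 2 only, no root login, key rather than password authentication, AllowUsers/AllowGroups, X11Forwarding) the file does not satisfy. The two sample configs are constructed; sshd's compiled-in defaults vary by version, so the checker only reports what the file says explicitly.

```python
"""Check an sshd_config against the hardening points Rick lists above.
Added example, not from the thread; the sample configs are constructed."""
import re

# Values the post argues for: protocol 2 only, no root login over ssh,
# public-key rather than password authentication.
RECOMMENDED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for active lines. Keywords are case-insensitive
    and sshd honours the first occurrence of a keyword, so later duplicates
    are ignored here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return a sorted list of findings; an empty list means every point
    in the post is satisfied."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = s.get(key)
        if have is None:
            findings.append(f"{key}: not set, so the compiled-in default applies; set it to {want}")
        elif have.lower() != want:
            findings.append(f"{key}: is {have}, should be {want}")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("allowusers/allowgroups: neither set, so any account may log in")
    if s.get("x11forwarding", "no").lower() == "yes":
        findings.append("x11forwarding: yes; turn it off unless you need it")
    return sorted(findings)


# Constructed samples: a permissive config and its hardened counterpart.
WEAK = """\
# constructed sample
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED = """\
# constructed sample
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
X11Forwarding no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "ok")
```

Run it against a copy of /etc/ssh/sshd_config to get the list of findings; a keyword that is absent is reported as such rather than guessed, because the default for it depends on the OpenSSH build.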
 
08-16-2011, 11:11 AM
Craig White
telnet on local LAN question

On Mon, 2011-08-15 at 22:04 -0700, Paul Allen Newell wrote:
> Greetings
>
> I am trying to figure out how to get communication between my F14 boxes
> on a local wired LAN. The best test case I can come up with to prove
> that I don't know what I am doing wrong is telnet.
>
> Each machine has a /etc/hosts looking like (where <name> is the machine
> name and <other> is any other machine:
> +++
> 127.0.0.1 <name> localhost.localdomain localhost <name>.localdomain localhost4
> ::1 <name> localhost6.localdomain6 localhost6 <name>.localdomain
>
> 192.168.2.10 <other1>.localdomain <other1>
> 192.168.2.11 <other2>.localdomain <other2>
> 192.168.2.12 <other3>.localdomain <other3>
> +++
>
> For the other machines, its name is removed in the 192.168.10.x list and
> 192.168.2.13 <name>.localdomain <name> is added
>
> Each machine has a /etc/sysconfig/network of:
> +++
> NETWORKING=yes
> HOSTNAME=<name>.localdomain
> NTPSERVERARGS=iburst
> +++
>
> I didn't see any reference to <name> or <otherX> in
> /etc/sysconfig/network-scripts/ifcfg-eth0, so I am not including it ...
> if there should be something, I'd love to know! I can't think of any
> other place for <otherX> or <otherX>.localdomain, but that's out of
> ignorance as I haven't encountered this sort of problem before.
>
> The splash screen for all machines is <name>.localdomain. The command
> hostname returns <name>.localdomain.
>
> Ping works great between all of the machines for both <otherX> and
> <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
> should
>
> But a telnet <otherX> 25 or telnet <otherX>.localdomain 25 fails.
>
> I can't tell if I need to add information about the other machines
> somewhere else on <name> or if they really are known but something is
> blocking it.
>
> I also can't use mail/mailx between the machines. I noticed that
> mail/mailx always resolves <otherX> to <otherX>.localdomain (and sending
> to self is resolved to <name>.localdomain), so I changed network to use
> the localdomain suffix and added it in /etc/hosts before the instance of
> <other>. Neither telnet or mail/mailx worked with just <name>, so I am
> pretty certain that I didn't break anything by changing <name> to
> <name>.localdomain.
>
> Some machines were already using hostname of <name>.localdomain and my
> records aren't good enough to know how I specified the name of the
> machine when I installed F14 (it never was an issue as everything worked
> until I tested mail/mailx and telnet so I never documented exactly how I
> should set machine name on install).
>
> It seems that the telnet problem is a simpler one than the mail/mailx
> and if I can at least get telnet working, then I am closer to getting
> mail/mailx working.
>
> Any suggestions?
----
by default, the typical smtp servers aren't listening for connections on
any interface other than 127.0.0.1 - which smtp daemon are you using? Is
it configured to listen on the 192.168.2.x interface?

As far as name resolution goes, unless you have a local dns server, you
will have to manage /etc/hosts file on each computer if you want
computers to know each other by name. I much prefer using DNS over managing
separate files on separate computers but that is for you to decide.

localdomain is fine - some people also use .local (which comports with
other service providers such as avahi) - it really doesn't matter as
long as what you use is consistent from machine to machine and fits DNS
standards (alpha-numerics and dashes)

Also - I think you sort of discovered, on redhat systems (and Fedora is
of this class)... /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=lin-workstation.azapple.com
NTPSERVERARGS=iburst
is a reasonable configuration

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

 
08-16-2011, 11:16 AM
Craig White
telnet on local LAN question

On Tue, 2011-08-16 at 06:11 -0500, Rick Sewill wrote:
> On Tuesday, August 16, 2011 12:04:57 AM Paul Allen Newell wrote:
> > Greetings
> >
> > I am trying to figure out how to get communication between my F14 boxes
> > on a local wired LAN. The best test case I can come up with to prove
> > that I don't know what I am doing wrong is telnet.
> >
> <...snip...>
> > Ping works great between all of the machines for both <otherX> and
> > <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
> > should
> >
> > But a telnet <otherX> 25 or telnet <otherX>.localdomain 25 fails.
> >
> > I can't tell if I need to add information about the other machines
> > somewhere else on <name> or if they really are known but something is
> > blocking it.
> >
>
> You didn't say if you could telnet locally to your local host:
> Does this command work: telnet localhost
> If not, the telnet service needs to be enabled/started.
----
you obviously missed that he was trying to telnet to port 25

Please use greater care in understanding what the OP is trying to do
before chasing him down a useless path. He doesn't need telnet server.

Craig


 
08-16-2011, 02:43 PM
Tim
telnet on local LAN question

On Mon, 2011-08-15 at 22:04 -0700, Paul Allen Newell wrote:
> Each machine has a /etc/hosts looking like (where <name> is the machine
> name and <other> is any other machine:
> +++
> 127.0.0.1 <name> localhost.localdomain localhost <name>.localdomain localhost4
> ::1 <name> localhost6.localdomain6 localhost6 <name>.localdomain
>
> 192.168.2.10 <other1>.localdomain <other1>
> 192.168.2.11 <other2>.localdomain <other2>
> 192.168.2.12 <other3>.localdomain <other3>
> +++
>
> For the other machines, its name is removed in the 192.168.10.x list and
> 192.168.2.13 <name>.localdomain <name> is added

That's a rather complex explanation, which sounds like you're giving
each machine a unique hosts file, where their own hostnames are written
differently than the other machines on the LAN. I wouldn't do that.

Or that you've got two different subnets on the same LAN (192.168.10 and
192.168.2), and you're trying to talk between them. Again, I wouldn't
do that, unless I had to. You've either got to have a gateway between
them, at the boundary between the two networks (and all the computers
have to be configured to appropriately use the gateway). Or, if they
actually are all on the same LAN, you'd set the netmask to be
255.255.0.0 instead of 255.255.255.0 (so they don't try to reach the
other subnet through a gateway).

Presume that I have about four machines, I've called them fred, george,
martha, and dave. They'll all have the same hosts file on them, like
this.

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

192.168.1.1 fred.localdomain fred
192.168.1.2 george.localdomain george
192.168.1.3 martha.localdomain martha
192.168.1.4 dave.localdomain dave

None of them will have any part of their hostnames inserted into the
local loopback lines. That /can/ cause problems with reverse look-ups,
when you want the looked-up IP of a hostname to actually be their IP on
the LAN, not the loopback address (which is identical on each machine).

It gets messier if a box has two addresses (whether or not it has two
network interfaces). In that situation, I don't try associating the same
hostname with two different addresses, it causes problems. I'll have a
variation for the second address.

e.g. 192.168.1.1 fred.localdomain fred
192.168.2.1 fred-two.localdomain fred-two


Do you really have:

> NTPSERVERARGS=iburst

In the /etc/sysconfig/network file?

> I didn't see any reference to <name> or <otherX> in
> /etc/sysconfig/network-scripts/ifcfg-eth0, so I am not including it ...
> if there should be something, I'd love to know! I can't think of any
> other place for <otherX> or <otherX>.localdomain, but that's out of
> ignorance as I haven't encountered this sort of problem before.

You don't need to put hostnames into specific interface configuration
files. The computer *works* *out* its host name from its IP.

i.e. From the computer's point of view, it's told I'm 192.168.1.2 (by
any of several means of configuring an IP). I do a reverse look-up of
that IP, and find out that it's george.localdomain. I do a forward
look-up of george.localdomain and find out I'm 192.168.1.2 (I could have
more than one, and if it's different, I cycle through looking forward
and back). I work out that my hostname is george, and my domain name is
localdomain (there's a configuration option of how many dots in a name,
to handle multiple dots in fully-qualified domain names, to work out the
separation between hostname and domain name).

The point being that name resolution of what name is associated with
what IP, tells me what the hostname is (whether by hosts file, DNS
look-ups, or some other method). Rather than hardcoding I am george,
into some configuration file. Although that is also possible.

> Ping works great between all of the machines for both <otherX> and
> <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
> should
>
> But a telnet <otherX> 25 or telnet <otherX>.localdomain 25 fails.

The default configuration for a mail server has it only listening to the
local loopback addresses, it needs customising to accept connections
from another machine. And may need customising for the domain names
that you are using. And, you may have fun with mail if you don't use a
DNS server, since hosts files can't answer MX queries. Mailservers will
also do the IP/name look-up game that I've already detailed.

> I also can't use mail/mailx between the machines. I noticed that
> mail/mailx always resolves <otherX> to <otherX>.localdomain (and sending
> to self is resolved to <name>.localdomain), so I changed network to use
> the localdomain suffix and added it in /etc/hosts before the instance of
> <other>. Neither telnet or mail/mailx worked with just <name>, so I am
> pretty certain that I didn't break anything by changing <name> to
> <name>.localdomain.

You might want to expand upon *why* you're wanting to use different
FQDNs for machines. That may point out where the snag is.

As I outlined, above, how a machine works out its address. When it
comes to multiple addresses, the sequence will determine which out of
many it may make use of.

e.g. I'm 192.168.1.1. If there are two different names attached to that
IP, the first answer is the answer. If I do a look-up for that name and
a different IP is the answer, the cycle is repeated to find the name for
that IP.

This gets fun with DNS records and CNAMES that point to other CNAMES
(i.e. aliases, to describe CNAMES in another way).

> Some machines were already using hostname of <name>.localdomain and my
> records aren't good enough to know how I specified the name of the
> machine when I installed F14 (it never was an issue as everything worked
> until I tested mail/mailx and telnet so I never documented exactly how I
> should set machine name on install).
>
> It seems that the telnet problem is a simpler one than the mail/mailx
> and if I can at least get telnet working, then I am closer to getting
> mail/mailx working.

It does sound like IP and name resolution is your prime problem.

For anything more than about three machines I prefer using DNS than
hosts files. It gets a pain having to synchronise changes across
several computers, particularly if you experiment and change names and
IPs around.

Years ago I did mess around with the notion of each machine being its
own mail server, and being able to directly mail between machines. But
it was more painful than setting up one machine as the server for all,
and less practical.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



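Added example, not from the thread: a parser for /etc/hosts-style text that runs the reverse-then-forward look-up cycle Tim describes, and a check for the arrangement he advises against (the machine's own name on the loopback lines). The three hosts files are constructed: Tim's layout from the post, the original poster's layout as seen from one box, and one name attached to two addresses.

```python
"""Parse an /etc/hosts-style text and run the reverse/forward look-up cycle
Tim describes above. Added example, not from the thread; all hosts contents
below are constructed."""

LOOPBACK_PREFIX, LOOPBACK6 = "127.", "::1"


def parse_hosts(text):
    """Return (forward, reverse) maps, each keeping file order so that, like the
    hosts resolver, the first line listing a name (or an address) wins."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            forward.setdefault(name.lower(), []).append(ip)
        reverse.setdefault(ip, []).extend(n.lower() for n in names)
    return forward, reverse


def resolve(forward, name):
    """Forward look-up: first address listed for the name, or None."""
    ips = forward.get(name.lower())
    return ips[0] if ips else None


def reverse_resolve(reverse, ip):
    """Reverse look-up: canonical (first) name on the line for the address, or None."""
    names = reverse.get(ip)
    return names[0] if names else None


def work_out_hostname(hosts_text, my_ip, max_steps=4):
    """Reverse-look-up my address, forward-look-up the answer, and repeat while
    the two disagree. Returns (fqdn, hostname, domain, settled_ip), or None
    when the address has no name at all."""
    forward, reverse = parse_hosts(hosts_text)
    ip = my_ip
    for _ in range(max_steps):
        fqdn = reverse_resolve(reverse, ip)
        if fqdn is None:
            return None
        back = resolve(forward, fqdn)
        if back == ip:
            host, _, domain = fqdn.partition(".")
            return fqdn, host, domain, ip
        ip = back
    return None


def names_on_loopback(hosts_text):
    """Non-localhost names placed on 127.x / ::1 lines: the arrangement Tim
    advises against, because look-ups of the machine's own name then answer
    the loopback address instead of its LAN address."""
    _, reverse = parse_hosts(hosts_text)
    found = set()
    for ip, names in reverse.items():
        if ip.startswith(LOOPBACK_PREFIX) or ip == LOOPBACK6:
            found.update(n for n in names if not n.startswith("localhost"))
    return sorted(found)


# Tim's layout: identical file on every box, own name only on the LAN line.
TIM_STYLE = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

192.168.1.1 fred.localdomain fred
192.168.1.2 george.localdomain george
192.168.1.3 martha.localdomain martha
192.168.1.4 dave.localdomain dave
"""

# The original poster's layout as seen from george: own name on the loopback
# lines and removed from the LAN list (constructed from his description).
OP_STYLE = """\
127.0.0.1 george localhost.localdomain localhost george.localdomain localhost4
::1 george localhost6.localdomain6 localhost6 george.localdomain

192.168.1.1 fred.localdomain fred
192.168.1.3 martha.localdomain martha
192.168.1.4 dave.localdomain dave
"""

# One name on two addresses, which Tim says he avoids (constructed).
TWO_ADDRESSES = """\
192.168.1.1 fred.localdomain fred
192.168.1.5 fred.localdomain fred  # second interface, same name
"""
```

With TIM_STYLE, george at 192.168.1.2 works out "george.localdomain" and settles on its own LAN address. With OP_STYLE the same box cannot work its name out from its LAN address at all, and a forward look-up of "george" answers 127.0.0.1. With TWO_ADDRESSES a box that is 192.168.1.5 settles on 192.168.1.1 after one extra round, which is the kind of surprise Tim's "variation for the second address" avoids.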
 
08-16-2011, 07:18 PM
Paul Allen Newell
telnet on local LAN question

Thanks to everyone for replies ... lot of information that I need to
learn about before I can test. I wanted to make sure I got this "thanks"
out now rather than waiting for me to sort through it all.

Paul
 
08-17-2011, 05:51 AM
Andre Speelmans
telnet on local LAN question

Hi Tim,

> That's a rather complex explanation, which sounds like you're giving
> each machine a unique hosts file, where their own hostnames are written
> differently than the other machines on the LAN. I wouldn't do that.

It sounds to me quite normal what he says.
Every host has a hosts-file where all other machines are listed as
<ip> <fqdn> <short name>
And the local machine has its name added to the 127.0.0.1 line.

> It gets messier if a box has two addresses (whether or not it has two
> network interfaces. In that situation, I don't try associating the same
> hostname with two different addresses, it causes problems. I'll have a
> variation for the second address.

I don't see any problem with a machine that has the same name on
different addresses. One of our servers actually does have 10 NIC's,
of which some are bonded and some have aliases, leaving it with about
a dozen IP-addresses. It still has only one hostname. Depending on who
or what is talking to it, it will know which IP to use. (Of course,
you know that.)

> You don't need to put hostnames into specific interface configuration
> files. The computer *works* *out* its host name from its IP.

Normally the hostname is put into the file /etc/sysconfig/network.
And regarding the working out the hostname: it does not even need to
know its own name to send or receive data. All it needs to know is the
IP-address of the remote machine. It will not do reverse or any
look-up to resolve its own hostname to do a telnet to a remote server.

>> Ping works great between all of the machines for both <otherX> and
>> <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
>> should

This part from OP is a dead give-away that his hosts files are
apparently working fine, that his network configuration is okay and he
has packets going out and being received. Name resolving, gateways,
whatever has no part of it. If that would be the case, ping would not
work.

> The default configuration for a mail server has it only listening to the
> local loopback addresses, it needs customising to accept connections
> from another machine.

That is a very probable answer. And easy for Paul to test.
If he can do locally a telnet to 127.0.0.1 on port 25, but not
remotely to the IP of the server, his most likely case is the
mailserver not listening, or a firewall.

> And may need customising for the domain names
> that you are using. And, you may have fun with mail is you don't use a
> DNS server, since hosts files can't answer MX queries. Mailservers will
> also do the IP/name look-up game that I've already detailed.

He is not doing any MX-queries, he is telnetting to the mailserver.
Only after the mailserver responds will it do a reverse look-up. And,
as the remote's IP is in the hosts file, will happily continue. It
would even if it were not, except it can't list the host's name then in
logfile, but will only use the IP-address.

> You might want to expand upon *why* you're wanting to use different
> FQDNs for machines. That may point out where the snag is.

As far as I see, he is not.

> It does sound like IP and name resolution is your prime problem.

No, after all he can ping them by name. Name resolving works. And
reverse lookups by the mail server are done after it has made a
connection.

> For anything more than about three machines I prefer using DNS than
> hosts files. It gets a pain having to synchronise changes across
> several computers, particularly if you experiment and change names and
> IPs around.

DNS is indeed the way to go for a larger environment. Three computers?
I would probably use hosts files. But then, you tell you switch the
IP's often. And although off topic I really wonder: why??
A server's IP-address is about one of the most static things I can think of.

Note: sorry if this sounded a bit like nit-picking, Tim (as it feels
to me now I read it over again). That was not the intention, although
I want to make clear to the OP that name resolving is *not* his
primary problem, seeing he can ping by name.


--
Regards,

André
 
08-17-2011, 06:25 AM
Paul Allen Newell
telnet on local LAN question

On 8/16/2011 10:51 PM, Andre Speelmans wrote:

I have been going through all the responses I got so far and am now in
process of going through this. I can't test the 127.0.0.1 as I've got my
systems somewhat horked trying to sort things out ... after this email I
am backing everything up to "factory install" to try out this and the
other suggestions for tests.

What I do know at this point is that it is not a matter of name
resolution as I tried telnet <name> 22 to use ssh which I know works and
the name resolved with a connection made (though utterly useless to use).

Aside from the concerns about "why is my network the way it is" which I
intend to address, I am pretty certain the problem is in iptables. I can
telnet to cs.cmu.edu, so I know telnet is working on all my machines.

My iptables is the default per F14 installation:
+++
# Generated by iptables-save v1.4.9 on Tue Aug 16 22:13:30 2011
# Used command "iptables-save > iptables_F14_ORIGINAL_yoyo"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9950:627381]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 16 22:13:30 2011
+++

I don't understand the OUTPUT as it is different for each of the three
machines I am working with, but from what I can tell from the iptables
literature, my issue is with INPUT

I added a LOG on input immediately before rejecting and can see that, on
the destination machine, there is an entry corresponding to the request
"telnet <name>" (note I have dropped the port number to allow telnet to
use its default port):
+++
Aug 16 22:39:58 chalupa kernel: [ 2784.447580] IN=eth0 OUT=
MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11
DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=49145 DF PROTO=TCP
SPT=36385 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
+++

I don't see anything in /var/log/message on the machine that I did the
telnet request on (which would be the 192.168.2.11 in the above message)

I have been trying what I think is the correct edit in all permutations I
can think of ... as in:
+++
iptables -I INPUT <wherever the log entry is> -{s,d}
192.168.2.{10,11} -p tcp --{destination,source}-port telnet -j ACCEPT
+++

I am not having success and the messages in the log are showing me that
I am making a mess. One of the interesting things is I am now getting
"connection refused" rather than "no route to host" and I need to see
what change I made caused that (which is also interesting as I would
have expected "connection refused" if the resolution was "REJECT"?)

If I know what 192.168.2.x machines I want to be able to telnet to and I
modify all machines to have the necessary in iptables to allow a telnet
to/from, what am I missing?

Thanks in advance (this iptables stuff is a bit daunting ...),
Paul

 
08-17-2011, 01:07 PM
Rick Sewill
telnet on local LAN question

> My iptables is the default per F14 installation:
> +++
> # Generated by iptables-save v1.4.9 on Tue Aug 16 22:13:30 2011
> # Used command "iptables-save > iptables_F14_ORIGINAL_yoyo"
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [9950:627381]
>

iptables entries are processed in the order found...

> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Above line jumps to "ACCEPT" for any packet with an established connection.

> -A INPUT -p icmp -j ACCEPT
Above line jumps to "ACCEPT" for any icmp packet.

> -A INPUT -i lo -j ACCEPT
Above line jumps to "ACCEPT" for any packet from the loopback interface.

> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Above line jumps to "ACCEPT" for any ssh packet establishing a new connection.

May I suggest inserting an entry, at this spot, for mail, something like the
following.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The goal of the previous line is to jump to "ACCEPT" for any mail packet
establishing a new connection.

Instead of the above line, you might want to specify a source IP address range
to limit which IP addresses can send mail to your machine.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -s 192.168.2.0/24 -j ACCEPT
The goal of -s 192.168.2.0/24, in the above line, is to only accept incoming
connections to port 25 (the default smtp port), if the source IP address of
the packet is in the range 192.168.2.0 - 192.168.2.255.

> -A INPUT -j REJECT --reject-with icmp-host-prohibited
Above line jumps to "REJECT" for any packet destined to the host.
As I said the order of entries is important.

> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
Above line jumps to "REJECT" for any packet the host might forward.

> COMMIT
> # Completed on Tue Aug 16 22:13:30 2011
> +++
>

I apologize for not reading your original message and going off on a telnet/ssh
tangent in a previous email.

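Added example, not from the thread: a first-match walk over the INPUT chain, the way Rick describes it above, fed with the packet from the kernel LOG line Paul posted earlier. The rule set and the log line are copied from the thread and the two inserted rules are Rick's (the second joined onto one line); the other packets and the `insert_before_reject` helper are constructed for the example. It also covers Rick's earlier point about restricting a rule to a source range with `-s`.

```python
"""Walk an iptables-save INPUT chain in order, the way Rick describes above,
and feed it the packet from the kernel LOG line Paul posted. Added example,
not from the thread; the rule text and log line are copied from the posts,
the extra packets are constructed."""
import ipaddress
import shlex

# The F14 rule set quoted in the thread.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9950:627381]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Rick's two suggested insertions (the second one joined onto one line).
MAIL_ANY = "-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT"
MAIL_LAN = "-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -s 192.168.2.0/24 -j ACCEPT"

# The LOG line from Paul's post (one line in the kernel log).
LOG_LINE = ("IN=eth0 OUT= MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 "
            "DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=49145 DF PROTO=TCP "
            "SPT=36385 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_log_line(line):
    """Turn the KEY=value fields of a LOG entry into a packet dict. A bare SYN
    (no ACK) is the start of a connection, i.e. conntrack state NEW."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    flags = set(line.split())
    return {
        "in": fields.get("IN", ""),
        "proto": fields.get("PROTO", "").lower(),
        "src": fields.get("SRC", ""),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "state": "NEW" if "SYN" in flags and "ACK" not in flags else "ESTABLISHED",
    }


def parse_rule(text):
    """Split '-A CHAIN opt value opt value ...' into (chain, {opt: value}).
    Every option in these rules takes exactly one value; -m only loads a
    match module, so its repeated values are irrelevant here."""
    toks = shlex.split(text)
    opts = {}
    for opt, val in zip(toks[2::2], toks[3::2]):
        opts.setdefault(opt, val)
    return toks[1], opts


def rule_matches(opts, pkt):
    """True if every match option in the rule agrees with the packet."""
    if "-p" in opts and opts["-p"] != pkt["proto"]:
        return False
    if "-i" in opts and opts["-i"] != pkt["in"]:
        return False
    if "--dport" in opts and int(opts["--dport"]) != pkt["dport"]:
        return False
    if "--state" in opts and pkt["state"] not in opts["--state"].split(","):
        return False
    if "-s" in opts and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(opts["-s"], strict=False):
        return False
    return True


def evaluate(rules_text, chain, pkt):
    """First-match evaluation: return the target of the first rule in the chain
    that matches, else the chain policy from its ':CHAIN POLICY' line."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith(":" + chain + " "):
            policy = line.split()[1]
        elif line.startswith("-A " + chain + " "):
            _, opts = parse_rule(line)
            if rule_matches(opts, pkt):
                return opts["-j"]
    return policy


def insert_before_reject(rules_text, new_rule):
    """Place a rule immediately before INPUT's catch-all REJECT, the spot Rick
    points at; a rule appended after it is never reached."""
    out = []
    for line in rules_text.splitlines():
        if line.strip() == "-A INPUT -j REJECT --reject-with icmp-host-prohibited":
            out.append(new_rule)
        out.append(line)
    return "\n".join(out)
```

Walking the logged SYN to port 23 (or 25) through DEFAULT_RULES lands on the catch-all REJECT, which is what the LOG entry immediately before it records; with MAIL_LAN inserted above the REJECT a SYN to port 25 from 192.168.2.11 is accepted while one from outside 192.168.2.0/24 is still rejected. On the client side an icmp-host-prohibited reject shows up as "No route to host", whereas "Connection refused" is a TCP RST from the destination, meaning the packet got past the firewall and nothing was listening on that port.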
 
08-17-2011, 01:36 PM
Tim
telnet on local LAN question

Tim:
>> That's a rather complex explanation, which sounds like you're giving
>> each machine a unique hosts file, where their own hostnames are written
>> differently than the other machines on the LAN. I wouldn't do that.

Andre Speelmans:
> It sounds to me quite normal what he says.
> Every host has a hosts-file where all other machines are listed as
> <ip> <fqdn> <short name>
> And the local machine has its name added to the 127.0.0.1 line.

The complex part I was referring to wasn't about the local loopback
addresses, but the name.localdomain versus othername.localdomain
descriptions, and the two subnets:

"For the other machines, its name is removed in the 192.168.10.x
list and 192.168.2.13 <name>.localdomain <name> is added"

Generally speaking, it's better to give specific examples of what you're
doing, rather than trying to boil it down to something generic. Some
important details may get lost in the translation. And it makes it
harder to give advice; and that advice will need translation into your
specifics, too.

> I don't see any problem with a machine that has the same name on
> different addresses. One of our servers actually does have 10 NIC's,
> of which some are bonded and some have aliases, leaving it with about
> a dozen IP-adresses. It still has only one hostname. Depending on who
> or what is talking to it, it will know which IP to use. (Of course,
> you know that.)

It depends on what use you're making of the hostname. If you're merely
trying to say that "fred" is this box, and "george" is that box, no
problem. But if you're trying access a box through a particular
interface, but are addressing it by a /name/ that doesn't have a
correlation to a specific interface, /that/ may be a problem.

>> You don't need to put hostnames into specific interface configuration
>> files. The computer *works* *out* its host name from its IP.

> Normally the hostname is put into the file /etc/sysconfig/network.

May be... May not be. You can also have differences where /you/ may
set up your computer, and call it "fred." But, as far as the LAN is
concerned, the DHCP server has assigned IPs, and the DNS server says
that IP will be referred to as george. In that case, working name
resolution is very important as to how other computers access it. A
computer can call itself whatever it cares to, but how the /other/
computers know it is important for networking.

> And regarding the working out the hostname: it does not even need to
> know its own name to send or receive data. All it needs to know is the
> IP-address of the remote machine. It will not do reverse or any
> look-up to resolve its own hostname to do a telnet to a remote server.

It depends on the network activity. Reverse lookups are used to work
out hostnames and domain names, when they're not preset in some other
way.

The original poster isn't trying to "telnet," they're using the
telnet client as a diagnostic tool for other services. A mail
server /is/ one of those services that does do forward and reverse name
look-ups, particularly if you configure things to minimise being used as
a spam service.

>>> Ping works great between all of the machines for both <otherX> and
>>> <otherX>.localdomain, lists the 192.168.10.x address like a happy camper
>>> should

> This part from OP is a dead give-away that his hosts file are
> apparently working fine, that his network configuration is okay and he
> has packets going out and being received. Name resolving, gateways,
> whatever has no part of it. If that would be the case, ping would not
> work.

Partially... Remember that he had two subnets (192.168.10 and
192.168.2)

> He is not doing any MX-queries, he is telnetting to the mailserver.

Now... But, later, if he wants to do full email service between all
machines, it may be important to do everything properly.

>> You might want to expand upon *why* you're wanting to use different
>> FQDNs for machines. That may point out where the snag is.

> As far as I see, he is not.

It looked to me like he was. But his original post was far from clear.

>> It does sound like IP and name resolution is your prime problem.

> No, after all he can ping them by name. Name resolving works. And
> reverse lookups by the mail server are done after it has made a
> connection.

That /is/ part of name resolution.

>> For anything more than about three machines I prefer using DNS than
>> hosts files. It gets a pain having to synchronise changes across
>> several computers, particularly if you experiment and change names and
>> IPs around.

> DNS is indeed the way to go for a larger environment. Three computers?
> I would probably use hosts files.

Been there, done that, don't want to do it again.

I've found that /three/ computer networks tends to be the boundary.
When you get to that level, people start using servers, or things
between the computers (rather than just using a computer as a solo
machine, or accessing the internet). Some servers are better with
proper DNS. And you may find that such LANs /normally/ have three
computers, but /occasionally/ more get connected.

> But then, you tell you switch the IP's often. And although off topic I
> really wonder: why?? A servers IP-address is about one of the most
> static things I can think of.

Not me, but it's the sort of thing I see happening. And this is one of the
cases where using the hosts file is a big problem: People using a LAN
with a DHCP server that automatically doles out IP addresses without
specific rules (so the same machines always get the same IPs), such as
their modem/router. They try setting names and IPs in their hosts file,
that don't accord with how their LAN is actually set up.

/Sometimes/ I occasionally change IPs to test things, such as plugging
in a test computer using different IPs so you can test firewall rules.

Then you have things, like a laptop, which has wireless interface and a
wired interface, either of which may be used at different times.
They'll have different IPs, if left to automatic configuration. They'll
only have the same IP if you have custom configurations (either on the
client, or the DHCP server). They'll have to have different IPs if both
interfaces are connected simultaneously.

And it's certainly been with things like a laptop where I've noticed
that name resolution rears its ugly head.

e.g. If my laptop is usually 192.168.1.10 wired or 192.168.1.11, and the
hostname is tied to one of them, but the laptop is booted up with that
interface offline, you'd have things like logging in taking forever and
day, because of some NFS issue, or X wanting to that hostname's
interface to be alive.

> I want to make clear to the OP that name resolving is *not* his
> primary problem, seeing he can ping by name.

From subsequent postings, that would appear to be the case. But not
originally. And it does still look like there's some strangeness to the
network (or certainly lack of detail that makes it clear).
