Thread: ClarkConnect

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    185

    ClarkConnect

    yesterday I installed CLARKCONNECT in gateway mode on an old machine:
    850mb hd, 48 mb ram, cdrom, 2 netcards, pentium 200 MHz.
    i wondered that it was easy to get it working (well min required 1gb hd and 64mb ram)
    the gateway is now connected to the internet and a switch.
    the switch to my machine(win2k).

    clarkconnect uses Redhat 9.0 and offers IDS,apache,ftpd,webproxy,webmin..etc.
    pointclark.net gives an easy way to use dynDNS.
    everything can be easily setup per webinterface.

    check it out:
    http://clarkconnect.org

    but i have one little problem now:
    when i come to IRC my eggdrop doesn't dcc chat (partyline) with me anymore?
    do you have a solution? how to open the port it wishes to connect to me,
    'coz can't know which port will be used, can i?
    is there a way to force it to use specific ports i then can open in the gateways firewall incoming and forwarding options.

    thx in advance,
    yours,

    stanger
    Industry Kills Music.

  2. #2
    hi there,

    i strongly recommend you to read that software manual since it has a lot of features - the one that you need is the firewall section - that one blocks your DCC connections... find which are the DEFAULT rules and what services and ports are blocked!

    It is a good thing to have it so think how you want to solve it: e.g.: unblock those ports (most likely they are under 1024 - NOT SAFE for you), unblock them ONLY for the egg IP (safer but still not good!) or check your irc client DCC OUTGOING ports and set them to high ones!


    heh, i didn't understand quite well but also if u connect your_putter(new_putter)-->gateway(old_machine)-->eggy_server and back - check if the gateway does also IP masquerading meaning the eggy can't determine your IP... hence you'll need IP - forwarding

    Good luck with it!

  3. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    thx for reply,dude...

    i forgot to tell ...i'm coming thru a bouncer...does not makes it easier to go?

    open ports...yeah,i tried to set the possible ports dcc is allowed to use 1024:something
    and opened the port range on the firewall,does not succeed.
    the prob is the eggdrop's security settings for dcc connections.
    (unbound it)
    it gets my correct ip, but also knows that i'm forwarded and so ignores my chat request

    is there a way, may be masquerading or something (or other methods of identify'n)?

    uh,i'm using telnet to connect to the egg now...and will go on to resolve thiz lil prob.
    i will try the squid proxy for dcc now

    greetz,stanger

  4. #4
    rofl dude,

    from what i understood it seems your bot (eggdrop) security settings may be the problem, meaning the IP's allowed to connect from dont contain your current IP.

    If it's so - you should check your bot's logs for the connections requests.

    If this is the problem here is how to solve it: just connect to any irc server, do a /whois /host on your nick, write down your IP and add it to your mask, for security reasons you should add the whole mask with ident too like your_ident@your.ip.goes.here

    If the dcc isnt passed through the proxy / bouncer - ask a friend (good trust in him!) to start a dcc chat connection with you and then to do a "netstat" to get your IP - add that IP to the bot too.


    as far as it concerns the squid proxy - that's a http CACHE proxy meaning that the CONNECT method is usually blocked with it for some ports (maybe not for https) - good security and i suggest you not to play with it or you'll end up K-Lined for open proxy or even worse, your proxy being used for abuse.

    I think this covers all

    Good luck!

  5. #5
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    Probably the best thing you can do is post your question to the Clarkconnect Forums

    The OS is based on RedHat 9, and says it is using a stateful firewall, but it does not say specifically what firewall they are using. I am assuming it is based on Netfilter ( iptables ), and is using their own GUI interface to help build and manage it ?

    Netfilter does not natively support eggdrop, but there is a patch which supplies the support in Patch-O-Matic. With a normal Linux distro you would use Patch-O-Matic to patch the netfilter source, then build your own Linux kernel and include the eggdrop-conntrack in the netfilter options while building. ( See Patch-O-Matic Listing – Summary for a complete list of patches available )

    As I am not familiar with the Clarkconnect distro I can not tell you if this would work. The eggdrop-conntrack patch is known not to work with some of the other patches, and the Clarkconnect distro seems to redirect some of the base iptables firewall links to links of their own.

    All in all, this seems like it might be a little too involved for someone looking for an out-of-the-box gateway. But like I said at the start, it might be best to ask the question on the Clarkconnect Forums; Maybe they have already included the patch into their kernel or have found another way around it.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Big Tnx to all of you postin here...

    so ... i FIRST checked the CLARKCONNECT forums,
    i saw the patch... thats completely other problematic.
    they are talking 'bout running the egg on the gateway.

    but :
    I got it working!

    Solution:

    1.
    in CLARKCONNECT firewall configuration FORWARD ident on port 113 (to e.g.192.168.1.25)

    2.
    in eggdrop.conf (if editable for you) uncomment and set:

    set reserved-portrange 2010:2020

    3.
    in your IRC client set in options/DCC/options dcc ports to first: 2010 last: 2020

    4.
    in CLARKCONNECT firewall configuration FORWARD portrange 2010:2020 (to e.g.192.168.1.25)

    5.
    hmmm.. i bound all sockets in IRC client in
    Connect/options/Advanced to the IP where it got forwarded(e.g.192.168.1.25)
    [doing so you may not need to edit the eggs conf, but i'm not sure about that.]

    6.
    have Phun

    veryBIGtnx to ghostintheruins ... I got it while discussing with ya...
    Industry Kills Music.

  7. #7
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    I’m glad to see you checked out the Clarkconnect Forums. Ah, yes, I should have researched further before responding.
    After reading the eggdrop-conntrack source I see what you mean, it is not ready for what you had in mind. Damn, I got sucked in!

    The eggdrop-conntrack patch still needs some work, maybe someone would volunteer to help ???? ( my coding sucks)

    But I have a few questions as to your solution.

    You said you
    1.
    in CLARKCONNECT firewall configuration FORWARD ident on port 113 (to e.g.192.168.1.25)
    This would send the ident requests from the IRC server ( for those that still use it ) to your IRC client ( 192.168.1.25 )

    2.
    in eggdrop.conf (if editable for you) uncomment and set: set reserved-portrange 2010:2020
    This would open these ports on the client machine for eggdrop, when it is open?

    3.
    in your IRC client set in options/DCC/options dcc ports to first: 2010 last: 2020
    This tells the IRC client to listen to these ports?

    4.
    in CLARKCONNECT firewall configuration FORWARD portrange 2010:2020 (to e.g.192.168.1.25)
    This forwards ALL these port transactions to the client machine ( 192.168.1.25 )

    5.
    hmmm.. i bound all sockets in IRC client in
    Connect/options/Advanced to the IP where it got forwarded(e.g.192.168.1.25)
    [doing so you may not need to edit the eggs conf, but i’m not sure about that.]
    You bound the ports in the IRC client to the IP address which was running it ??

    So in effect you NATed port 113 ( ident ) and ports 2010 through 2020 to the IRC client machine on your LAN which has been set up to listen to and reserved ports 2010 through 2020 when the IRC program eggdrop is open.

    OK, you said it works for you, good for you. ( have I heard that before from an admin?)

    Since this site is security related I have a few questions:

    1. What if you have a LAN with 1000 machines and more than one person wishes to run IRC with eggdrop ??

    2. What happens if someone sends malformed or “crafted” packets to those ports?

    3. How does the client machine respond to the ident requests?

    4. What happens if the client machine ( 192.168.1.25 ) is running and IRC is not ?

    5. What happens if IRC crashes on the client machine ??


    Those ports are now open to the NET, and thus your entire LAN through the client machine. How are you protecting them??

    I believe these questions need to be answered before your solution can be considered viable.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    uh,fine....

    1. What if you have a LAN with 1000 machines and more than one person wishes to run IRC with eggdrop ??
    would be nice. never thought about.

    2. What happens if someone sends malformed or “crafted” packets to those ports?
    and
    4. What happens if the client machine ( 192.168.1.25 ) is running and IRC is not ?
    hmmm...if there's no owner i hope it will be blocked by the software firewall running on the client

    3. How does the client machine respond to the ident requests?
    with nick and IP(dnslookup)
    ah, i see what could be a problem.

    5. when it crashes? nothing will happen(won't it?)

    btw: one eggdrop runs on a "commercial" shell ,the other on my server, none at home.

    and about 1000 client IPs:
    haha,you did mathematics...10 ports / for each IP == 10000 ports reserved ...
    no way
    o.k. forget about forwarding the ident...I'm the only client,must be managed if the LAN grows up?
    and...i'm thinking 'bout connectin' my neighbour to the LAN to make him available my internet connection (if it works we will go to upgrade to a faster one)

    and big thx to you, IKnowNot, for the discussion points
    Industry Kills Music.

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    back again:

    i made rules now to deny any access to the forwarded (dcc)ports and allowed only the irc client to use them.

    ...but what's the best way to connect my neighbour to the net to make him use my inetconnection ?
    he will be plugged to the switch where my windows pc and the gateway are on at moment.
    may i make him use the gate as his default?
    or would it be a better way installing a proxy on the gatewaymachine?
    Industry Kills Music.
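
Added example, not part of any post in this thread and not ClarkConnect's own rules: a shell audit that flags port forwards open to every source address, as in the first solution, next to a forward limited to the eggdrop host. It assumes the gateway is Netfilter/iptables (as IKnowNot assumes above), that `eth0` is the WAN interface, and that `203.0.113.10` is a placeholder for the eggdrop host; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in iptables-save format. 192.168.1.25 is the client from
# the thread; 203.0.113.10 is a placeholder (documentation address) for the
# eggdrop host; eth0 as the WAN interface is an assumption.
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 113 -j DNAT --to-destination 192.168.1.25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2010:2020 -j DNAT --to-destination 192.168.1.25
-A PREROUTING -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 2010:2020 -j DNAT --to-destination 192.168.1.25
COMMIT'

# Read iptables rules on stdin and print "dport -> target" for every DNAT
# rule that has no source restriction, i.e. is reachable from the whole Net.
open_forwards() {
    awk '
    /-j DNAT/ {
        src = ""; dport = "any"; dst = "?"
        for (i = 1; i < NF; i++) {
            if ($i == "-s" || $i == "--source") src = $(i + 1)
            if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            if ($i == "--to-destination") dst = $(i + 1)
        }
        if (src == "" || src == "0.0.0.0/0") print dport " -> " dst
    }'
}

# Print (not run) the commands for a forward that only the bot host may use.
# Assumes FORWARD drops by default and ESTABLISHED traffic is already allowed.
restricted_forward() {  # args: wan_if bot_ip client_ip port_range
    echo "iptables -t nat -A PREROUTING -i $1 -s $2 -p tcp --dport $4 -j DNAT --to-destination $3"
    echo "iptables -A FORWARD -i $1 -s $2 -d $3 -p tcp --dport $4 -m state --state NEW -j ACCEPT"
}

# Stand-alone run: list the open forwards in the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | open_forwards
```

On a live gateway the same audit reads the real ruleset with `iptables-save -t nat | open_forwards`.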

  10. #10
    Welcome back and you're welcomed! (just saw the "BIGthnx" now )

    Your solution depends a lot on what your friend will need from your shared connection and what you will allow...

    The best way will be to have him connected through a proxy on your gateway (btw doesn't clarkconnect have such a thing?), you might want to give him restricted connection regarding the bandwidth and some other things...
