
Re: [suse-security] Martian source... Need to have route to other networks via internal interface. What to do?



Your Linux box can't send packets outside the LAN unless you use NAT on 
the router, since your diagram does not include a proxy (Cisco can NAT but 
it isn't a proxy).

EIGRP is not going to work on a Linux system; it is proprietary.
Furthermore, the Linux system is a host. It is not supposed to run a dynamic 
routing protocol. The Cisco router is supposed to have routes for all your 
other subnets -- interface routes, not dynamic ones. This can be from 
subinterfaces or physical ones.

The Linux host gets 1 static route: default, with gw 192.168.0.254

Send packets to the router; let it do its job.
Don't go running zebra and stuff on Linux unless you want it to be a 
router. That only makes sense for more sophisticated situations where the 
cost of a Cisco interface is much more expensive than a PC. 
Also remember that a Cisco router WILL forward packets MUCH faster than a 
PC. It has special hardware inside for this purpose. 

On Tue, 22 Nov 2005, Sergei Keler wrote:

> Yes. That's right.
> 
> But..
>                            217.x.x.y
> Internet --- [ cisco router ] -----------------+ eth0 217.x.x.x
>                      |192.168.0.254           [linux box]
>                    [switch] --------------------+ eth1 192.168.0.1/24
>                      |
>                    Several LANs including 192.168.1.0/24 for example...
> 
> Linux box doesn't need to route outside LAN. It must use specified GW  
> to route to other LAN networks.
> If I use YAST to add routes it works strangely.
> Manual adding route like:
> route add -net 192.168.1.0/24 gw 192.168.0.254
> works! [censored]! Still [censored] with yast and its environment to  
> keep reached configuration :-)
> 
> Next step will be adding dynamic routing driven by cisco :-(
> 
> 
> Sergei Keler
> General DataComm
> IT-manager
> tel.:     +7(812)325-1085
> fax:     +7(812)325-1086
> 
> 
> On 22.11.2005, at 17:38, Dana Hudes wrote:
> 
> > 192.168.0.254 is a legitimate RFC1918 address.
> > It's not publicly routable but it's fine to use behind a proxy or NAT
> > gateway in a private network.
> >
> > On Tue, 22 Nov 2005, Dirk Schreiner wrote:
> >
> >> Hi*,
> >>
> >> anyway there will never be a net 192.168.0.254/24.
> >>
> >> Syv Ritch wrote:
> >>> Sergei Keler wrote:
> >>>>
> >>>> Next, what do you recommend as a Linux implementation of Cisco's EIGRP?
> >>>> Ciscos use EIGRP to keep routes between them using  
> >>>> 192.168.0.254/24 net.
> >>>
> >>> 1. EIGRP is proprietary to Cisco, and only runs on Cisco gear.
> >>> 2. There is nothing in EIGRP that "keep routes between them using
> >>> 192.168.0.254/24 net".
> >>> For a simplified explanation of EIGRP:
> >> [...]
> >>
> >> Dirk
> >>
> >> TRIA IT-consulting GmbH
> >> Joseph-Wild-Straße 20
> >> 81829 München
> >> Germany
> >> Tel: +49 (89) 92907-0
> >> Fax: +49 (89) 92907-100
> >> http://www.tria.de
> >>
> >> Register court: München HRB 113466
> >> VAT ID no. DE 180017238, Tax no. 802/40600
> >> Managing director: Richard Hofbauer
> >> Commercial management: Rosa Igl
> >> --------------------------------------------------------
> >> Message from: Dirk.Schreiner@xxxxxxx
> >> Message to: suse@xxxxxxxxxxxxxxx, skiller@xxxxxx, suse-security@xxxxxxxx
> >> # Attachments: 0
> >>
> >> --
> >> Check the headers for your unsubscription address
> >> For additional commands, e-mail: suse-security-help@xxxxxxxx
> >> Security-related bug reports go to security@xxxxxxx, not here
> >>
> >>
> >
> 
> 
