
Re: [Rule-list] RULE and Networking (Observations)


From: Geoff Burling
Subject: Re: [Rule-list] RULE and Networking (Observations)
Date: Tue, 30 Jul 2002 11:59:09 -0700 (PDT)

(My first copy of this response didn't get to the mailing list due
to a human error on my part. But it offered me a chance to correct one
error I made.)

(BTW, the address for the RULE home page is wrong in the footer. It
should not be ``http://www.rule-project.org/rule/" but
``http://www.rule-project.org".)

On Mon, 29 Jul 2002, Michael Fratoni wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday 29 July 2002 01:37 am, Geoff Burling wrote:
> > First, I am aware that RULE is alpha-quality software. It is very
> > reliable in many respects (unlike the software of a certain US
> > corporation located to the North of me), but unreliable in
> > others. The point of this post is to document some of these
> > unreliable characteristics.
>
> Thanks for the feedback. Specific comments below.
>
> > 1. I installed the networking packages of RULE -- selecting the
> > network, sendmail, & sshd options -- but found the network abilities
> > less than complete. One item I noticed that was not installed was the
> > rpm for xinetd, 7.x's replacement for the more familiar inetd demon.
> > Since I haven't been following the RULE mailing list from the
> > beginning, I don't know if the omission was intentional -- & done
> > for good reasons -- or an oversight.
>
> In the default install, there should be no packages installed that need
> xinetd functionality. Even in a more complete RedHat install, the only
> things requiring xinetd are portmap (for nfs) and sgi_fam, which also
> requires portmap. If I'm mistaken here, please correct me.

Hmm. That might explain some of the weirdnesses with nfs.
>
> > 2. Although the ethernet card link light is showing green, I do not
> > have full functionality. For example, I cannot telnet to my main
> > computer on my LAN, although I could telnet to it when I was running
> > an old version of Slackware on my 486, & I can also telnet into it
> > from my SparcStation 10. (This is running an incomplete installation
> > of Debian Linux.) However, I can ssh into the 486 from my main computer
> > with no problem.
>
> How are you calling ping? By ip address or FQDN?

Both. I have defined the other computers on the LAN in the /etc/hosts
file.
Output follows:
address@hidden nmap-2.53]$ ping joan
PING joan (168.192.1.100) from 192.168.1.101 : 56(84) bytes of data.

--- joan ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
address@hidden nmap-2.53]$ ping 198.168.1.101
PING 198.168.1.101 (198.168.1.101) from 192.168.1.101 : 56(84) bytes of data.

--- 198.168.1.101 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
address@hidden nmap-2.53]$ ping -b 192.168.1.255
WARNING: pinging broadcast address
PING 192.168.1.255 (192.168.1.255) from 192.168.1.101 : 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=0 ttl=255 time=75.304 msec
64 bytes from 192.168.1.100: icmp_seq=0 ttl=255 time=75.304 msec (DUP!)
Warning: time of day goes back, taking countermeasures.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=255 time=8.173 msec
64 bytes from 192.168.1.100: icmp_seq=1 ttl=255 time=17.434 msec (DUP!)

--- 192.168.1.255 ping statistics ---
2 packets transmitted, 2 packets received, +2 duplicates, 0% packet loss
round-trip min/avg/max/mdev = 8.173/44.053/75.304/31.422 ms

> What is the output of '/sbin/route -n'?
address@hidden nmap-2.53]$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.100   0.0.0.0         UG    0      0        0 eth0

> What is the output of /sbin/ifconfig?
address@hidden nmap-2.53]$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:20:AF:5D:C2:A8
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38016 errors:0 dropped:0 overruns:1 frame:0
          TX packets:73558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:49 txqueuelen:100
          RX bytes:4918802 (4.6 Mb)  TX bytes:83549925 (79.6 Mb)
          Interrupt:15 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:72090 (70.4 Kb)  TX bytes:72090 (70.4 Kb)

> Have you defined a nameserver and gateway?
No. I didn't think that was necessary for a local network. I didn't do
that on the SparcStation, & it appears to work satisfactorily.

Besides, wouldn't it make more sense to first confirm that the ethernet
card works on the LAN, _then_ add the necessary steps to allow it to
see the rest of the Internet? (And if I were to allow this, I'd have
to set up IP Forwarding, since local IP numbering needs to be hidden
from the rest of the Internet.)

> What are the contents of /etc/hosts and /etc/resolv.conf?

> Did kudzu detect the network card and offer to configure it on the first
> reboot after install?
No. I had to copy a working ifcfg-eth0 file from my main computer &
modify it to get it to work on the testbed. Which is odd, since this is a
used 3Com 503 card I bought for a dollar.

That got me thinking: the first time I let kudzu find the network card,
the computer wasn't connected to the LAN. So I renamed the ifcfg-eth0
file & rebooted the testbed. Kudzu failed to notice the card. Just to
make sure this install of kudzu wasn't corrupt or misinstalled, I added
the serial mouse to the testbed, rebooted again . . . & kudzu saw the
mouse.

Just to take the testing another step, I had an NE2000 card available,
so I swapped cards & let the computer boot. Kudzu didn't see *that* card
either. Was Kudzu ``upgraded" to ignore objects on an ISA bus?
>
> I'll look at adding more complete network setup to the installer, if
> necessary.
>
> > 3. Further, ping has been demonstrating some, er, interesting
> > qualities. I can ping the testbed 486 from the main computer, but from
> > the testbed cannot ping the main computer, nor the SparcStation.
> > However, if I do a ``ping -b 192.168.1.255" (my LAN is on the
> > 192.168.1.0 subnet), the testbed can ping all of the other computers.
>
> See above.
>
> > 4. The following is an nmap probe of the 486 from my main computer:
> >
> > Starting nmap V. 2.53 by address@hidden ( www.insecure.org/nmap/ )
> > Interesting ports on zander (192.168.1.101):
> > (The 1519 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh
> > 111/tcp    open        sunrpc
> > 827/tcp    open        unknown
> > 2048/tcp   open        dls-monitor
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> >
> > (I have enabled nfs by running ``/sbin/service nfs start"; the relevant
> > script in /etc/init.d doesn't appear to properly start it.)
>
> Have you manually installed the xinetd package, and is portmap configured
> to start at boot time? The /etc/init.d script should work, as that is the
> same script called by 'service nfs start'. I'll have to look into this
> more.

Yep, I installed xinetd. I'm not sure that it made any difference: by
default it is configured to start about 8 trivial services, & if any
aren't installed xinetd will ignore them. So the logs record. Further,
the logs did not show xinetd finding the nfs demons running & adding them
to its list. (Not sure what I need to do to make this work.)
>
> > Although sendmail was installed by default, neither port 25 or 110
> > (the assigned SMTP & POP ports) are visible. However, sendmail *is*
> > running:
>
> By default, Red Hat's sendmail listens on only 127.0.0.1. To change it,
> you have to edit /etc/mail/sendmail.mc, adjust (or comment out) the
> DAEMON_OPTIONS line, and regenerate /etc/sendmail.cf using mc.
> For example:
> In /etc/mail/sendmail.mc,
> Change "DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')"
> to:
> "dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')"
> then:
> 'm4 /etc/mail/sendmail.mc > /etc/sendmail.cf'

Aha, a step that probably needs documenting. It's been about 2 years
since the last time I installed Sendmail, so I wasn't sure where it
gets its information.

One positive thing: RULE installs the sendmail-cf rpm by default, which
RedHat doesn't do -- at least version 6.2. Thanks. I'll twiddle with the
/etc/mail/sendmail.mc, compile /etc/sendmail.cf, & see if that works.
>
> > 5. Lastly, running nfs has some interesting problems. While I admit
> > that I'm not an nfs guru (I only started making this function work
> > a week ago), I'm having problems mounting directories under
> > the / filesystem. I suspect this is because the testbed computer is not
> > opening transient ports (I can supply log entries if someone
> > wants to challenge my nfs configuration skills). What makes this even
> > more puzzling is the fact I can successfully mount any removable disk
> > -- /mnt/floppy, /mnt/floppy1 (the 5-1/4 inch floppy drive), &
> > /mnt/cdrom -- via nfs. (I entertained myself by taking an iso file on
> > the nfs-mounted cdrom drive & burning it to a cdrom on my main
> > computer. The iso image works quite nicely.)
>
> I'm not an NFS guru, so bear with me.
> Have you listed the filesystems in /etc/exports, and exported them?
> I don't believe it is enough to just export /, as I remember, you have to
> export specific directories. You might (for example) try exporting
> /home/{username} and see if that works. Please let me know.
>
Geez, a case of the blind leading the blind . . . ;-)

I've also found (by trial & error & a little research) that not only
do you need to edit the /etc/exports file, but run the following
demonstrated command:

address@hidden nmap-2.53]# /sbin/service nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]

But back to your question. Yes, I mentioned them in the /etc/exports
file, which currently reads:

#/home                  joan(rw,no_root_squash)
/tmp                    joan(ro,all_squash)
/mnt/cdrom              *(ro,all_squash)
/mnt/floppy             *(ro,all_squash)
/mnt/floppy1            *(ro,all_squash)

When I attempt to mount either /home or /tmp, on the client I get an
error message with the explanation that the nfs server has in turn
passed the error message ``permission denied". The /var/log/message
file records the following error:

localhost rpc.mountd: refused mount request from 192.168.1.100 for /home (/):
no export entry

I did a little Googling, & found someone with the same error message
who solved it by running the ``/usr/sbin/exportfs -r" command, but it
didn't work in this case.

I'd say that I am just not configuring nfs correctly on the 486 . . .
if it weren't for the fact I can mount removable disks like cdroms
& floppies. It was this nfs problem that led me to the ping & telnet
problems. In short, my 486 is just not talking proper TCP!

Geoff
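
In the ping output above, joan resolves to 168.192.1.100 and the second ping targets 198.168.1.101, while eth0 is on 192.168.1.0/24. The following is an added example, not part of the original message, that flags hosts-file entries lying outside the directly connected networks and suggests an on-link address when two octets look swapped. The hosts content is constructed to match that output, since the real file is not shown, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the real /etc/hosts is not shown in the message.
# "joan" mirrors the address printed by `ping joan`; "zander" is the testbed.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
168.192.1.100  joan
192.168.1.101  zander
"""

# Directly connected networks, from the ifconfig output in the message.
CONNECTED = ["192.168.1.0/24", "127.0.0.0/8"]


def parse_hosts(text):
    """Yield (address, first name) for each non-comment hosts line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield ipaddress.ip_address(fields[0]), fields[1]


def swapped_octets_match(addr, nets):
    """Return an on-link IPv4 address reachable by swapping two octets, or None."""
    if addr.version != 4:
        return None
    octets = str(addr).split(".")
    for i in range(4):
        for j in range(i + 1, 4):
            trial = octets[:]
            trial[i], trial[j] = trial[j], trial[i]
            candidate = ipaddress.ip_address(".".join(trial))
            if any(candidate in net for net in nets):
                return str(candidate)
    return None


def off_link_entries(hosts_text, connected=CONNECTED):
    """List (name, address, suggestion) for entries outside every connected network."""
    nets = [ipaddress.ip_network(n) for n in connected]
    return [
        (name, str(addr), swapped_octets_match(addr, nets))
        for addr, name in parse_hosts(hosts_text)
        if not any(addr in net for net in nets)
    ]


if __name__ == "__main__":
    for name, addr, hint in off_link_entries(SAMPLE_HOSTS):
        print(f"{name}: {addr} is off-link, sent to the default gateway; near match: {hint}")
```

An entry flagged here is routed through the 0.0.0.0 default route shown in the `/sbin/route -n` output rather than delivered on the LAN.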
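
The /etc/exports quoted above mixes a hostname client (joan) with wildcard clients, and the only mounts reported as working are the wildcard ones. The following is an added example, not part of the original message, that models which exports a request from 192.168.1.100 can match and flags options worth reviewing. It assumes the server resolves names through a hosts mapping constructed from the `ping joan` output; it handles only `*`, plain hostnames and literal addresses, and the function names are hypothetical.

```python
# /etc/exports exactly as quoted in the message (commented-out line included).
EXPORTS = """\
#/home                  joan(rw,no_root_squash)
/tmp                    joan(ro,all_squash)
/mnt/cdrom              *(ro,all_squash)
/mnt/floppy             *(ro,all_squash)
/mnt/floppy1            *(ro,all_squash)
"""

# Assumption: the server resolves client names via /etc/hosts. This mapping is
# constructed from the `ping joan` output; the file itself is not shown.
HOSTS = {"joan": "168.192.1.100"}


def parse_exports(text):
    """Return {path: [(client, options), ...]} for lines not commented out."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for spec in fields[1:]:
            client, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            table.setdefault(fields[0], []).append((client or "*", options))
    return table


def may_mount(table, path, client_ip, hosts):
    """Simplified match: '*' admits anyone; a name must resolve to client_ip."""
    return any(
        client == "*" or hosts.get(client, client) == client_ip
        for client, _ in table.get(path, [])
    )


def review(table):
    """Flag export settings to revisit before the host leaves a lab LAN."""
    notes = []
    for path, entries in table.items():
        for client, options in entries:
            if client == "*":
                notes.append((path, "any host that can reach the server may mount"))
            if "no_root_squash" in options:
                notes.append((path, f"root on {client} is root on the export"))
    return notes


if __name__ == "__main__":
    table = parse_exports(EXPORTS)
    for path in ("/home", "/tmp", "/mnt/cdrom"):
        print(path, may_mount(table, path, "192.168.1.100", HOSTS))
    print(review(table))
```

With the `#` in front of /home the path has no active entry at all, which is consistent with the "no export entry" line in the quoted log.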





