Author Topic: [SOLVED and UPDATE] has networking changed?  (Read 726 times)

Offline Trio3b

  • Sr. Member
  • ****
  • Posts: 365
[SOLVED and UPDATE] has networking changed?
« on: May 26, 2011, 08:29:22 AM »
WRT54G wireless router at 192.168.1.1 / DSL modem at 192.168.0.1
Desktop running MDV2008.1 / lappy was running PCLOS 2009.1 now running PCLOS 2010.12 KDE4.6.1
ssh running on both.
Trying to transfer files between lappy and desktop.
[forgot to add] - someone (not here) told me to set up each PC network interface in PCC as dynamic and let the router do the assigning so none have static IPs.

Router has dhclient table and lists IP but doesn't ID host so use /sbin/ifconfig to determine IP of each machine, then on pclos 2009.1 (laptop) I used to enter IP of desktop in Konq (sftp://xxx.xxx.x.x) and returns with a string. I must enter this into the laptop /etc/hosts.allow and then can access desktop.

This procedure is no longer working in Dolphin or Konq on laptop running PCLOS 2010.12 w/KDE4.6.1. Desktop is still MDV2008.1.
Error in Dolphin is "could not connect to host. connection timed out."

from console lappy can ping itself but pinging desktop gives:
--- 192.168.1.100 ping statistics ---
208 packets transmitted, 0 received, 100% packet loss, time 207000ms

router DHCP clients table is:

desktop (according to desktop /sbin/ifconfig)   192.168.1.100   00:0C:F1:B0:24:07   15:52:27
?                                               192.168.1.101   00:22:69:81:36:C4   22:20:43
rachel-laptop (kids lappy)                      192.168.1.102   00:22:3F:FC:6F:0E   10:50:14

My lappy /sbin/ifconfig returns the following, but there is no 192.168.1.109 entry in the router DHCP clients table:

wlan0     Link encap:Ethernet  HWaddr 00:21:6B:B7:2D:40
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:6bff:feb7:2d40/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5843 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2075770 (1.9 MiB)  TX bytes:753614 (735.9 KiB)   


Obviously my laptop is connecting to router as I can access it and am posting from it but no joy in seeing desktop. We have been adding and removing several kids' laptops to network over the past week or so but shouldn't the router see the xxx.xxx.1.109? Maybe reset the router?
Any tips?

Thanks
« Last Edit: May 27, 2011, 10:23:32 PM by Trio3b »

Offline Trio3b

Re: has networking changed?
« Reply #1 on: May 26, 2011, 06:45:46 PM »
OK. Reset laptop to static via PCC - no luck so changed back to dynamic.

1. Unplugged router to see if misread IP addresses reset - it did! Apparently the router hangs on to the address assignments even if some other PCs were off (and they were). Still can't figure out why this lappy IP was misread by router since this laptop has been on almost continuously. Anyway, all machines that HAD been assigned except the desktop (whether off or on) were wiped clean and new DHCP client table was refreshed even though I had refreshed it before. - still no go

2. Checked to make sure ssh active on both desktop and lappy - lappy ssh off (not selected at boot) so turned it on - no go

3. Curious about firewall on desktop - checked personal firewall in MCC desktop (running MDV). Allow everything was unchecked. So checked SSH - no go

4. Tried to connect again from lappy to desktop via Dolphin entering new IP addresses listed in /sbin/ifconfig on both PCs. Dialog came up that key fingerprint xx.xx.xx.xx blah is not recognized. I knew I was on to something (been here before)

5. Entered the host fingerprint into the laptop /etc/hosts.allow

6. Can now "see" and transfer files to desktop

SUCCESS!

Questions:

1. By allowing internet to connect to ssh in desktop firewall isn't this a security risk? And why does this need to be on?
2. In older MDV (PCLOS) versions when warning dialog box came about unknown host key fingerprint, I'm pretty sure the warning also advised where to put the fingerprint but didn't this time. The only reason I know where is b/c been here before but took a while to remember that it goes in /etc/hosts.allow. Where would the dialog box text warning be found so I can edit it and remind myself where to put the fingerprint 8 months from now when I have to do this again?

Will check transfers both ways and mark solved.

Hope this helps someone.



Online muungwana

  • Hero Member
  • *****
  • Posts: 6246
Re: has networking changed?
« Reply #2 on: May 26, 2011, 09:04:29 PM »

I think you are not getting responses because it is hard to understand your problem.

Quote
5. Entered the host fingerprint into the laptop /etc/hosts.allow
The above quoted part raises more questions than it answers.
What was in the file, what did you add in it, why are you modifying this and, I assume, related configuration files? You seem to be touching a lot of places and it's kind of scary to jump in and start offering assistance.

Quote
1. By allowing internet to connect to ssh in desktop firewall isn't this security risk? and why does this need to be on?

Most routers automatically act as a firewall and your local network is behind a firewall and not accessible from the internet unless you specifically told your router to pass through ssh traffic from the internet to that computer on your local network.

Since the router provides a firewall from internet traffic, the firewall on your computer only sees incoming traffic from other computers on your local network and though it is more secure to have it active, it is not doing that much since all traffic it sees is from computers you own on your local network.

That statement is not correct in the context of your set up. It is correct only if you have that computer facing the open web and yours isn't. You don't have to worry about this.
.. 3 things are certain in life : death, taxes and software bloat ..
.. tell me something i don't know, something i can use as i struggle to reason with the world around me ..

Offline Trio3b

Re: has networking changed?
« Reply #3 on: May 26, 2011, 10:42:54 PM »
I have always used Konq (now Dolphin) when trying to network two local linux PCs to communicate via sftp by entering sftp://xxx.xxx.x.xxx into URL. IF THE CLIENT HAS NEVER CONNECTED TO THE HOST, as it was in this case (a fresh PCLOS install on new lappy) connecting to long time MDV2008.1 desktop, I have always received some dialog box indicating some untrusted condition involving a host key fingerprint (which the dialog box provides in the form xx:xx:xx:xx:xx:xx:xx:xx:xx:xx) and until I write this key into /etc/hosts.allow on the client, I cannot connect to the host. It has been this way for me since MDV 10.2. Once this fingerprint is placed in client in /etc/hosts.allow, it is persistent and all is well.

This fingerprint has nothing to do with wireless WPA pre-shared key as all machines were 'net connected just fine, I just could not see/sftp/connect BETWEEN machines.

In addition, I have to open the MCC>security>personal firewall on host (desktop) and uncheck "allow internet to connect to everything" but DO check SSH then it works. I just confirmed this by unchecking "allow SSH" on the host machine and then connection from laptop to desktop does not work. Recheck it and all OK. That's what I don't get. I DO NOT want Internet to access the desktop via SSH but unless I have it checked on host (desktop MCC personal firewall), the client (laptop) cannot communicate with desktop.

I also believe that the router held on to some incorrect IP addresses as shown in post above, and once I reset the router, then the IP addresses shown in the router DHCP client table then correctly ID'd each PC as I confirmed with /sbin/ifconfig on each machine.

This is my setup:

 'net <->DSL modem<->router<->wired eth0 (desktop)
                                                <>wireless wlan0 (laptop)

It appears I had several issues at once, but I believe all is well now and will mark solved as soon as I confirm communications between laptop and desktop both ways.

Hope this clarifies.
« Last Edit: May 26, 2011, 11:00:47 PM by Trio3b »
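
The colon-separated hex fingerprint described in the post above is, assuming the dialog shows the MD5 style that SSH clients of that era displayed, the MD5 digest of the server's public host key blob. As an added example (not part of the thread), this Python sketch computes that fingerprint from a public key line so it can be compared with what the dialog shows; the sample key is constructed and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # The extra byte keeps the number positive when its top bit is set.
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_sample_pubkey_line() -> str:
    # Constructed sample: a well-formed ssh-rsa blob, not a real or usable key.
    n = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 4, "big") | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@desktop"


def parse_pubkey_line(line: str) -> bytes:
    # Decode the blob and check that its embedded type matches the line prefix.
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type inside the blob does not match the line prefix")
    return blob


def md5_fingerprint(line: str) -> str:
    # 16 digest bytes shown as colon-separated hex pairs.
    digest = hashlib.md5(parse_pubkey_line(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(line: str) -> str:
    # The form current OpenSSH releases print by default.
    digest = hashlib.sha256(parse_pubkey_line(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_dialog(line: str, shown: str) -> bool:
    # True only if the fingerprint the client displayed belongs to this key.
    return md5_fingerprint(line) == shown.strip().lower()
```

On the server the input line would normally come from a host key file such as /etc/ssh/ssh_host_rsa_key.pub, read locally rather than over the connection being checked.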

Online muungwana

Re: has networking changed?
« Reply #4 on: May 26, 2011, 11:38:08 PM »

I just looked at the security section you are talking about and the title of that section is wrong. It now reads "which services would you like to allow the internet to connect to". It should read "which services would you like to allow other computers over the network to connect to".

"Computers over the network" will mean "computers on the internet" only if this computer is connected directly to the internet. Yours is not.

"Computers over the network" will mean "computer on local network" if the computer is connected on a local network, like in your case.

Your computer is connected to a local network and hence the title in your case is wrong and I think it should be changed to accommodate offering network services over local networks.

You are safe, allowing those services will only expose them to other computers on your local network, not to the internet.

May I ask why you are using sftp to share files over local network? Most people use NFS or samba.

Offline Trio3b

Re: has networking changed?
« Reply #5 on: May 27, 2011, 10:10:11 AM »

Quote
I just looked at the security section you are talking about and the title of that section is wrong. It now reads "which services would you like to allow the internet to connect to". It should read "which services would you like to allow other computers over the network to connect to".

I think you nailed it! I have puzzled over this since MDV 10.0

Quote
"Computers over the network" will mean "computers on the internet" only if this computer is connected directly to the internet. Yours is not.

"Computers over the network" will mean "computer on local network" if the computer is connected on a local network, like in your case.

Your computer is connected to a local network and hence the title in your case is wrong and I think it should be changed to accommodate offering network services over local networks.

You are safe, allowing those services will only expose them to other computers on your local network, not to the internet.

Correct, I'm behind the router.

Quote
May I ask why you are using sftp to share files over local network? Most people use NFS or samba.

That's just the way I learned. Believe me I read for weeks about networking way back when and FINALLY after all command line pinging was successful but still could not use GUI to drag and drop files between PCs someone said just enter sftp://192.168.x.xxx into your file manager and it will work and I did and it does!

For what it's worth I could never get networking in Windows working properly either so maybe I just don't understand the mishmash of DNS, HOST, ftp, DHCP, Client, Zeroconf, gateway, hub, switch, router, firewall, proxies, MAC, IP, spoofing, ports, squid, samba, NFS, ssh, and the fact that each one of these services can be running, or need to be running on one, some or all machines in order to "see" another machine on a local network. It really is confusing. Too much for my little peanut.

For me most of the time, GUI drag and drop of directories and files between PCs is just faster so that's how I went. I have heard of NFS and Samba for years but don't know if they are daemons/services/backends that CAN use a GUI frontend or if they are GUI themselves. Maybe you can clear that up.

Off topic: An example was DansGuardian I tried to get working years ago until I realized that it was a SERVICE running in the background and had to be configured manually! I still have the printout of DG manual and there is no mention of how to "launch" the program in a GUI. I had just come from the Windows world and was dead in the water when after installation there was no menu entry and then when I launched from console it returned "DG is already running". Somewhere in those docs it should have mentioned this little tidbit and would have saved me hours. I think the same situation is going on here.

Slightly more on topic: I know for a fact that in an unrelated issue years ago I found another place where wording was ambiguous, so I found the text script (not shell executable) of that warning and altered it to be more accurate and it worked! That's why I was asking where the text was located about the host fingerprint text so I can rewrite it. Now that you mention it I would love to alter the "What services would you like the internet to connect to" title. Looked in /usr/share/docs but no luck.


Thanks





« Last Edit: May 27, 2011, 10:24:12 AM by Trio3b »

Online muungwana

Re: has networking changed?
« Reply #6 on: May 27, 2011, 01:24:23 PM »

Changes to the heading of that security section should be made at the distro level so that all users of pclinuxos can benefit. I hope somebody responsible for this tool is following the thread and will make the necessary changes. I have no idea where to go look for that text to change and I think it is buried somewhere in a binary executable and can't easily be changed.

samba and nfs are services aka "daemons". In pclinuxos, services are listed and can be started, stopped, set to autostart at boot time at PCC -> system -> manage system services by enabling and disabling them. "DansGuardian" would show up at the same section in pclinuxos.

If you want to know how to set up samba, then do the following when you have time and post back any problems or observations you find.

If you want to use samba, then install packages called "samba-server" and "samba-client". Then go to the services section and make sure samba (smb) service is running.

Then follow instructions on this post: http://www.pclinuxos.com/forum/index.php/topic,82772.msg686326.html#msg686326

After you are done with the above instructions, open the terminal and then type "smbtree -N" and post its output.

What desktop environment do you use? You can drag and drop files using samba to move them around. Each desktop environment and its associated file manager does it differently and I have to know which one you are using before I can tell you how to do it.

Setting up samba shares is very easy for some and very complicated for others for some reason.

Offline Trio3b

Re: has networking changed?
« Reply #7 on: May 27, 2011, 04:28:16 PM »
muungwana:

Thanks for your help and responses. Am using KDE4.6.1

I found the file called drakfirewall.pm located in: /usr/lib/libDrakx/network.

I made a copy of that file and saved in my /home for a backup. Then, in Dolphin> right click>edit as root and changed line 256 to read "Which services may networks connect to on this computer". Saved, fired up PCC and voila fixed the title!

Some other options might be:


Which services may networks connect to on this computer?
Which services on this computer may have access by the network?
Here you can allow or disallow network access to services on this computer.
Allow or Disallow network access to these services.

(It would be cool to have a mouse hover explaining that security is dependent on whether the PC is directly interfaced with the internet or behind a router.)

As of today I am able to ftp between desktop and lappy using file managers although initial authentications seem squirrely. I believe the router is still freaking out. I never had this issue when I used a hub and all wired connections. Once the connection is made however all is fast and proper and working through reboots so will mark solved.


I am going to try some of your recommendations as well.

Thanks again

« Last Edit: May 27, 2011, 06:47:53 PM by Trio3b »