"Scott C. Best" wrote:
>
> Matt:
> Heya. Some quick comments inline:
>
> > > Sounds good! I haven't checked echoWall on Oxygen yet,
> > > so good going.
> >
> > Thanks Scott, but they don't make it easy. There's no /etc/version
> > or convenient uname switch so a script can determine what OS it's
> > running on.
>
> Gah. I was wondering about that. The only thing preventing
> echoWall from running on Oxygen is that it needs a different gatping
> binary.

Um, I thought I posted that, even with a working gatping, Echowall
chokes on the lack of ipfwd. I don't know if it gathers the IP addresses
or network addresses correctly, because I never could get anyone to
compile ipfwd for me.

> Which we have, sure. Trick is to install the right one, either
> when the package is first installed via "lrpkg -i" or when it detects
> that it's being run for the first time. That I know I can detect. But
> now I need to consider how to detect the glibc version...

I don't think you have to worry about glibc, just worry that the fixed
gatping runs on Charles' OSes. It should, being it has better C code.

> > Well I wasn't sure what you were going to release.
> > I took a look at your website and it seems like
> > you're making good progress at echogent.com from the looks
> > of things.
>
> Heh. :) Our major release is on target for the end of the
> year. It's a "personal VPN" application called Kaboodle.

That's a good name.

[snip]

> The BSD license says yes to both.

That's very nice for simple shell scripts like ours.

[snip]

> Thanks! I should give it some more thought, perhaps release
> a more conventional tarball with a more conventional INSTALL script.
> Once I get the which-gatping-to-use issue settled, I should go
> for this.

I actually got 2/3 of the way through a configure script that was going
to generate a custom pfw (small, no comments). I got stuck when it got
complicated with 3 or 4 NICs. I don't have a network with enough real
IPs to test everything thoroughly (proxy arp, bridging). I decided my
future was not trying to write the best firewall for Linux with easy
web-based setup and monitoring. I have a killer app in mind, and I just
wanted to get pfw out so I could move on.

> > > Quick question: when you start it up, does it blow
> > > away what was there by default, or will there be conflict?
> >
> > Yes it runs a global flush and clobbers any of the good work
> > that Charles runs by default. Funny thing is, I always thought
> > it was just called Dachstein, not Dachstein Firewall. Once I ran
> > it, though, I realized that Charles had gone past a general router,
> > hardened it, and added a lot of nice touches like dnscache, and load
> > balancing. As I was near completion, I rolled it out for Dachstein,
> > anyway.
>
> The ram-disk log partition is my favorite. I've had to
> reboot my ES2B router once a month because of the firewall log
> filling the ramdisk...
>
> > Got to code some Java now for a break. Btw, do you have any idea
> > why a Nessus scan of my firewall would say that port 0 is open to
> > udp and tcp in the form of a bonk attack? I have those ports blocked
> > the usual way, so I'm thinking they're spurious report items.
>
> I didn't know there was a usual way to block those. That
> is, I didn't think the stock ES2B firewall rules address the
> non-standard port 0. I should check "ipchains -ln" the next time
> I boot sans echoWall...

I wasn't concerned about ES2B rules, just a general question. Even
rc.pf would have blocked any protocol to port 0, because it's not
expressly allowed. So the default rules at the end catch it. That's how
I noticed it in my pfw syslog entries. The www.vulnerabilities.com scan
included port 0, and rule #56 or whatever caught it. So then I made an
explicit rule to catch tcp and udp to port 0, and the scan still came
back that it was susceptible to an attack using that traffic in the form
of a bonk attack. My guess is that it's a bogus result. But I figure I
need to analyze a bonk attack and get into some gory details if I want
to be sure.

Thanks,
Matthew

> cheers,
> Scott

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
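As an added example (not code from this thread, nor from pfw or echoWall), here is the check Matthew describes doing by hand against his syslog: run over ipchains "Packet log:" lines, pick out every TCP/UDP packet addressed to destination port 0, and report which rule number caught each one and whether any were accepted rather than denied. That lets you confirm a scanner's "port 0 open" finding against what the firewall actually did. The log line layout is reproduced from memory of 2.2-kernel ipchains logging (an assumption), and the sample lines, hostname, addresses and rule numbers are constructed for the example.

```python
import re
from collections import Counter

# Regex for the ipchains kernel "Packet log:" line, e.g.
#   Packet log: input DENY eth0 PROTO=6 10.0.0.9:40321 192.0.2.1:0 L=40 ... (#56)
# Layout assumed from memory of 2.2-kernel ipchains logging.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample syslog excerpt: three probes to port 0 (two caught by
# the default rule #56, one by an explicit port-0 rule #7), one denied
# telnet attempt and one accepted ssh connection as noise.
SAMPLE_LOG = """\
Nov  5 10:22:31 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40321 192.0.2.1:0 L=40 S=0x00 I=31337 F=0x0000 T=64 (#56)
Nov  5 10:22:32 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:40322 192.0.2.1:0 L=28 S=0x00 I=31338 F=0x0000 T=64 (#56)
Nov  5 10:22:33 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:40323 192.0.2.1:23 L=40 S=0x00 I=31339 F=0x0000 T=64 (#56)
Nov  5 10:22:34 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.9:40324 192.0.2.1:22 L=40 S=0x00 I=31340 F=0x0000 T=64 (#12)
Nov  5 10:22:35 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:40325 192.0.2.1:0 L=28 S=0x00 I=31341 F=0x0000 T=64 (#7)
"""


def parse_packet_log(text):
    """Return one dict per ipchains packet-log line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PACKET_LOG.search(line)
        if not m:
            continue  # cron, sshd, etc.: not a packet-log line
        rec = m.groupdict()
        for key in ("proto", "sport", "dport", "rule"):
            rec[key] = int(rec[key])
        rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        records.append(rec)
    return records


def port_zero_report(records):
    """Summarise packets to destination port 0: count, by (proto, action, rule),
    and the list of any that were ACCEPTed (which should be empty)."""
    hits = [r for r in records if r["dport"] == 0]
    by_rule = Counter((r["proto_name"], r["action"], r["rule"]) for r in hits)
    accepted = [r for r in hits if r["action"] == "ACCEPT"]
    return {"hits": len(hits), "by_rule": dict(by_rule), "accepted": accepted}


if __name__ == "__main__":
    report = port_zero_report(parse_packet_log(SAMPLE_LOG))
    print(f"packets to port 0: {report['hits']}")
    for (proto, action, rule), n in sorted(report["by_rule"].items()):
        print(f"  {proto:4s} {action:6s} rule #{rule}: {n}")
    if report["accepted"]:
        print("WARNING: port-0 packets were accepted:", report["accepted"])
    else:
        print("no port-0 packets accepted; a scanner 'open' verdict is not supported by the log")
```

If every port-0 packet shows up as DENY, the scanner's verdict is not backed by anything the firewall passed; the next thing to look at is whether the scanner is reacting to a reply (an ICMP unreachable or TCP reset) that a REJECT rule or the stack sends back, which is a different question from whether the packet was forwarded.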