Looks good! Comments inline...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> For idea on how LEAF should perform on your hardware, an old Pentium 1
> with suggested 24Meg's of RAM can saturate a T1 WAN connection running
> PCI network cards. It should be noted that PPPoE users have noticed
> sizable bandwidth gains running a Pentium1 166-233 Mhz boxes, but as a
> cable user myself running straight DHCP, a 486DX2 has provided me with
> maximum possible bandwidth for my connection.
Um...actually, a 386 should have no problem saturating a T1 WAN. Perhaps
something like:
486 systems can typically route 3-6 MBits/s, more than enough for the
average cable-modem/xDSL connection. Users with a PPPoE connection or a VPN
gateway (both CPU intensive) will likely see speed increases using a
Pentium-1 class system. Another big advantage to most Pentium systems is
the availability of PCI slots, allowing the use of modern, inexpensive (and
easy to configure!) PCI network cards. As a cable user myself running
straight DHCP, a 486DX2 has provided me with maximum possible bandwidth for
my connection.
> Dachstein
<snip>
> This is generally the choice version for those new to LEAF, being that
> 90% of the configuration is in one file (network.conf) and includes a
> dhcp server, a DNS cache-proxy, a web-based system monitor, and SSH
> (server and client) on the default disk. VPN passthrough is also
> configurable and working with IPSec and PPtP protocols. Dachstein
> can be used as a masquerading firewall, a non-masquerading firewall,
> or a non-firewalling router.
NOTE: SSH is only included by default on the CD-ROM...I think above, you're
talking about the floppy, but I'm not sure...
> #######################
> ## LRP COMMAND HELP ##
> #######################
>
> The network script will bring up or down any network card:
> # svi network
> Usage: network start|stop|reload
> network ifup|ifdown|ifreset eth0|eth1|eth2|all
> network ipfilter load|flush|reload
> network ipfilter list [input|output|forward|autofw|mfw|portfw]
> network ipfilter list masq|masquerade
>
> you can also use the net command
> # net
> Usage: net start|stop|reload
> net ifup|ifdown|ifreset eth0|eth1|eth2|all
> net ipfilter load|flush|reload
> net ipfilter list [input|output|forward|autofw|mfw|portfw]
> net ipfilter list masq|masquerade
IIRC, some of these commands are unique to the 'mountain' series, especially
the "net ipfilter ..." commands. Any 2.9.x or Oxygen users care to comment?
> ADDING A NEW PACKAGE
> # lrpkg -i <packagename>
> *NOTE* Also add to syslinux.cfg or lrpkg.cfg on your boot device
> to load at boot.
Does Oxygen still support lrpkg -i, or do you have to use apkg?
> # to set the SILENT_DENY (no logging) option to Dachstein Firewall.
>
> #SILENT_DENY="ProtoNumber_SourceAddress/Netmask_DestinationPort"
> #Netmask and DestinationPort are optional
>
> # rule in network.conf script to quit logging on certain packets
> SILENT_DENY="[protocol#]_[source ip address]/[netmask]_[destination
> port#]
> *note*-the netmask and destination port# are optional
>
>
> FIREWALL RUNNING RFC PRIVATE CLASS ADDRESS ON WAN CONNECTION
> # edit /etc/ipfilter.conf and comment out the applied line of the
> function:
>
> # #A function to filter out martian source addesses
> stop martians () {
> #RFC 1918/1617/1597 blocks
> $IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
> $IPCH -A $LIST -j DENY -p all -s 192.168.0.0/24 -d 0/0 -l $*
>
> #then have it take effect with "svi network reload".
Maybe something that makes it a bit clearer the above (silent deny and
private IP mods) only applies to the 'mountain' firewalls...not to Oxygen or
LRP 2.9.x
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
