Re: [Leaf-devel] Dachstein port forwarding FAQ

2002-03-27 Thread Matt Schalit

guitarlynn wrote:
> If everyone is not bothered by anything contained in this FAQ,
> I'll format it and submit it to the docmanager in the next day or two.
> 
> Thanks,
> ~Lynn


You probably caught this one already, but if not, you're missing
a word in the second sentence of para 4.


>>4) You are now finished with all the configuration. You should now
>>the "lrcfg" menu system (if you are not using it already) and
>>choose the backup option.


Many thanks for all that you've done to help the cause.
You've really done a lot since you joined up.
Matt


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel



Re: [Leaf-devel] Reduce size with newer glibc (no more old Debian)

2002-03-27 Thread David Douthitt

On 3/28/02 at 1:32 PM, Takuya Satoh <[EMAIL PROTECTED]> wrote:

> Hi, just a suggestion how to further reduce executable
> sizes while using up-to-date glibc - why not to use
> uClibC?
> 
> http://uclibc.org/

Some have suggested this.  In the case of Oxygen, it is necessary for
many utilities to have a fully functional glibc - as well as things
like libpcap, libm, libcap, libz and others.

Oxygen does, however, use a busybox statically linked with uClibc in
order to boot.

> Another interesting set of basic utilities even smaller
> and faster than busybox is the asmutils package:
> 
> http://linuxassembly.org/

Oxygen uses date, chroot, and lsmod I think - maybe others.  busybox
was designed to be portable; it can run on MIPS and ARM and others -
m68k I think too.

asmutils only work on ix86.

Good things to look at.
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]




Re: [Leaf-devel] Dachstein port forwarding FAQ

2002-03-27 Thread guitarlynn

If everyone is not bothered by anything contained in this FAQ,
I'll format it and submit it to the docmanager in the next day or two.

Thanks,
~Lynn

> ##  start of FAQ  
>
>
> Q. How do I port forward a service through my Dachstein firewall to
> my internal network?
>
> A. There are four steps to port forwarding in Dachstein. They are as
> follows:
>
> 1) Edit /etc/modules and uncomment the "IP_masq_portfw" module.
>Save the file and exit. You may need to download this module
>and copy it to /lib/modules on your running LEAF system if you
>are using the floppy version.
>
> 2) Edit /etc/network.conf to open the desired external port you would
>    like to forward with one of the two available options:
>
>  # TCP services open to outside world
>  # Space separated list: srcip/mask_dstport
>  EXTERN_TCP_PORTS="0/0_www"
>
>  # -or-
>
>  # Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
>  #EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
>  EXTERN_TCP_PORT0="0/0 www"
>
>
> Use only one of these two forms of entry. If you use both, only the
> one you use first will have any effect. Whichever one appears second
> in the file will be disregarded. Be sure that the one you are not
> using is "commented out" with a "#" at the beginning of the line.
>
> You can use either the actual port number itself (for example, "80"),
> or you can use the symbolic name for the port that appears in the
> file /etc/services (in the same example, "www").
>
>
>
> 3) While you're editing /etc/network.conf, you will also need to
> specify the port forwarding itself. You do this with:
>
>  # Uncomment following for port-forwarded internal services.
>  # The following is an example of what should be put here.
>  # Tuples are as follows:
>  #  
> 
> INTERN_SERVERS="tcp_${EXTERN_IP}_www_192.168.1.1_www"
>
>  #-or-#
>
>  # These lines use the primary external IP address...if you need to
>  # port-forward an aliased IP address, use the INTERN_SERVERS setting above
>  #INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
>  INTERN_WWW_SERVER=192.168.1.1   # Internal WWW server to make available
>
>   As with Step 2, you can use one of these options or the other, but
> not both. I suggest using the first option, since all ports and
> addresses are explicitly stated and you can use different ports coming
> into and forwarded out of the firewall. It also allows more flexibility
> for using non-standard ports.
>
>   I personally use port 81 for my external web-services, but use port 80
> on the internal network. The first syntax allows for forwarding the
> external port 81 to the internal port 80 with a line like this:
>
>  INTERN_SERVERS="tcp_${EXTERN_IP}_81_192.168.1.1_80"
>
>   After you are finished with the configuration here, save the file
> and exit the editor.
>
>
>
> 4) You are now finished with all the configuration. You should now use
> the "lrcfg" menu system (if you are not using it already) and
> choose the backup option. You will need to backup the "etc" and
> "modules" packages. After both of the packages are backed up, exit
> the menu system and reboot the Dachstein machine. Your new port
> forwarding setup should now be operational.
>
> # end of FAQ  

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

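The four steps in the FAQ above are done by hand in /etc/network.conf. As an added example (not Dachstein's own scripts, which the FAQ does not show), the POSIX sh script below validates INTERN_SERVERS tuples of the form the FAQ uses, proto_extip_extport_intip_intport, and prints the ipchains rule that opens the external port together with the ipmasqadm portfw entry that such a forward expands to on a 2.2 kernel. The exact command forms, the interface name eth0 and the address 1.2.3.4 are assumptions, not taken from the FAQ.

```sh
#!/bin/sh
# Added example (not the Dachstein scripts themselves): validate Dachstein-style
# INTERN_SERVERS tuples, proto_extip_extport_intip_intport, and print the
# ipchains/ipmasqadm commands a 2.2-kernel port forward needs. The command forms
# are assumed; the interface and address below are constructed placeholders.

EXTERN_IF="${EXTERN_IF:-eth0}"      # assumed external interface
EXTERN_IP="${EXTERN_IP:-1.2.3.4}"   # constructed external address

# Accept a dotted-quad IPv4 address only (each octet 0-255).
portfw_check_ip() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Accept a numeric port 1-65535 or a symbolic /etc/services name such as "www"
# (names are left to the tools to resolve at run time).
portfw_check_port() {
    case $1 in
        ''|*[!0-9A-Za-z-]*) return 1 ;;
        *[!0-9]*) return 0 ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# Split one tuple on "_" into its 5 fields; print them, or complain and return 1.
portfw_parse() {
    oldifs=$IFS; IFS=_; set -- $1; IFS=$oldifs
    if [ $# -ne 5 ]; then
        echo "rejected: need proto_extip_extport_intip_intport" >&2; return 1
    fi
    case $1 in tcp|udp) ;; *) echo "rejected: protocol '$1' (tcp or udp only)" >&2; return 1 ;; esac
    portfw_check_ip "$2"   || { echo "rejected: external address '$2'" >&2; return 1; }
    portfw_check_port "$3" || { echo "rejected: external port '$3'" >&2; return 1; }
    portfw_check_ip "$4"   || { echo "rejected: internal address '$4'" >&2; return 1; }
    portfw_check_port "$5" || { echo "rejected: internal port '$5'" >&2; return 1; }
    echo "$1 $2 $3 $4 $5"
}

# For each tuple: open the external port on the input chain (step 2 of the
# FAQ), then add the masquerade port-forward entry (step 3). Prints the
# commands; returns 1 if any tuple was rejected.
portfw_rules() {
    rc=0
    for tuple in "$@"; do
        fields=$(portfw_parse "$tuple") || { rc=1; continue; }
        set -- $fields
        echo "ipchains -A input -i $EXTERN_IF -p $1 -s 0.0.0.0/0 -d $2 $3 -j ACCEPT"
        echo "ipmasqadm portfw -a -P $1 -L $2 $3 -R $4 $5"
    done
    return $rc
}

if [ "${PORTFW_APPLY:-0}" = 1 ]; then
    portfw_rules "$@" | sh -e        # apply: feed the generated commands to a shell
else
    # Dry run over the FAQ's two examples plus one deliberately broken tuple.
    portfw_rules "tcp_${EXTERN_IP}_www_192.168.1.1_www" \
                 "tcp_${EXTERN_IP}_81_192.168.1.1_80" \
                 "tcp_${EXTERN_IP}_81_192.168.1.1" || :
fi
```

Run as written it only prints; PORTFW_APPLY=1 with tuples on the command line pipes the commands into a shell. The validation is the point: a tuple with a missing field would otherwise forward the wrong port or nothing at all, and a port outside 1-65535 or a protocol other than tcp/udp is rejected before it reaches the kernel.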



[Leaf-devel] Basic IPSec HowTo

2002-03-27 Thread guitarlynn

I am posting a first draft of a "Basic IPSec HowTo" for consideration 
and advice. It should be compatible with any IPSec-enabled LEAF
release. I would like to add some "Dia" .jpg's to it for clarity, if the
docmanager will allow it (???). 

Thoughts?

# start of HowTo ###

# Basic IPSec VPN HowTo  ##
By Lynn Avants

Virtual Private Networking (aka "VPN") is very popular for low-cost connections
between remote offices, employees that need a connection to the company LAN from
home, and mobile users that need to access a private LAN while on the run. This
document covers several different connection types that are commonly used with a
LEAF firewall or router running the IPSec VPN program. IPSec is known to
integrate with Windows 2000 VPN, Cisco VPN, UNIX IPSec, SSH Sentinel, and many
other commercial VPN solutions. Hopefully this will answer many questions
regarding VPN setup and use.



TABLE OF CONTENTS


1) General Information

2) Connection Types

3) Firewall Considerations

4) Firewall Pass-Through

5) Host to Host Connections

6) Host to Subnet Connections

7) Subnet to Subnet Connections

8) Gateway to Gateway Connections

9) /etc/ipsec.conf

10) /etc/ipsec.secrets

11) Bringing up the Connection

12) Troubleshooting

13) Links




1) GENERAL INFORMATION

IPSec is an OpenSource program for VPN connections that has been packaged for
LEAF use. This document is based on my custom Dachstein-IPSec enabled floppy
image, but is totally compliant with the Dachstein CDROM release and is
configurable to any LEAF or Linux system using IPSec.

I will describe using Pre-shared Secret Keys (PSK) and RSA Key authentication
within the scope of this document. X.509 certificates may be used with IPSec,
but additional licensing may be needed to create the certificates. Certificate
type authentication is described thoroughly in other documents, and explained
better by someone that has more experience than myself.

A "Pre-shared Secret Key" (PSK) is a secret alpha-numeric key that is created
by the person setting up the IPSec configuration. This "secret password" is
exactly the same on all the computers authenticating the connection and is
case-sensitive.

An "RSA Key" is an authentication method that uses a program to generate a set
of authentication keys. This program is built into IPSec. Each computer should
generate its own set of keys. The private key is kept secret by the computer
that generated it, and the public key is copied to the remote computer(s) for
use in authenticating the connection. A basic way of describing this is
accessing a safe-deposit box at a post office or bank. The post office or bank
keeps one key and the person renting the box keeps a different key. To gain
access to the box, both keys must be used to open the door. RSA is an
electronic equivalent of this. This authentication method is also used with
other programs, such as "ssh" and "cvs". This is the suggested method for
authentication.

There are several different encryption algorithms that can be used for closed
source versions of IPSec, however the strongest one available for the open
source version of IPSec at this time is the "3DES" algorithm. This is the only
one that I suggest using.


Required packages for connections (other than Firewall-Pass-Through):

an IPSec-patched kernel for your distribution/version
ipsec.lrp
ifconfig.lrp
mawk.lrp
ipsec509.lrp (if using X.509 authentication certificates instead of PSK or RSA Keys)



2) CONNECTION TYPES

Firewall-pass-through: This connection is for an individual computer behind a
firewall to make a connection to a remote computer or network. The firewall
that is protecting the individual computer does not participate in the VPN
connection or authenticate it, but rather allows the connection "through" the
firewall. A home connection that is protected to a company network is an
example of this type of connection.

Host to Subnet: This connection is for a single computer to connect to a remote
network. This is typically known as the "Road Warrior" connection and the
remote computer is not behind a firewall. The IP address that the remote
computer will be using is normally not known for configuration.

Subnet to Subnet: This connection is for remote offices to connect their
respective private networks to each other. The IPSec Gateway boxes do NOT
participate in the actual network tunnel, but rather only set up the connection
and forward the traffic between the locations.

Gateway to Gateway: This connection is very similar to the Subnet-to-Subnet
connection but differs in that the IPSec Gateway boxes themselves participate
in the tunneled connection. The Gateways may be used for WINS and/or DNS
services through the tunnel.



3) FIREWALL CONSIDERATIONS

IPSec uses protocols 50 and 51 and port 500 for communication. You will need to
allow
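Section 3 of the draft names the protocols (ESP is IP protocol 50, AH is 51, IKE is UDP port 500) but stops before the rules. As an added example, not part of the HowTo, the sh function below prints the ipchains rules that admit those three to the firewall's external interface for one peer and confine the decrypted traffic to the two LANs; it also covers the Road Warrior case from section 2, where the peer's address is not known in advance. The interface names, the addresses, the ipchains syntax and the ipsec0 virtual interface (FreeS/WAN on a 2.2 kernel) are assumptions of this example, since the draft names neither the implementation nor its interfaces.

```sh
#!/bin/sh
# Added example, not part of the draft HowTo: print the ipchains rules that let
# IPSec traffic (ESP = IP protocol 50, AH = IP protocol 51, IKE = UDP port 500)
# reach and leave the firewall, and let the decrypted traffic reach the LAN.
# Interface names and addresses are constructed placeholders; the ipsec0
# virtual interface (FreeS/WAN on a 2.2 kernel) is assumed, as the draft does
# not name the IPSec implementation or its interface.

EXTERN_IF="${EXTERN_IF:-eth0}"
EXTERN_IP="${EXTERN_IP:-1.2.3.4}"
INTERN_IF="${INTERN_IF:-eth1}"
INTERN_NET="${INTERN_NET:-192.168.1.0/24}"

# Rules for one peer: $1 is the peer's address, $2 the subnet behind it.
# For a "Road Warrior" (section 2) the address is unknown in advance, so pass
# 0.0.0.0/0 as $1; for a host-to-host connection omit $2 (defaults to the peer).
ipsec_peer_rules() {
    peer=$1
    remote_net=${2:-$peer}
    # IKE negotiation and the protected packets travel over the real interface.
    for proto in 50 51; do
        echo "ipchains -A input -i $EXTERN_IF -p $proto -s $peer -d $EXTERN_IP -j ACCEPT"
        echo "ipchains -A output -i $EXTERN_IF -p $proto -s $EXTERN_IP -d $peer -j ACCEPT"
    done
    echo "ipchains -A input -i $EXTERN_IF -p udp -s $peer 500 -d $EXTERN_IP 500 -j ACCEPT"
    echo "ipchains -A output -i $EXTERN_IF -p udp -s $EXTERN_IP 500 -d $peer 500 -j ACCEPT"
    # Plaintext enters and leaves the tunnel on ipsec0; confine it to the two
    # LANs so the tunnel cannot be used to reach arbitrary addresses.
    echo "ipchains -A input -i ipsec0 -s $remote_net -d $INTERN_NET -j ACCEPT"
    echo "ipchains -A forward -i $INTERN_IF -s $remote_net -d $INTERN_NET -j ACCEPT"
    echo "ipchains -A forward -i ipsec0 -s $INTERN_NET -d $remote_net -j ACCEPT"
    echo "ipchains -A output -i ipsec0 -s $INTERN_NET -d $remote_net -j ACCEPT"
}

# Number of rules one peer definition expands to (a quick sanity check when
# comparing against what ipchains -L actually shows).
ipsec_rule_count() {
    ipsec_peer_rules "$@" | wc -l | tr -d ' '
}

# Demo: a subnet-to-subnet peer with a known address, then a Road Warrior.
ipsec_peer_rules 5.6.7.8 192.168.2.0/24
ipsec_peer_rules 0.0.0.0/0
```

Two things to keep in mind when using output like this. Rule order matters on a masquerading firewall: the forward-chain ACCEPT for traffic headed into the tunnel must come before the MASQ rule, otherwise packets for the remote subnet are rewritten to the external address and never match the tunnel policy. And passing 0.0.0.0/0 for a Road Warrior opens IKE and ESP to every address on the Internet, which is the price of not knowing the peer's address; the PSK or RSA authentication is then the only thing between the tunnel and anyone who can reach port 500.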

[Leaf-devel] Reduce size with newer glibc (no more old Debian)

2002-03-27 Thread Takuya Satoh

Hi, just a suggestion how to further reduce executable sizes while using
up-to-date glibc - why not to use uClibC?

http://uclibc.org/

Another interesting set of basic utilities even smaller and faster than
busybox is the asmutils package:

http://linuxassembly.org/

Regards,  Taka


