Re: [leaf-devel] Mike Noyes

[Scott C. Best]

Phil:

Please pass along my wishes to Mike for a speedy recovery!

-Scott

On Mon, 12 Apr 2004, Phil Noyes wrote:

> Everyone,
>
> Mike was in a accident. He is in the hospital. He asked me to let you
> know that he would not be working on the WEB page for a while. He hit
> his head while riding his bicycle. He was in surgery for 3.5 hours.
> It looks good for a full recovery. I do not expect him to start work
> on the WEB page before next month.
>
> Phil Noyes




---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] New use for firewalls?

[Scott C. Best]

Charles:

Heya. Don't even need a rogue WAP: LinkSys (now Cisco)
has a driverless wired-to-wired bridge, the WET11. Attach that
to any "secure" wired socket and a whole world of problems comes
down.
Partly, this has been a motivational driver behind the
Kaboodle project which conumes most of my cycles (www.Kaboodle.org).
It manages a visual "LAN poulation" GUI, updated automatically,
so you can see everything that's on the network at all times.
As soon as something joins, Kaboodle will sniff its ARP "who
has" requests, and present it into the GUI. It's not perfect (eg,
it uses MAC address for long-term identifiers) but I've cuaght my
neighbors using my WLAN more than once. :)

-Scott


On Tue, 25 Mar 2003, Charles Steinkuehler wrote:

> David Douthitt wrote:
> > I've been working with this new Airport (Apple's 802.11b wireless) and
> > finding out just how insecure America's wireless networks are.
> >
> > Seems like a good purpose for a 486 or Pentium with two network cards
> > would be to act as a firewall and proxy between wireless clients and
> > the rest of the network.  Each base station or access point could then
> > be isolated from the rest of the network, and only authorized clients
> > could be allowed in.
> >
> > Authorization could be done over SSL, and all access could be
> > controlled via web proxy and ftp proxy.  SSH could be used for terminal
> > access (through the firewall).
> >
> > Are people using these "wireless" solutions that way?  Is there one out
> > there already?
>
> Lots of folks are doing this with their wireless networks, and using
> linux based boxes to provide the firewalling.  Off the top of my head,
> check out the NoCatNet folks (mainly geared towards publicly available
> wireless lans, but requiring login/auth before use):
>
> http://nocat.net/
>
> There are, however, major problems with *ANY* access-point firewall type
> solution.  While your "wired" networks are protected from rogue wireless
> clients, what protects valid wireless devices from attack or sniffing by
> other wireless clients?  Going a step further, given the ease of
> installing a $50 WAP, exactly how secure are your internal networks that
> rely on a "physical access" security model?  Are you sure some bozo in
> sales didn't install a WAP just so he could browse the 'net from his
> laptop while on a smoke break?  If he did, how would you know, and how
> could you protect your network from this in advance?
>
> I think we're heading to a point where *ALL* communication across a
> network, whether internal or external, wired or wireless, will need to
> be encrypted, and/or authenticated for any reasonable expectation of
> security.
>
> --
> Charles Steinkuehler
> [EMAIL PROTECTED]
>
>
>
>
> ---
> This SF.net email is sponsored by:
> The Definitive IT and Networking Event. Be There!
> NetWorld+Interop Las Vegas 2003 -- Register today!
> http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
>
> ___
> leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>



---
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en

___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] New use for firewalls?

[Scott C. Best]

David:

Heya. In my experience, wireless-access points are
always placed on the outside of a corporate LAN's firewall, on
a specific interface. And that interface is setup to deny all
traffic not of type IPSec or PPTP. A VPN server is then setup
behind the firewall, and all wireless members are then required
to authenticate with a VPN client to the VPN server.

Without this authentication, any wireless member can
still access the WAN connection...which turns out to be a big
feature, as contractors/partners/customers who come to visit
the facility can still VPN back into their own corporate LAN.

Otherwise...regarding firewall-authentication for
wireless users, I *think* that's what NoCat's all about. Along
those lines, I started a project called "Radiance" once that
was a lot like you described. I can dig up some details if
you're interested...

-Scott

On Tue, 25 Mar 2003, David Douthitt wrote:

> I've been working with this new Airport (Apple's 802.11b wireless) and
> finding out just how insecure America's wireless networks are.
>
> Seems like a good purpose for a 486 or Pentium with two network cards
> would be to act as a firewall and proxy between wireless clients and
> the rest of the network.  Each base station or access point could then
> be isolated from the rest of the network, and only authorized clients
> could be allowed in.
>
> Authorization could be done over SSL, and all access could be
> controlled via web proxy and ftp proxy.  SSH could be used for terminal
> access (through the firewall).
>
> Are people using these "wireless" solutions that way?  Is there one out
> there already?
>
> --
> David Douthitt
> [EMAIL PROTECTED]
> UNIX SysAdmin - HP/UX, UnixWare, Linux
> LPIC-1, Linux +
>
>
>
> ---
> This SF.net email is sponsored by:
> The Definitive IT and Networking Event. Be There!
> NetWorld+Interop Las Vegas 2003 -- Register today!
> http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
>
> ___
> leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>



---
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en

___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [leaf-devel] Java on Bering

[Scott C. Best]

Heyaz. Been a while since I posted. :)

Another Java-on-Linux is Blackdown: http://www.blackdown.org

Size requirements are:

JDK 1.02:  28M RAM, 10M Disk
1.1.8  35M RAM, 40M Disk
1.2.2  100M RAM, 61M Disk

So if your app runs with a 1.02 JDK, it doesn't look
impossible for LEAF...

-Scott


On Thursday 13 March 2003 05:17 am, S Mohan wrote:
> I want to run a Java App on Bering and build a dedicated, robust embedded
> box for a specific purpose. How do I do this? Is java available as an lrp
> on Bering?




---
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en

___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

[leaf-devel] OT: Job opening

[Scott C. Best]

Heyaz. Quick off-topic: my day-job is looking for
a *nix IT guy, 650 area code, fulltime (sal, bennies, etc)
if you're interested. I can pass your resume along.

cheers,
Scott




---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re[3]: [Leaf-devel] Dave Cinege

[Scott C. Best]

Ray:
Akshally...I pinged the DNS servers that WHOIS reported
a few minutes after Mike first emailed. They were not responding
to pings. They are now, obviously. I think that's all that Mike
meant when he said "not working".

-Scott

On Thu, 8 Aug 2002, Mike Sensney wrote:

> Sorry. Didn't mean to cause offence.
>
> Thursday, August 8, 2002, 1:51:19 PM, Ray Olszewski wrote:
> RO> At 01:23 PM 8/8/02 -0700, Mike Sensney wrote:
> >>Thursday, August 8, 2002, 1:20:45 PM, Ray Olszewski wrote:
> >>
> >>RO> What do you mean by "DNS is not working"? My tests say it is working just
> >>RO> fine. Excerpts below:
> >>
> >>RO>  ray@waverly:~$ whois linuxrouter.org
> >>
> >>Whois only looks up the domain registration. It does not check to see
> >>if DNS is working.
>
> RO> Mike -- I'm not stupid (not that stupid, anyway). Please read my entire
> RO> prior message. After doing the whois check (to get the addresses of the DNS
> RO> servers), I used "host" to check that actual names resolved, and ping'ed
> RO> linuxrouter.org successfully. It's all there in what I posted.



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: Re[2]: [Leaf-devel] Dave Cinege

[Scott C. Best]

Charles:

Heya. I still haunt the LRP list, and Dave flipped the
"no spam" switch back in April or so. It was a fairly busy list
before he did that, mostly with some peculiar firewall/router
concerns regarding penis size and mortgage rates...

-Scott


On Thu, 8 Aug 2002, Charles Steinkuehler wrote:

> I suppose it's possible...
>
> One odd thing now that linuxrouter.org is back up...there seems to be a
> lot of traffic listed in the list archives that doesn't make it to the
> Geocrawler archive, including a lot of SPAM.  Mike:  Since it sounds
> like you're still subscribed, do you get all this SPAM & traffic from
> the linuxrouter list, just the stuff that's listed at geocrawler, or
> something in-between?  IIRC, when I was subscribed to the linuxrouter
> list, the geocrawler site wasn't doing a very good job of archiving the
> list...maybe this is still a problem?
>
> Oh...linuxrouter.org wasn't working for me when I initially wrote my
> reply either, I just thought to check psychosis.com before I clicked
> "send", and lo-and-behold, everything was back online...
>
> - Charles
>
> > Very strange. It is working for me now also. But I had tried accessing
> > the linuxrouter site just before sending my message. And now it is
> > working for me also. Maybe DC reads this list. :-)
> >
> > Thursday, August 8, 2002, 12:47:16 PM, Charles Steinkuehler wrote:
> > CS> And the Geocrawler archive of the linuxrouter lists only 11
> messgaes for
> > CS> all of July, with the last one on 7/24/2002...none yet in August,
> and
> > CS> only 364 messages for the entire year!
>
>
>
> ---
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Dave Cinege

[Scott C. Best]

Mike:
I was just wondering about this last night. You're right
about the network trouble: none of the DNS servers in the WHOIS
record for linuxrouter.org are responding to pings (four machines
in the Linkscape.net domain).

-Scott

On Thu, 8 Aug 2002, Mike Sensney wrote:

> News Flash for what it is worth...
>
> I tried to get through to www.linuxrouter.org and couldn't. Further
> checking shows that DNS is not working on the following domain names,
> all of which are owned by Dave Cinege.
>
> linuxrouter.org, Linkscape.net, psychosis.com
>
> I'm subscribed to the LRP list (still.) The last message I got from
> that list is dated 7/24/2002.
> --
> Mike Sensney
>
>
>
> ---
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] is Bering GNU?

[Scott C. Best]

George:

I just wanted to point out the obvious:

>  Is Bering GNU?
> [snip]
> ...I know asking for doc is a lot, but
> maintaining a file of command lines used to make the binaries
> from source would be an excellent first step.

While I'm no expert, this is a new definition of GNU for
me: requiring "a file of command lines used to make [all of] the
binaries [in the whole distribution]".

The source code for Bering (kernel, modules, patches,
packages, etc), and all of the precompiled binaries that come
with it, is freely available to anyone who requests it. Further,
any modifications to GPL'd code that Jacques and Eric made are
also GPL'd.

That's GNU. Perhaps you are more accustomed to compiling
a standalone binary, most of which utilize a "./configure" script
(itself a GPL'd item), at the command line of a full *nix distro.
However, adhering to such a *convention* (that's all it is) is not
mandated within the precepts of the Copyleft. Nothing is more or
less GNU for doing it or not doing it in this fashion.

Also, obviously, you're quite welcome to take Bering,
modify it as you wish, put it on an EEPROM for your own use, and
never distribute it. That's GNU too.

-Scott

PS: Bering being central to LEAF, I've restricted my cross posting
to just the LEAF lists.



---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] How do I request help FAQ

[Scott C. Best]

A quick comment:

> 1. Is incorporating a "diagnostics" script in into each LEAF
> distribution a good idea? Probably (as long as it doesn't get
> so big as to cause problems with fitting on a floppy).

This is a good idea. We could ask for users to post
*at a minumum* the results of "~root/diagnose", which creates a
file called "SENDME". That will provide a 90-percent solution,
which sometimes is as good as you can get.

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Telnet script

[Scott C. Best]

Heh. Cool. The elegant things impress me these
days. :)

-Scott, who enjoyed the Ticker thread...

On Mon, 28 Jan 2002, Mike Sensney wrote:

> Here is an interesting little telnet client written in bash.
> I haven't tried it so I don't know if it works...
> Author: Tim Waugh at Red Hat.
>
> http://people.redhat.com/twaugh/ftp/pmt/pmt
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Greetings from the wonderful world of NoCat...

[Scott C. Best]

S:
Thanks for your patience with me on this. :)

> > > In a typical setup, no sensitive information is stored on the firewall
> > > machine (or gateway, as we call it), so I'm afraid I don't understand
> > > your question.
> >
> > My impression was that the NoCatAuth process verified this
> > login-password-MAC thing, and so would need to storesomething?
>
> True, but in a typical setup, none of this information is ever sent to
> or stored on the gateway. That all happens over SSL to a (theoretically)
> secure box elsewhere on the Internet. A large part of the design of
> NoCatAuth is intended to preserve trust -- you don't give your password
> to a gateway you don't necessarily trust, and the gateway doesn't trust
> *you* to tell it who you think you are.

Ah! This was one of my "other questions". :) There's another
box (say, a RADIUS server) that the user authenticates with, then?
Upon which...a go/no-go is delivered back to the gateway? I guess
I thought the gateway/firewall box *was* this authentication server.

> > From my perspective, I see 'theft of service' as, well, the
> > point of any authentication scheme. Perhaps my perspective isn't
> > that aligned with NoCat's?
>
> I'm afraid I don't understand your question, then. In a nutshell,
> NoCatAuth severely limits a client's access to network services (in a
> customizable fashion) until authentication occurs. What would we need a
> TCP hack like LaBrea for?

Well...not that I've done this...I was thinking that one way
of preventing a user from getting onto the WLAN in a useful way (say,
to attack another WLAN user that's behind the firewall) would be to
make LaBrea (on the gateway) consume all of the subnet address space.
Only after a user is authenticated would it "release" a specific IP
address from the tarpit, and give out that address to the user in a
DHCP lease. Again, just thinking out loud here: if the unused IP space
was tarpitted, it'd seem to me more difficult for someone to spoof their
way onto the WLAN and cause mischief.

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Greetings from the wonderful world of NoCat...

[Scott C. Best]

Clarifying...

> > 1. What were your design considerations in regards to putting the
> >authorization info and server on the firewall itself? The
> >alternatives are harder, but strike me as possibly more secure
> >than putting such important stuff on boxes whose physical
> >security cannot be assured.
>
> In a typical setup, no sensitive information is stored on the firewall
> machine (or gateway, as we call it), so I'm afraid I don't understand
> your question.

From the NoCat whitepaper:

|-The Client then makes an HTTPS POST request to the Authentication
| Service (probably via an SSL enabled browser.)  The POST request
| includes the member's login, password, and optional MAC address
| information.>
|-The Authentication Service validates the request, and returns an>
| appropriate response to the Client.

My impression was that the NoCatAuth process verified this
login-password-MAC thing, and so would need to storesomething?


> > 2. Any thoughts about HereUAre.com? I met with them last year
> > downin Santa Clara, CA., though nothing came of it.
> Don't know anything about it, but last we heard they were trying to
> make money on a public radio band, so we weren't especially interested.

So radio's and radio silicon is okay to sell, but not radio
service? :*) Not trying to bait you here -- I'm a big proponent of
public-access 802.11 hotspots. So much so that I wish it could move
at the velocity of something driven by capitalism rather than altruism.

> > 3. I was curious if you've looked at LaBrea at all, to tarpit the
> >unused IP's on the WLAN until someone authenticates with your
> >NoCatAuth.
>
> Never looked at it before you mentioned it, but I'd say it's basically
> outside the scope of our project. Other wireless groups have expressed
> an interest in RIDS, to prevent luser antics on the wireless network,
> and our attitude is basically the same. We do require transparent port
> forwarding on the gateway firewall, however.

From my perspective, I see 'theft of service' as, well, the
point of any authentication scheme. Perhaps my perspective isn't
that aligned with NoCat's?

Thanks again!

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Greetings from the wonderful world of NoCat...

[Scott C. Best]

Schuyler:

Hello! Welcome to LEAF. I got about a dozen questions
about NoCat (*great* name, btw), but I'll start with just three.
Feel free to reply on-list or off-list or whatever you think is
best:

1. What were your design considerations in regards to putting the
   authorization info and server on the firewall itself? The
   alternatives are harder, but strike me as possibly more secure
   than putting such important stuff on boxes whose physical
   security cannot be assured.

2. Any thoughts about HereUAre.com? I met with them last year
   down in Santa Clara, CA., though nothing came of it.

3. I was curious if you've looked at LaBrea at all, to tarpit the
   unused IP's on the WLAN until someone authenticates with your
   NoCatAuth.

Again, welcome! Looking forward to your thoughts...

cheers,
Scott


On Thu, 24 Jan 2002, Schuyler Erle wrote:

> Hi, everyone. I've been invited to represent the NoCat development team
> on this list. For a while, we had been developing an LRP derivative for
> wireless projects called WRP. After putting some work into it, we ran
> into the
> fundamental limitations of the floppy media, especially considering that
> our flagship project (NoCatAuth) was being developed in perl, of all
> things, which would *never* fit on a floppy.
>
> A few things have revived my interest since then. OpenAP, in particular,
> shows that there is a great need for free wireless network software in
> embedded environments. Recent developments in uClibc have restored my
> faith in the possibility of fitting useful linux applications in
> floppy-sized distributions. Finally, demand for a C port of NoCatAuth
> suggests that we revisit the notion of supporting a platform for it.
>
> So here we are. You can find all of our work at http://nocat.net. Right
> now, WRP is kind of in disrepair, but I'll be looking shortly at
> bringing it up to date with the latest busybox, uClibc, and linux
> kernels, or perhaps merging functionality with other LEAF projects. Your
> comments and advice are welcome. Please feel free to direct any
> questions my way, especially those relating to wireless networking
> distros.
>
> SDE
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] New LEAF user Choose version FAQ

[Scott C. Best]

Jack:
That's a really good point: the biggest advantage that
a LEAF system has over a low-end LinkSys/Sonicwall/Netscreen
appliance is that LEAF *really is* a Linux system. A user can
add software to it almost as easily as adding software to a
RedHat desktop; just find the package.lrp file and "lrpkg -i"
it. Install ssh/scp clients, perl, IPSec endpoints, nmap, even
FTP servers. Can't do that to PIX nevermind a LinkSys box.

-Scott


On Tue, 8 Jan 2002, Jack Coates wrote:

> On Tue, 8 Jan 2002, Scott C. Best wrote:
> > > that you can make from old spare parts or find laying out in the trash
> > > or a friends garage?
> >
> > Well...it's not as if you build it from paint cans and nerf
> > footballs. :) It does turn the doorstop of an old PC into something
> > that becomes one of the most important pieces of a broadband network,
> > though.
> >
> > > Do you need a cheap VPN gateway solution without
> > > the thousands of dollars in licensing fees?
> >
> > Akshally, the low-end LinkSys and Sonicwall stuff do VPN
> > passthru and one-notch up they do VPN endpoint, without the licensing
> > that (say) Cisco or Watchguard would charge.
> >
>
> these days, the opportunity cost of building a LEAF system instead of
> buying an OTS unit for <$100 is getting to be arguable... I'd focus on
> flexibility rather than cheapness.
>
> --
> Jack Coates
> Monkeynoodle: A Scientific Venture...
>
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] New LEAF user Choose version FAQ

[Scott C. Best]

Lynn:
Heya; some quick feedback on your FAQ. Very qualitative
stuff, so take from it what you will. :)

> Also, should Seattle Firewall, ShoreWall, and OpenWall be covered
> in this FAQ? It wouldn't be a problem.

There's a fair parallel: choosing which firewall package
to use is similar to choosing what LEAF distro to use.

>  The LEAF (Linux Embedded Appliance Firewall) project are one of my
> favorite IT tools. Do you need a small Linux distribution that will
> scale down to a single floppy disk or is expandable to span several
> floppies, a flash disk, or a CD?

I think you're touting the distro's flexibility here, but
I think most Linux distro's can claim to run from a CD. The very
small media (floppy, DoC) is really more impressive.


> Do you want a STRONG home firewall
> that you can make from old spare parts or find laying out in the trash
> or a friends garage?

Well...it's not as if you build it from paint cans and nerf
footballs. :) It does turn the doorstop of an old PC into something
that becomes one of the most important pieces of a broadband network,
though.

> Do you need a cheap VPN gateway solution without
> the thousands of dollars in licensing fees?

Akshally, the low-end LinkSys and Sonicwall stuff do VPN
passthru and one-notch up they do VPN endpoint, without the licensing
that (say) Cisco or Watchguard would charge.

>  Some old versions of LEAF can run on a 386SX, but for the more recent
> versions/branches a 486DX33 with 16Meg's of RAM is suggested for a
> floppy versions (24 Meg's for the cdrom versions) for cable modem users
> and an old Pentium 133 with suggested 24Meg's of RAM should saturate a
> T1 WAN connection unless you running an encrypted VPN gateway.

That's a busy sentence. :) Content wise, the "old versions"
of LEAF were actually called LRP: LEAF didn't "start" until Eigerstein
really. Also, cable-modem users could fairly be called "cable/dsl modem
users". Lastly, the saturation capability is primarily a function of
whether the NIC is an ISA card or a PCI card, not so much the processor
speed. Any Pentium-1 class PCI-based machine with 24MB RAM could saturate
a T1, even with being a VPN endpoint.

> The
> coolest part is run on a write-protected floppy or a cdrom, if the
> machine is compromised, you can just restart it and it is back to the
> original setup...not even Cisco can guarantee that.

A very good point. However (based on recent experience), the
downside to a floppy system is the reliability: the disk will die after
a while, long before a HD would. So be careful of celebrating the
floppy part too much.


>  All parts are
> common PC hardware typically, so you can always find and buy hardware
> for it if something goes bad.

I'd say a system suitable for LEAF costs about $50 to $100.
You may want to spell it out: 486 66MHz, 16MB RAM, no HD, 2 ethernet
NICs...maybe even a URL to a good site for used stuff cheap.

> Another major difference between LEAF
> distributions and your regular Linux distributions is that LEAF is
> "embedded" Linux. This means that the system runs in a virtual disk in
> RAM, which is the fastest once booted, and safe from system crashes if
> they may occur because there is no data loss of the boot/configuration
> disk(s).

I'd move this to near the top of the description. It is
fundamental to how LEAF works, really, and describes why the system
is primarily constrained by RAM siz.

>  Dachstein
>

I'd point out here, or maybe above, that LEAF s primarily
used as a *masquerading* firewall, also called a NAT'ing firewall, or
a "firewall/router". it can be "just" a firewall too, sure, but
most people used it to masq. Also, I'd emphasize that Dachstien's
target user is the new-to-LEAF user, as it's optimized to get
working quickly by focusing 90-percent of the required configuration
into a single file: network.conf. It comes with no development tools,
but it packs all of the essential packages in: SSHd, VPN passthru,
DHCP client and server, DNS cache, a web-based monitor. Not sure what
you meant with "SSL". Lastly, the stock firewall is good, but it
requires a fair amount of TCP/IP know-how to customize, and it
tends to, IMO, log too many unimportant packet events which can
be disconcerting to a novice user.

>  Oxygen
>

Oxygen is definitely for those who want more than a Linux
network appliance, but rather want a box that doubles as a full
fledged Linux system, complete with development tools.

>  LRP-the Original
>

It's hard to know what to say about LRP. It's certainly
true that LEAF branched (pun!) out of LRP, in an effort to make
LRP systems more accessible and better supported. Dachstein is
really what Dave Cinege would have called an "idiot image" meaning,
"if your a Linux idiot (aka, new user), use this". Dave did some
great work to get LRP started, but he's not exactly known for
"playing well with others", and he ignored the contribu

Re: [Leaf-devel] cryptographically signed .LRPs

[Scott C. Best]

Thought I'd contribute my brief understanding of
package signing using openssl. I believe this package can
be customized on install so that it only provides the
tools you need. Package signing only needs (I believe) 4:
md5, rsautl, genrsa, and rsa.

First, you need the md5 hash of the package you're
going to distribute:

% openssl md5 package.lrp > package.md5

Then use an RSA or DSA private key to sign the hash
value. I'll use RSA here cuz the docs at www.openssl.org
refere to rsautl a lot more than dsautl:

% openssl rsautl -sign -in package.md5 -inkey priv.key -out package.sig

Note that 'rsautl' requires version 0.9.6 or above.
I'm pretty sure all of this is doable without it, but it'd
take more poking around to be sure.
Anyhow...the signature file is written to package.sig.
This presumes you have a RSA private key in the priv.key file.
To generate one, do this:

% openssl genrsa -rand /dev/random -out priv.key

That generates a private key into priv.key. To get the
public key you should distribute along with package.sig, do this:

% openssl rsa -in priv.key -out pub.key -pubout

Now you got package.sig and pub.key which you can send
out to anyone. The remote user verifies everything's cool with:

% openssl rsautl -in package.sig -verify -inkey pub.key -pubin


I think all the details are there. Hope this helps...

-Scott



> > And Jack Coats pointed out gpgv that might fit on a CD (283932 bytes),
> > to which Jeff Newmiller reminded all that gpg will take that much
> > ramdisk + RAM to run in...
> >
> > gpgv is the verification only part, and looking through the source code,
> > most of it is gpg "stubbed out" (to be as small as possible.)  From the
> > looks of it, it is pretty close to what you were describing:
> >
> > gnupg 1.0.6 (gpgv), stripped and upx'ed down to 113522 bytes
> >
> > That's still pretty big.  Or do you think that would be small enough?  I
> > don't
> > see any way to get a pgp-like app smaller than that.
>
> I'm not looking for something general purpose.  The code has to do one
> thing, and one thing only: Given a file, a signature, and a public key,
> verify the signature (and hence the file's) authenticity.  The public key
> and signature can be in a pre-defined format, if desired, although it might
> be nice to support varying key lengths.
>
> No pass-phrase encryptions of files, no complex code trying to keep secrets
> from other users of the system (that all belongs on the development side,
> when the package creator signs the package in the first place), no webs of
> trust, just a simple public-key signature verification.











___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping 0.3 ALPHA released

[Scott C. Best]

BTW...if anyone could compile this package for a
libc 2.0.x ES/Dachstein system, setting the DEFAULT in the
first line of the Makefile to the default internal interface
IP for ES/Dachstein (192.168.1.1, I think), I'd greatly
appreciate it!

-Scott


On Sat, 1 Dec 2001, Ray Olszewski wrote:

> For anyone who is interested, we just finished up the latest iteration of
> the "gatping" utility, a small program that rapid-fire pings a /24 network
> range, then list all the hosts that show up in the pinging host's arp table.
> It's a quick way of determining what machines are actually connected to a
> LAN at any moment.
>
> The program is still rough, which is why it has a low version number and the
> ALPHA label. It is also, by design, limited in scope -- it does just one
> thing, but it does that very fast, its size is small, and it needs only
> libc6. (People wanting a more general-purpose replacement for standard ping
> might want to consider fping or arping instead.)
>
> A complete tarfile of gatping -- binary (against glibc-2.1.x), source,
> License, Makefile, and notes -- can be picked up at URL
>
> ftp://ftp.echogent.com/gatping/gatping_0.3f.tgz
>
>
> --
> "Never tell me the odds!"---
> Ray Olszewski-- Han Solo
> Palo Alto, CA  [EMAIL PROTECTED]
> 
>
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] pfw.lrp v.0.94 - A Packet Firewall using ipchains

[Scott C. Best]

David:

Hey, thanks for the script idea. I'll try that:

> GLIBC_VERSION=$(basename /lib/libc-*.so .so)
> GLIBC_VERSION=${GLIBC_VERSION##*-}
>
> ...or better yet, follow that with:
>
> GLIBC_MAJOR_VERSION=${GLIBC_VERSION%%.?}


Regarding the GPL, you make a good point. Not only can
GPL'd code not be combined (and then released) with non-open code,
it can only be combined (and then released) with *any* other code
if that code itself inherits the GPL license. Many other "GPL
compatible" open-source licenses, such as the Sleepycat license,
don't specify *which* license the new source code must be released
under, only that it must be open-source.

Again...I'm playing fast & loose with the word "combine"
up there. The GPL FAQ (www.gnu.org/licenses/gpl-faq.html) dedicates
more than a few lines to "what is the difference between mere
aggregation and combinining two modules into one program",
addressing details as low-level as the means one portion invokes
the other (fork, exec, pipes, rpc) and the semantics of the
communication.
Which, I don't believe, has hit the courts yet. It's
a question of legality that will eventually be presented to
judge. And that'll be an interesting event...

-Scott


> > Here's how I keep them straight: there are basically
> > two things an open-source license speaks towards: can the code
> > be combined with non-open code; can modifications be taken
> > private into closed apps. The GPL says no to both. The LGPL
> > says yes to the first, no to the second. The BSD license says
> > yes to both.
> > Playing fast and loose here, but AFAIK that's a good
> > rule of thumb(s).
>
> Of course, there are MORE things than that.  One of the most important:
> GPL is "viral" in that any code that uses GPL-licensed code MUST be GPL
> licensed; BSD licenses don't have that.  The X Consortium caused quite a
> stir when they tried to take X into the commercial realm as a
> proprietary private product - which they could do under their license.
> Under a GPL license, they couldn't do that.
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] pfw.lrp v.0.94 - A Packet Firewall using ipchains

[Scott C. Best]

Matt:
Heya. Some quick comments inline:

> > Sounds good! I haven't checked echoWall on Oxygen yet,
> > so good going.
>
>   Thanks Scott, but they don't make it easy.  There's no /etc/version
> or convenient uname switch so a script can determine what OS it's
> running on.

Gah. I was wondering about that. The only thing preventing
echoWall from running on Oxygen is that it needs a different gatping
binary. Which we have, sure. Trick is to install the right one, either
when the package is first installed via "lrpkg -i" or when it detects
that it's being run for the first time. That I know I can detect. But
now I need to consider how to detect the glibc version...

> Well I wasn't sure what you were going to release.
> I took a look at your website and it seems like
> you're making good progress at echogent.com from the looks
> of things.

Heh. :) Our major release is on target for the end of the
year. It's a "personal VPN" application called Kaboodle. It's
designed to let average Internet users (ZDNet called them "the
clueless" in a recent article; Dave Cinege's sobriquet for them
was "idiots") create a peer-to-peer VPN connection without needing
to know anything about IP address, nevermind what their own is.
The intent is to allow any TCP/IP app to tunnel across that
connection, and so become point-to-point secure. Am starting with
VNC, a personal favorite.
It's a Windoze app, it's built in VC++, it's open source,
and I'm working on the sourceforge website in my spare time
(whatever that expression means, I cannot recall).

> >It's a BSD license, and gawd knows I learned most
> > of the basics from your rc.pf to begin with. :)
>
> Shucks.  I don't know much from licenses, though.
> That's my brothers side of the family.

Here's how I keep them straight: there are basically
two things an open-source license speaks towards: can the code
be combined with non-open code; can modifications be taken
private into closed apps. The GPL says no to both. The LGPL
says yes to the first, no to the second. The BSD license says
yes to both.
Playing fast and loose here, but AFAIK that's a good
rule of thumb(s).

> > Honestly I'm flattered that anyone's using it all besides me...
>
> I'm not.  You made it very well.  It's was cool of you to analyze
> all those inbound services and script them in the rules file.  That's
> looks like a neat hobby.  Have you announced if for any other os or
> just for LEAF users?  If you haven't, that's an awful lot of succinct
> data on inbound services to hide at LEAF.

Thanks! I should give it some more thought, perhaps release
a more conventional tarball with a more conventional INSTALL script.
Once I get the which-gatping-to-use issue settled, I should go
for this.

> > Quick question: when you start it up, does it blow
> > away what was there by default, or will there be conflict?
>
> Yes it runs a global flush and clobbers any of the good work
> that Charles runs by default.  Funny thing is, I always thought
> it was just called Dachstein, not Dachstein Firewall.  Once I ran
> it, though, I realized that Charles had gone past a general router,
> hardened it, and added a lot of nice touches like dnscache, and load
> balancing.  As I was near completion, I rolled it out for Dachstein,
> anyway.

The ram-disk log partition is my favorite. I've had to
reboot my ES2B router once a month because of the firewall log
filling the ramdisk...

> Got to code some Java now for a break.  Btw, do you have any idea
> why a Nessus scan of my firewall would say that port 0 is open to
> udp and tcp in the form a bonk attack?  I have those ports blocked
> the usual way, so I'm thinking they're spurious report items.

I didn't know there was a usual way to block those. That
is, I didn't think the stock ES2B firewall rules addresses the
non-standard port-0. I should check "ipchains -ln" the next time
I boot sans echoWall...

cheers,
Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] pfw.lrp v.0.94 - A Packet Firewall using ipchains

[Scott C. Best]

Matt:
Sounds good! I haven't checked echoWall on Oxygen yet,
so good going.
BTW, please *do* feel free to "plagiarize" from what
I wrote. It's a BSD license, and gawd knows I learned most
of the basics from your rc.pf to begin with. :) Honestly I'm
flattered that anyone's using it all besides me...

Quick question: when you start it up, does it blow
away what was there by default, or will there be conflict?

cheers,
Scott

On Wed, 14 Nov 2001, Matt Schalit wrote:

>
>   Packet Firewall  -  pfw
>Version 0.94
>
> New Package:  pfw.lrp
>
> I'm posting today about the first release I'm making available
> of my ipchains firewall, pfw.  It's based on an ipfwadm firewall
> that I wrote a couple of years ago, called rc.pf.
>
>  ftp://ftp.schalit.net/pub/Pfw/
>
> pfw is a simple shell script with a few other files
> containing functions and variables that starts an
> ipchains based, default DENY, set of firewall rules.
>
> It's meant for the following setup:
>
> internet --- LEAF --- hub/switch
>  eth0eth1 |  |  | |
>  lan computers
>
> where eth0 is a static ip or assigned by dhcp.
>
> pfw is Dachygen certified :-)
> (It runs on Dachstein and Oxygen out of the box)
>
> If you get pfw.lrp and load it onto your LEAF router during
> boot, it will install but not be running.  To get help, type
> pfw.  To run the Packet Firewall, type pfw start.
>
> There's no files to edit unless you want to enable inbound
> services.  If so, you can use lrcfg or acfg and edit the
> configuration file for optional services,   /usr/local/etc/popts
>
> Simply type 'pfw' at a command prompt for more help.
> Then give it a 'pfw start' to raise the firewall and
> give yourself all the standard outbound access you
> expect.
>
> Usage:  pfw 
>
> pfw is not as powerful as Echowall, in that it can not
> handle dmz's or complex inbound services as easily.  pfw was
> developed without analyzing Echowall so as to not plagiarize
> the work of others.  pfw requires one to spell out the exact
> rule for an inbound service, unlike Echowall's convenient labels,
> but hey, it runs on Dachygen, which was one of the main goals.
>
> Best regards and thanks to Jeff N. and Paul B.,
> Matthew Schalit
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] netmeeting.o module

[Scott C. Best]

Am CC'ing this to Jeff Pierce; am not sure if he's on
the leave-devel list or not. His post to the LEAF list (CC'd
below) got me thinking
Could you kernel-owners post a netmeeting.o module
for Dachstein and Oxygen? Jeff seems to have been able to
get Netmeeting to work, which is nothing to sneeze at. AFAIK,
Netmeeting uses H-323 for host calling, *along with* a buncha
other protocols which also embed IP address information in the
data payload (which breaks masq'ing...grrr).

Since this netmeeting.o module appears to address
all of them, it seems to me a worthwhile replacement for
the more limited ip_masq_h232 one.

Thoughts?

-Scott

--

Message: 2
Date: Thu, 08 Nov 2001 13:03:19 -0500
From: Jeff Pierce <[EMAIL PROTECTED]>
To: Blanton Lewis <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Subject: Re: [Leaf-user] netmeeting

I am using the following script on Eigerstien2 after starting module
netmeeting.o

#!/bin/sh
IPMASQADM=/usr/sbin/ipmasqadm

EXTERN_IP=`ip addr list label ppp0 |
grep inet |
sed '1!d'|
sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
echo Extern IP: $EXTERN_IP

$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 389 -R 192.168.2.205 389
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 522 -R 192.168.2.205 522
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 1503 -R 192.168.2.205 1503
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 1720 -R 192.168.2.205 1720
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 1731 -R 192.168.2.205 1731

I don't really want it running all of the time.
And this seems to work fine.

Also, goto:
http://support.microsoft.com/support/kb/ARTICLES/Q158/6/23.asp
It explains what is needed to get netmeeting through a firewall.

Now, I have a question, I use netmeeting.o for netmeeting from:
http://netmeetingmasq.sourceforge.net/
However I see mention of ip_masq_h323.o, what are the differences and
which is the better to use?




___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping with debugging symbols

[Scott C. Best]

Jacques Nilo wrote:
> 
> - Original Message -
> From: "arne @ loopback . org" <[EMAIL PROTECTED]>
> > I would go a step further. make a minimal busybox
> > only containing very few
> > applets(tar,msh as shell,mount,ls,cat,...)
> > And link it statically with
> > uClibc. This will result in a quite small binary and you don't need to
> > include a big libc...

> I do not [understand] the interest of doing that in
> an LRP distro. You will need libc
> and ld-linux libraries anyway so why not putting them in initrd.gz ?
> If you compile statically even with uClibc you would
> loose disk space at the end...

Oxygen development had busybox compiled with uClibc and this is very
useful, actually.  It permits the removal of glibc from root.lrp, which
means that glibc can be updated just by adding the appropriate glibc
package - with appropriate room, of course.

My thought, too, is that all packages EXCEPT root.lrp could be put on
the network on an FTP host or such like - and thus, not only could the
system be updated on the fly, but if you had multiple hosts they would
all have their sources updated at the same time, and so on.

>From a development standpoint, it is also nice because it shrinks
root.lrp down by about half, and also means that loading root.lrp goes
faster.

Only thing is, MY compiled busybox is contains dozens and dozens of
applications - not the minimalist version envisioned by Arne.

> > The Problem with your previous post is, that you can not load the
> > loadmod.lrp from the boot medium cause you need the modules
> > from there to access your boot medium.

> I do not understand that. If you need to mount a special driver to read
> your boot medium, obviously you cannot have either the original root.lrp
> nor my boomod.lrp package on this boot medium.

The bootable CDROM is a perfect example of this quandry.  Syslinux can
boot the CDROM, and load the Linux kernel, and so on - but the "floppy"
image is not accessible by Linux (only by syslinux).  So once the kernel
is loaded and running, all packages must come from the CDROM itself, not
from the bootable image.

> Well I guess we will have to move to glibc 2.1 or 2.2
> at some point. But we all know that will lead to
> a somewhat bigger LRP distro...

Oxygen is using glibc 2.1 on floppy in its development versions - and it
works well.  Converting to glibc 2.2 is a little scary - just how much
space would I lose THEN?

At least the upgrade is easy:

# rm libc6.lrp
# cp /tmp/new/libc6.lrp /mnt/floppy

:-)

___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping with debugging symbols

[Scott C. Best]

Jeff:

Akshally...no. :) Gatping wasn't released so much
as it was wrapped into the echowall distribution for the
purpose of brute-force updating the ARP cache. It doesn't
have much utility beyond that...which is NOT to say that
I wouldn't welcome any improvements that yield a version
compatable with Oxygen. :)

-Scott


On Wed, 31 Oct 2001, Jeff Newmiller wrote:

> On Wed, 31 Oct 2001, David Douthitt wrote:
>
> [...]
>
> > Breakpoint 1, send_ping (s=5, h=0x804ac58) at gatping.c:161
> > 161 buffer = ( char * ) malloc ( ( size_t ) ping_pkt_size )
> > ;
> > (gdb) n
> > 162 memset ( buffer, 0, ping_pkt_size * sizeof ( char ) )
> > ;
> > (gdb) p buffer
> > $1 = 0x804a398 "P\235\020@P\235\020@\020"
> > (gdb) n
> > 166 icp->icmp_type = ICMP_ECHO  ;
>
> This trace doesn't seem to show the whole story.  From the Scott's code:
>
> 157 buffer = ( char * ) malloc ( ( size_t ) ping_pkt_size ) ;
> 158 memset ( buffer, 0, ping_pkt_size * sizeof ( char ) )   ;
> 159 icp = ( struct icmp * ) buffer  ;
>
> To my way of thinking, this code shows poor programming practice.  It
> should look something like:
>
> 157   icp = ( struct icmp * )
> calloc ( 1
>, ( size_t ) ( sizeof( struct icmp )
>   + sizeof( PING_DATA ) ) );
>
> The ping_pkt_size value is initialized in main, using an uninitialized
> value for ping_data_size.  The buffer size of 8 is too small, and the icp
> (well, pdp) initialization code is overwriting memory beyond the buffer.
>
> Yecch.  This was released?
>
> ---
> Jeff NewmillerThe .   .  Go Live...
> DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
>   Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
> /Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
> ---
>
>
>
>
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping with debugging symbols

[Scott C. Best]

Matt:

Perhaps David's using the patched version he posted
to the list last week?

-Scott

> Ok.  I don't think I can help much.  I don't have the right
> gatping.c apparently.  I just used the one Scott sent.
> Matt



___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Echowall on Oxygen needs ipmasqadm and ipfwd

[Scott C. Best]

David:

Not ipfwadm, but ipfwd. Different beast; it's used
to forward other IP protocols besdies just 6 (tcp) and 17
(udp). So it's needed for IPSec and PPTP forwarding...

-Scott

On Tue, 30 Oct 2001, David Douthitt wrote:

> Matthew Schalit wrote:
>
> > I found ipmasqadm, but not ipfwd.
> > I couldn't even find ipfwadm as a
> > .lrp package any more.  If I had
> > that, I could continue running rc.pf,
> > and not have to deploy echowall or
> > seawall.
>
> I thought with Linux 2.2 ipfwadm was no longer used, and instead
> ipchains was used.  Thus ipfwadm is gone and replaced by ipchain.


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Echowall on Oxygen needs ipmasqadm and ipfwd

[Scott C. Best]

Matt:
I *doubt* this will work, but have you tried
lifting the ipfwd utility from an ES2B disk, and see if
it just happens to work on a Oxygen disk?
I was surprised myself when I found ipfwd on
ES2B by default.

You can find its source here:

http://www.cag.lcs.mit.edu/~cananian/Projects/IPfwd/release/

-Scott

On Fri, 26 Oct 2001, Matthew Schalit wrote:

> Matthew Schalit wrote:
> >
> > I guess I need ipmasqadm and ipfwd for Echowall
> > to work on Oxygen, but I can't find them in
> > .lrp format.  Are they compiled, David?
> >
> > Thanks,
> > Matt
>
>
> I found ipmasqadm, but not ipfwd.
> I couldn't even find ipfwadm as a
> .lrp package any more.  If I had
> that, I could continue running rc.pf,
> and not have to deploy echowall or
> seawall.
>
> Thanks,
> Matt
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping segfault in Oxygen

[Scott C. Best]

David:

Great, thanks! I'll update the package on my ftp
site.
BTW, have you been able to build the patched code
on a glibc2.0 system? I used to use c0wz for my building,
but can't now with Rick's situation...

-Scott

On Thu, 25 Oct 2001, David Douthitt wrote:

> "Scott C. Best" wrote:
>
> > Heya. Actually, yea, gatping is a play on Gatling. :)
> > It essentially sends out 256 minimum-sized icmp echo requests,
> > ignoring the responses, so as to get a freshened-up ARP
> > table.
>
> In compiling gatping (0.2), I get lots of interesting things :-/
>
> # make
> gcc -s -O2 -Wall -o gatping gatping.c
> gatping.c: In function `main':
> gatping.c:106: warning: unused variable `buf'
> gatping.c:104: warning: unused variable `j'
> gatping.c:104: warning: unused variable `i'
> gatping.c:143: warning: control reaches end of non-void function
> gatping.c: In function `send_ping':
> gatping.c:183: warning: control reaches end of non-void function
> gatping.c: In function `make_target_list':
> gatping.c:217: warning: implicit declaration of function `inet_aton'
> gatping.c:218: warning: implicit declaration of function `inet_ntoa'
> gatping.c:218: warning: assignment makes pointer from integer without a
> cast
> gatping.c:192: warning: unused variable `j'
> gatping.c:191: warning: unused variable `buflen'
> gatping.c:236: warning: control reaches end of non-void function
> gatping.c: In function `search_arp':
> gatping.c:248: warning: unused variable `testbuf'
> gatping.c:246: warning: unused variable `m'
> gatping.c:246: warning: unused variable `k'
> gatping.c:246: warning: unused variable `j'
> gatping.c:246: warning: unused variable `i'
> gatping.c:288: warning: control reaches end of non-void function
> gatping.c: In function `in_cksum':
> gatping.c:295: warning: unused variable `answer'
> gatping.c:307: warning: control reaches end of non-void function
>
> I created a patch to fix most of them; it is attached.  I also created a
> minimal Makefile to allow a make.
>
> I've also created a lrp/* directory for gatping (but not Echoware)..
>
> I've also created a gatping package - also included.


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping segfault in Oxygen

[Scott C. Best]

David:
Heya. Actually, yea, gatping is a play on Gatling. :)
It essentially sends out 256 minimum-sized icmp echo requests,
ignoring the responses, so as to get a freshened-up ARP
table. I emailed the source tarball out to the list a
couple of days ago; it's also availble on ftp.echogent.com
in the EchoWare directory.

cheers,
Scott

On Thu, 25 Oct 2001, David Douthitt wrote:

> Matthew Schalit wrote:
>
> > Not so big a deal as that, David, but still,
> > gatping was compiled against 2.0.7.
>
> Shouldn't matter.  glibc 2.0.7 binaries run against glibc 2.1.3 all the
> time.
>
> > Could you compile if for me agains 2.1.3?
>
> Sure.  Where do I find it?
>
> Is it related to Gatling Guns?  :-)
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping segfault in Oxygen

[Scott C. Best]

Matt:

Heya. I just used "gcc -o gatping gatping.c". Didn't
seem to warrant a Makefile. :)

-Scott

On Tue, 23 Oct 2001, Matthew Schalit wrote:

> "Scott C. Best" wrote:
> >
> > Matt:
> >
> > Heya. Source code attached. If you could send
> > back to me a compiled working versionI'd be thankin
> > ya. :)
> > BTW, yes, echoWall has gatping built for ES2B
> > only, glibc-2.0 (I believe).
> >
> > -Scott
>
> Hi Scott,
> Thanks I got the archive.  It has
>
>gatping
>gatping.c
>
> in it.  I don't have the setup to compile it,
> though.  Do you?  How was the gatping in the
> archive you sent compiled?
>
> Thanks,
> Matt
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] gatping segfault in Oxygen

[Scott C. Best]

Matt:

Heya. Source code attached. If you could send
back to me a compiled working versionI'd be thankin
ya. :)
BTW, yes, echoWall has gatping built for ES2B
only, glibc-2.0 (I believe).

-Scott

On Tue, 23 Oct 2001, Matthew Schalit wrote:

>
> Is there a way to code around gatping?
> It's stopping me from deploying echowall.
> If someone has a few minutes, make me debug
> version of gatping I can run through gdb.
> As usual, mine has no symbols.
>
> It's probably a library mismatch.  I did
> an ldd and it it found the three libs.  I
> forget which.  Sorry it's not booted.  I think
> this latest Oxygen uses glibc-2.1.3 or something.
>
> Thanks,
> Matt
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>

 gatping2.tgz

Re: [Leaf-devel] Framebuffer & vnc

[Scott C. Best]

David:
Point taken about Xvnc. But I was thinking more along the
lines of redoing vncserver so that it wasn't a nice interface to
Xvnc, but rather was a nice interface to sshd or telnetd.

A VNC viewer/server uses the RFB protocol, so really
the idea is to create an RFB-to-ssh or RFB-to-telnet interpreter.
The benefit to supporting the RFB service is that you can now use
any VNC viewer as, effectively, an ssh/telnet client.

I still think it's groovy. Though I won't put aside
my MindTerm stuff just yet. :)

-Scott

On Wed, 26 Sep 2001, David Douthitt wrote:

> "Scott C. Best" wrote:
> >
> > Hmmm. I think I see the idea: a lotta folks use VNC
> > as their remote-admin tool of choice, as it's OS independant.
> > To that end, it'd be interesting to port a VNC server for use
> > in LEAF. Unlike other VNC servers, though, it wouldn't be very
> > graphical at all, rather it's just present a VT100/xterm'ish
> > interface like SSH does.
> > Then the same remote VNC viewer could be used to
> > connect with a Win2k box, a Mac, and the LEAF router which
> > gateways them to the Internet. Groovy. I wonder how lean it
> > can be built?
>
> As I look at it here, vncserver is just a Perl program to provide a nice
> interface to Xvnc.
>
> Xvnc requires libm and libdl, and is 1.3M in size uncompressed and
> stripped.
>
> Sounds doable, as long as you have lots of memory and lots of disk
> space.
>
> However, I'd question the usefulness of an X server running on a LEAF
> router for admin purposes.  Running X (Xvnc is just a Xserver with all
> of the display stuff ripped out in favor of a network connection) -
> Running X means that you'd have Xclients added in - which means lots of
> X libraries, and all new binaries, such as rxvt, et al.
>
> I agree with Jeff - ssh works fine.
>
> If you want graphical administration, run a Xclient on the LEAF system
> and display on a X server elsewhere.  You could even, if you wanted, run
> a vnc client on the LEAF box, displaying a remote display, where your
> graphical administration tools run on the LEAF system are displaying.
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

RE: [Leaf-devel] Framebuffer & vnc

[Scott C. Best]

Hmmm. I think I see the idea: a lotta folks use VNC
as their remote-admin tool of choice, as it's OS independant.
To that end, it'd be interesting to port a VNC server for use
in LEAF. Unlike other VNC servers, though, it wouldn't be very
graphical at all, rather it's just present a VT100/xterm'ish
interface like SSH does.
Then the same remote VNC viewer could be used to
connect with a Win2k box, a Mac, and the LEAF router which
gateways them to the Internet. Groovy. I wonder how lean it
can be built?

-Scott


On Wed, 26 Sep 2001, Jeff Newmiller wrote:

> On Wed, 26 Sep 2001, Luis.F.Correia wrote:
>
> >
> > Let me explain it better:
> >
> > A router/firewall LEAF box running a framebuffer-enabled kernel,
> > has a vncserver that we as admins could connect to using a very
> > normal vncviewer with any platform to perform our remote
> > administration.
> >
> > Is this possible, or the overhead is huge and sshd is better?
>
> Isn't a framebuffer used for graphics modes? What LEAF runs a windowing
> environment? If one did, why would it do so?
>
> Sshd is quite effective.
>
> >
> >
> >
> > -Original Message-
> > From: David Douthitt [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 26, 2001 2:55 PM
> > To: LEAF Devel
> > Subject: Re: [Leaf-devel] Framebuffer & vnc
> >
> >
> > "Luis.F.Correia" wrote:
> >
> > > I read some time ago, that someone was triyng to make a
> > > Framebuffer & vnc combination for remote administration.
> > >
> > > Is there something that I can test?
> > >
> > > The kernel, distro does not mind, I just want to see the results
> >
> > I created a vnc client package which uses SVGAlib, not Frame Buffers.  I
> > don't know if this is relevant to what you want to do, but I thought I'd
> > mention it.
> >
> > ___
> > Leaf-devel mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-devel
> >
> > ___
> > Leaf-devel mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-devel
> >
>
> ---
> Jeff NewmillerThe .   .  Go Live...
> DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
>   Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
> /Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
> ---
>
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>



___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] ipchains redirect

[Scott C. Best]

Charles:

Ah...I get it now, sure. Some vendors, I think LinkSys
is one, call this "DMZ mode" where everything not explicitely
directed somewhere is sent, by default, to a "DMZ host". Not
sure if that host is masq'd or proxy-arp'd though, in those
implementations.

I wonder, though, what this would do as a last
port-forward rule:

ipmasqadm autofw -A -r tcp 1 65536 -h $DMZ_HOST

Am not sure if autofw is parsed serially until
a match is found, like ipchains does things.

-Scott


On Tue, 25 Sep 2001, Charles Steinkuehler wrote:

> > > I haven't played with this much, but one of the things on the list of
> stuff
> > > to "play with one of these days" is using redirect to provide for an
> > > 'internal server' machine, similar to the way the low-end firewall boxes
> do.
> > > I *think* this would work properly for everything from game servers to
> VPN
> > > access, although security in such a situation isn't the greatest
> (although
> > > it's not too bad if combined with port-forwarded DMZ rules).
> >
> > Not sure I follow: would you use redir instead of
> > portfw rules? Or do you see it being used on the internal
> > interface's input chain?
>
> No, the redirects go on the external interface input rules.
>
> The basic idea is to mimic the functionality of the firewall 'bricks'
> available from Linksys, D-Link, Netgear, &c that provide for a single
> internal "server" IP.  Basically, any inbound packets that are not either
> destined for local services or existing masqueraded connections, get
> forwarded (redirected) to an internal system.  I *think* this can be used
> like a partial static-NAT, essentially splitting the single available IP
> between several systems.
>
> The fundamental difference between doing this with a redirect and using
> port-forwards, is the flexability of IPChains.  I think the redirect rule
> could send anything not dealt with by previous rules to a remote system
> (even non-TCP/UDP traffic), providing a 'catch-all' port-forwarding I don't
> think it's possible to implement with portfw.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>



___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] ipchains redirect

[Scott C. Best]

David:
Yeah, a transparent web-proxy or web-cache gets handled
pretty nicely by this. If the proxy could http forward you could
even redirect the packets to an external, remote proxy.
That'd be useful for apps which used a LEAF router to
gateway a wireless-LAN into wide-area access, where you want to
restrict user access, requiring them to "login" on a remote https
server before access is granted. So when a new DHCP lease is
granted, you tie-in a hook to insert a REDIRECT rule for that
IP-address. The proxy gets it, and passes it along.

Time to read-up on LEAF proxies...

-Scott


On Mon, 24 Sep 2001, David Douthitt wrote:

> "Scott C. Best" wrote:
>
> > Heyaz. Saw this on security-basics this AM. Never
> > saw it mentioned on LRP/LEAF before; anyone ever try it?
> > Alternatively, is "IP Transparent Proxy" enabled in any
> > LEAF kernels? Seems terribly powerful to me.
>
> I've done this before, I think; it can be nice, especially for things
> such as web cache.  However, for a router with no hard disk it isn't all
> that useful.
>
> The basic idea is that ALL web traffic going out is passed through the
> proxy itself; helps if you want to add a web cache but don't want any
> client reconfiguration to be needed.  Its also good for proxies such as
> JunkBuster or filtering proxies.
>
> > -- Forwarded message --
> >
> > Date: Wed, 19 Sep 2001 20:19:19 +0200 (CEST)
> > From: Bosko Radivojevic <[EMAIL PROTECTED]>
> > To: Daniel Chojecki <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: ipchains, ipmasqadm
> >
> > On Tue, 18 Sep 2001, Daniel Chojecki wrote:
> >
> > > Is it posible to redirect all traffic comming for 0.0/0 80 to local
> > > squid proxy using ipchains and ipmasqadm.
> >
> > Using ipchains - yes. I'm not sure for ipmasqadm (I've never used it)
> >
> > I'm using those lines for that. Of course, you have to enable 'IP
> > Transparent Proxy' in your kernel.
> >
> > ipchains -A input -p TCP -d YOUR_IP/32 www -j ACCEPT (in case you have
> > your own web server)
> > ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
>





___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] ipchains redirect

[Scott C. Best]

Leaf'rs:

Heyaz. Saw this on security-basics this AM. Never
saw it mentioned on LRP/LEAF before; anyone ever try it?
Alternatively, is "IP Transparent Proxy" enabled in any
LEAF kernels? Seems terribly powerful to me.
TIA!

-Scott

-- Forwarded message --

Date: Wed, 19 Sep 2001 20:19:19 +0200 (CEST)
From: Bosko Radivojevic <[EMAIL PROTECTED]>
To: Daniel Chojecki <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: ipchains, ipmasqadm

On Tue, 18 Sep 2001, Daniel Chojecki wrote:

> Is it posible to redirect all traffic comming for 0.0/0 80 to local
> squid proxy using ipchains and ipmasqadm.

Using ipchains - yes. I'm not sure for ipmasqadm (I've never used it)

I'm using those lines for that. Of course, you have to enable 'IP
Transparent Proxy' in your kernel.

ipchains -A input -p TCP -d YOUR_IP/32 www -j ACCEPT (in case you have
your own web server)
ipchains -A input -p TCP -d 0/0 www -j REDIRECT 8080

> Conf:
> 2.2.19
> ipchains

It works for me: 2.2.18 & ipchains 1.3.9, 17-Mar-1999

Greetings





___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Is this a CodeRed scan?

[Scott C. Best]

Luis:
Heya. I think the page you're asking about is this one:

www.echogent.com/cgi-bin/fwlog.pl

I sent Mike the code to get that running on the LEAF site,
I suspect he's been way too busy though. Also, you may want to
visit SecurityFocus.com. Tina Bird has started a new email list
all about log analysis:

[EMAIL PROTECTED]

Regarding the packets your seeingif you're seeing
3 attempts in a row, from the same IP source, then it's likely
CodeRed. That's its signature. If you're seeing different ports
probed from the same IP source, I'd suspect Nimda. Hard to
say without seeing the data payload, of course.
Though...if you're running Apache anywhere on your
LAN, it's much easier to tell. The error.log file would be
filled with:

[Thu Sep 20 23:28:15 2001] [error] [client 193.13.81.201] File does not
exist: /home/www/http_docroot/default.ida

The "default.ida" is a CodeRed certainty. I got tons of
those on my server.

cheers,
Scott


On Fri, 21 Sep 2001, Luis.F.Correia wrote:

>
> Last night, while browsing around I started to get entries
>  like this on my logs.
>
> I'm using an ES2B modified version (PPP)
>
> Is this a CodeRed scan?
>
> Sorry that it is not properly formatted.
>
> Also I lost the link to that page on where we could put lines
> like this to get extra info. Could someone post it again? Thanks!
>
> -
>
>
> Sep 20 23:28:15 porteiro kernel: Packet log: input DENY ppp0 PROTO=6
> 193.13.81.201:1201 193.126.171.3:80 L=48 S=0x00 I=46155 F=0x4000 T=112 SYN
> (#37)


___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] YATALWI

[Scott C. Best]

Etienne:

Heya. Over the last year, I pitched my company's
'echoWare' solution to a number of OEMs, including heavy-iron
OEMS, SOHO-router OEMs, and garage-mode last-mile broadband
wireless gateway startups. Everyone I've spoke with agrees
it's a strong model for the future, but faces an enormous
"adoption" problem: a Fortune-500 OEM simply *cannot* put
anything into the box unless it's an industry standard. Put
another way...even if a sh!tty, insecure, bloatware protocol
becomes an industry standard, they don't just feel compelled
to support it, they are *proud* to support it. It can be very
frustrating: talk to them about a novel, lean, SSH-based
remote-management architecture, and they ask for SNMP, UPnP,
Passport, or 802.1X.
Not that this surprises me. :) But the doubly
frustrating part is that this resistance affects my ability
to raise funds to support a development staff to actually
release some code that could, who knows, someday actually
become pervasive. Perhaps it's a Peter-principle of mass
market products: they are forced into this awful state of
standardized mediocrity.



Anyhow.
The idea behind echoWare is that you run an SSH
service on the machine you want to administer, and exchange
simple ascii directives to that machine to affect its
configuration. You can make these directives as machine
friendly as you want: importantly, the actual *user
interfaces* is "filtered" by a remote web-server. So, the
end user connects to this website, and that server opens an
SSH connection back to the end-user's gateway, pulling out
ascii config info, and turning it into an HTML picture. Only
takes a second or two in our demo. End-user can now point
and click to make configuration changes, which go "up" to
the server over SSL, and back "down" to the gateway over
SSH.
The primary benefit is the "cost" of the software.
The gateway only needs to run an SSH daemon (which usually
comes from free), and an ascii parser, which bash and sudo
handle well enough. Might be worthwhile to customize the
shell, too, so that only a limited set of commands is
available to the ASP server. Given this...you can load up
all the "heavy lifting" (graphics, os-specific ifdef's,
etc) on the server, which has the CPU, memory, and storage
to spare.

Anyhow, we call it echoWare here, and someday it'll
actually move beyond the demo phase: I'm hoping to attach
EchoWall 2.0 to this service. So instead of editing the
echowall.conf file by hand, you'd connect to a website, tell
it what services to enable, and it sends the sed commands
into the box, and updates the echowall.rules file if needed.
Very visual for the end-user, but very ascii for the gateway.

Anyhow...hope this helps, somehow. Got something
of a demo running if you'd like to kick the tires around.
Got another meeting this week with a major vendor to talk
about it some more. :)

cheers,
Scott


On Sun, 16 Sep 2001, Etienne Charlier wrote:

> Hi,
>
> Since last year ( when I discovered LRP), I think that there was at least
> 3 or 4 threads about a web interface to a LEAF derivative.
>
> I would like to start a brainstorming on the feasability/usefullness of
> a Web interface for the LEAF project.
>
> what people think about
>
> - usefullness
> - would it be secure enough
> - technologies to use ( scripting languages ,..)
> - is there some exsiting project that could be reused ( I've heard about
> Webmin)
> - other secrets wishes that you have about LRP/LEAF
>
> happy brainstorming
> Etienne Charlier
>
>
> - Original Message -
> From: "Eric Wolzak" <[EMAIL PROTECTED]>
> To: "Etienne Charlier" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Sunday, September 16, 2001 10:37 PM
> Subject: Re: [Leaf-user] thttpd CGI Forms for administrating Firewall
> through browser
>
>
> > Hi Etienne,  Sandro and the rest of the list
> > >
> > > I'd be happy to contribute to a web interface for LEAF
> > > > If there are more people interested, we could join our efforts :=)
> > > Here are some ideas
> > >
> > > First of all, the combinaison LRP/Kernel 2.4/Shorewall is not yet very
> > > common in
> > > the LRP world and I can understand the lack of feedback Eric got about
> his
> > > web interface.
> > I think you ve got a point there.
> > >
> > > I think that allowing editing existing files through the web interface
> is a
> > > lot of work
> > > with a very small ROI, an applet java allowing ssh access could do the
> job
> > >
> > This is what i normally use myself, but I thought that there is some
> > interest to do it with a webinterface. ( a "concurrent product"
> > fli4l.de" uses a windows programm as a frontend)
> > > IMHO, What we need is a higher level interface ( Like seawall, you have
> a
> > > few
> > > simple configuration files and a lot of work done with the data in those
> > > files)
> > That was exactly what I liked about shorewall
> >
> > > I think we could design the web interface as an editor modifying a big
> f

Re: [Leaf-devel] Interesting potential LEAF application

[Scott C. Best]

A further problem that this solution fails to address
is that the Access-Point itself is allowing a rogue user to
associate *at all*. Sure, the firewall may prevent the user
from connecting to the Internet, but it doesn't prevent them
for sitting by passively and sniffing for MAC/IP address
pairs that are valid. Combine that with Airsnort or WEPCrack
(both on Soureforge) and that WLAN could be in trouble.

Most of the know-it-mosts I've seen on the isp-wireless
list insist that authentication in the access-point itself 
(usually RADIUS) cannot be worked around. That combined with
all LAN members using a VPN client with a SecureID card is
about the only thing agreed as secure.

cheers,
Scott

On Sun, 2 Sep 2001, Ray Olszewski wrote:

> At 03:30 AM 9/2/01 -0400, George Metz wrote:
> >Hey guys,
> >
> >For those of you that saw and skipped, or don't read Slashdot, check out
> >the following:
> >
> >http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/index.html
> >
> >It's actually a pretty ingenious solution to the wired encryption setup. I
> >don't see any mention of actual VPN/Encryption for traffic from the
> >wireless device to the firewall, though, so I wonder if you could still
> >sniff data. It mostly seems geared towards preventing unauthorized usage
> >of netaccess, rather than denying information access.
> >
> >Any thoughts?
> 
> I've seen several variants on this idea over the paast 6 months (even worked
> on a related prototype project, for a client that ended up not seeing any
> moneymaking opportunity with it ... at least I think that's why the project
> never went ahead). This White Paper covers most of the basics. 
> 
> You can improve security a bit by checking the arp table regularly (every
> minute or so) to make sure the (claimed) arp address of the system using an
> IP address has not changed. This forces an attacket to use link-level
> spoofing, not IP-level spoofing.
> 
> You can further improve security by using some sort of active tool in the
> client ... say something able to authenticate itself using client
> Certificates. This makes spoofing very tough, perhaps impossible (if the
> Cert uses a safe key length).
> 
> Even a system with these added features isn't foolproof, but it does limit
> breakins to a higher class of fool.
> 
> Bottom line -- as far as I've been able to figure out, wireless cannot be
> completely secure without using high-quality link-level encryption. Without
> it, the vulnerabilities are akin to those that you get if you leave a LAN
> port on a hub unprotected (that is, in a location where a stranger can plug
> in a workstation). 



___
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Have you guys seen this?

[Scott C. Best]

Luis:

Yikes. I wonder what sort of "proprietary functionality"
VA will be adding to SF that'd they'll start charging for?

-Scott

On Fri, 24 Aug 2001, Luis.F.Correia wrote:

> http://www.theregister.co.uk/content/4/21253.html
> 
> Luis Correia
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Updated packages

[Scott C. Best]

David:

Heya. Quick question: what did arpwatch come in at?
I understood it depended on libpcap, which was like 90kB. Or,
is that lib already in Oxygen?

thanks,
Scott

On Mon, 6 Aug 2001, David Douthitt wrote:

> Some new or updated packages are now available at
> http://leaf.sourceforge.net/pub/oxygen/packages/ :
> 
> rain.lrp  -- a packet injector tool
> cold.lrp  -- a packet analyzer
> nmap.lrp  -- a port scanning security tool
> arpwatch.lrp  -- a program to watch for changes in ARP addresses
> scanssh.lrp   -- look for versions of SSH running on other servers
> tcpflow.lrp   -- watch TCP network "flows"
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Lost disk space problem resolved

[Scott C. Best]

Andrew:

Heya. I've got some time in the next 2 weeks, and
I thought I'd finally tackle the iptables/netfilter add-on
to echoWall. Your post motivates me to ask: where's the
latest/greatest 2.4.x LEAF disk image I should use as a
qualification platform?

Thanks!

-Scott

On Fri, 27 Jul 2001, Andrew Hoying wrote:

> Hello,
> 
> For those of you who are interested, I believe I found out why I was losing
> disk space on my /var/log partition. It turns out that there was a bug in
> the grsecurity patch that I use on my kernels that caused this. I'm building
> a new 2.4.7 kernel with the newest grsecurity patch which corrects this
> issue.
> 
> Andrew Hoying
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Wireless PPP -> was NoCat.net

[Scott C. Best]

David:

Hee. It's a fair question: the 2.4GHz band isn't
unlicensed because the FCC was feeling generous. It's
unlicensed cuz it's filled with microwave (as in food
and as in non-terrestrial) garbage.

People talk about having a "Bluetooth enabled
ear-piece for the cell-phone", seem to skip the fact
that some skeptics *may* not want to put a little oven 
in their ear. Cell-phones, at 2.3GHz, don't absorb into
water nearly as well as a 2.4GHz transmitter does.

-Scott

On Thu, 26 Jul 2001, David Douthitt wrote:

> Mike Sensney wrote:
> 
> > The 2.4 GHz radios use 50 ohm cable. You can use the RG 58 cable that tends
> > to be readily available. You will loose about 3Db, or half your power, for
> > every 16 feet of cable. A lot of the RG 58 cable on the market has poor UV
> > protection so that can be a problem in direct sun. If you need a better
> > cable the LMR series seems to be popular with the wISP crowd.
> 
> As a ham operator myself, I've a question for you wireless wizards. 
> I've heard that newer cell phones operate somewhere in 2GHz, and now you
> mention this.
> 
> Seems to me I remember that standing next to a 1+ GHz antenna is likely
> to have SERIOUS consequences... like burning a hole in your head ;-)
> 
> Or was that 12GHz?
> 
> You all can probably tell I don't do any work in the GHz bands :-)
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] NoCat Net

[Scott C. Best]

Mike:

Heya. You may want to look into this project, if
you haven't already. They've built a floppy-based firewall 
called WRP to support their 802.11 hotspot community
network:

http://nocat.net/download/wrp.img

I'm willing to be we could talk to them about
building on the LEAF platform instead. Lets them focus on
the whole system rather than on the firewall.

cheers,
Scott

> From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Wed, 25 Jul 2001 09:06:08 -0500
> Subject: [Leaf-user] Wireless link
> Reply-To: [EMAIL PROTECTED]
> 
> Someone sent me this link, related to wireless networking.  Thought it might
> interest a few folks on the list...
> 
> http://nocat.net/
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Going to glibc-2.1 (or glibc 2.2)

[Scott C. Best]

David:

Just wanted to add uLibC as an option too for
ES3/Dachstein. :)

IMHO, picking one seems, in a way, like more work 
than "simply" re-compiling the packages.

-Scott

On Fri, 20 Jul 2001, David Douthitt wrote:

> This is interesting...
> 
> I've not heard whether Eigerstein is going to go to a new glibc (2.1 or
> 2.2).  glibc 2.0 is obsolete, and 2.1 is already deprecated and
> obsolete.
> 
> As a packager, I'm not interested in trying to shoehorn a glibc-2.2
> binary into a glibc 2.0 system, especially when the program wasn't
> designed to compile under glibc 2.0.
> 
> These days, my compiles (for packages) go like this:
> 
> 1. Compile against glibc 2.0
> 2. If errors encountered, compile against glibc 2.1
> 
> There's just not enough time in the day to haggle over every little
> error...
> 
> Here are my questions (direct and to the point :-)
> 
> 1. Is Eigerstein (or Dachstein) going to upgrade to a new version of
> glibc?
> 2. Is LRP likely to upgrade to a new version of glibc?
> 3. What is your opinion: is compiling against glibc 2.0 worth the
> trouble?  Or should everyone migrate their packages to glibc 2.1 or 2.2?
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Licensing (specifically, djb)

[Scott C. Best]

David:  

Ug. DJB is a bright guy, and I'm a big fan of qmail,
but...he's apparently at war with RedHat (and other major
distro's) who I guess have slighted him by not incorporating
his stuff into their releases under his terms.
From what I could pull out of his FAQ page for
"distributors", I do not believe that tcpserver and tcprules 
can be re-packaged into a .LRP and re-released. Quoting:

  "All installations must work the same way; any variation is a 
  bug. If there's something about a system (compiler, libraries, 
  kernel, hardware, whatever) that changes the behavior of my 
  package, then that platform is not supported, and you are not 
  permitted to distribute binaries for it."

Again, he writes good stuff. But he seems to be looking
for a fight, and I'm not willing to sign LEAF up for one.

-Scott


On Tue, 17 Jul 2001, David Douthitt wrote:

> With the addition of tcpserver and tcprules to the ever growing list of
> packages, I went and looked at their licensing (always of interest).  I
> was dismayed to find out it was under the same licensing as the other
> djb tools (I didn't realize that these were one of them).
> 
> According to his page http://cr.yp.to/distributors.html the licenses to
> distribute daemontools and ucspi-tcp expires on December 31, 2001 - so
> after that date we can no longer distribute the packages or programs
> from them.
> 
> He also quotes Red Hat's Bernard Rosenkraenzer as saying (on April 16,
> 2001): "qmail and djbdns are not open source, so we aren't going to ship
> them unless the license changes."
> 
> I'm not comfortable with his license, and I don't expect that any of
> these tools are contained in Debian either, what I consider to be the
> purest of "OpenSource" Linux distributions on the planet.
> 
> Thoughts from you all?  Jacques?  Andrew?
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] bridge filter patch

[Scott C. Best]

David:
Ah, perfect: bridge.sourceforge.net. Thanks! Just
so I read you right: Oxygen has the bridge utils installed
or not?

-Scott


-Scott

> "Scott C. Best" wrote:
> > 
> > Heyaz. Anyone ever build a LEAF/LRP kernel with this
> > patch:
> > 
> > http://ac2i.tzo.com/bridge_filter/
> > 
> > Am noodling on a "zero insertion cost" filter based
> > on LEAF:
> > 
> > old:LAN <=> LAN's Gateway
> > 
> > new:LAN <=> New Filter Box <=> LAN's Gateway
> > 
> > I think if setup specifically to bridge, I won't
> > have to proxy-arp. And AFIAK bridging removes ipchains'
> > ability to filter the packets. Hence the question about the
> > patch.
> 
> Couple of times :-)
> 
> The patch you referred to is obsolete; there is a new set of bridge
> utilities and a new bridge-firewall patch.  The new utilities are also
> being converted to work with 2.4; as I understand it the utilities are
> done but the iptables/bridge-firewall patch is experimental.
> 
> The bridgex utilities as done by Materhorn's Matthew Grant are obsolete;
> now the utilities are being mantained by Lennert Buytenhek
> ([EMAIL PROTECTED]).
> 
> The info is at bridge.sourceforge.net; the current Oxygen development
> image is set up as a bridge with a bridging 2.2 kernel with firewall
> patches.  I haven't excersized the bridge or the bridge firewall, but
> the kernel works just fine (2.2.19).
> 
> However, the bridge utils would not compile for glibc 2.0.7.  No doubt
> Matt's old bridgex would, but I haven't used that; the current bridge
> utils I've packaged up and put into a *.lrp on the current Oxygen devel.
> image.
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] bridge filter patch

[Scott C. Best]

Heyaz. Anyone ever build a LEAF/LRP kernel with this
patch:

http://ac2i.tzo.com/bridge_filter/

Am noodling on a "zero insertion cost" filter based
on LEAF:

old:LAN <=> LAN's Gateway

new:LAN <=> New Filter Box <=> LAN's Gateway

I think if setup specifically to bridge, I won't
have to proxy-arp. And AFIAK bridging removes ipchains'
ability to filter the packets. Hence the question about the
patch.
Thanks!

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] vncviewer

[Scott C. Best]

David:
Very cool. I got VNC all over the place; hard to
live without it now. Always used it behind my LEAF box,
though, never on it.
Good going, though. :)

-Scott


On Mon, 25 Jun 2001, David Douthitt wrote:

> I recently got the vncviewer application put up into a package; I
> can't remember if it works in glibc 2.0 or 2.1 - I thought it worked
> in glibc 2.0, but I can't really remember.
> 
> It does work in the 2.1 environment, and does well.  It uses SVGAlib
> (included), and only needs the mouse in as much as the window manager
> needs a mouse.
> 
> Since I've been trying out different window managers ("tiny" and
> "small" aren't just for floppy-disk systems :-) I've found that both
> pwm and ice have nice keyboard controls - pwm in fact was designed to
> have GOOD keyboard control.
> 
> So with vncviewer on one end and pwm on the other, what more do you
> need?  :-)
> 
> Would anyone like to try it out?
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Site Updates

[Scott C. Best]

Mike:
Nice update to that page. Me, though, I'd go one step further
and put a "Mailing List" header right there on the main page above the
Affiliates section. In that new "Mailing List" section I'd invite the
visitor to "Get your network or firewall config questions answered
here on the newbie-friendly LEAF-user email list", where LEAF-user
is a link to http://lists.sourceforge.net/lists/listinfo/leaf-user.

Thanks for all your work on this!

-Scott


>Everyone,
>I've done my best with our new "Mailing Lists" page. I need some feedback
>to improve it further. Suggestions and comments are welcome.
>
>http://leaf.sourceforge.net/content.php?menu=14&page_id=20
>
>Charles and Mike,
>I apologize for not seeing the wisdom in your suggestion earlier. I hope
>this new page is what you had in mind. Thanks for convincing me of the need
>for this page.
>
>--
>Mike Noyes <[EMAIL PROTECTED]>
>http://leaf.sourceforge.net/



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] LRP & firewalls

[Scott C. Best]

Jacques:

Good idea. Let me offer some candid ones about echowall:

Pro:
---
1. Installs and deinstalls into ES without conflicting with
   ES's builtin scripts.
2. Has built-in support for 30 services which need specific
   port-forward and IPfwd settings.
3. Supports the above services for LAN machines's which 
   have DHCP-assigned addresses. Ie, specifying a server is
   based on MAC-ID.
4. Automatically re-inits on DHCP lease renewal or PPPoE renewal.
5. Works out of the box with RFC-1918 external IP addresses.
6. Deny's without logging most of the background-radiation
   log fillers (like NetBIOS broadcasts, IGMP's, etc.)

Cons:

1. No DMZ support.
2. Requires gatping subnet-scanning utility (~10kB).
3. No easy hooks for customization like builtin scripts.
4. No dancing mice.

Hope that helps...

-Scott

On Wed, 20 Jun 2001, Jacques Nilo wrote:

> It looks like the list of available firewalls for LRP is growing. My
> understanding (correct me if I am wrong) is that we have, on the top of
> the "standard" LRP script, 3 main firewall LRP packages available
> echowall 1.2
> rcf 5.2
> seattle 4.1
> I think it would be really useful if we could come up with a list of
> pros and cons for each package, some kind of benchmarking.
> What do  you think ?
> Jacques
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] Re: [Leaf-user] echowall 1.1 released

[Scott C. Best]

Chris:

DOH. :)
Can't believe I forgot IRC. Sigh. Okay, forget
1.1, version 1.2 is now up in all the same places. :) It
adds IRC support, and I've gone and alphabetized the list
of services so it's easier to navigate (and support). see
the README for the full list of 30 services.

Also, it is an ipchains-based script. I plan on
adding iptables/netfilter support, but I hadn't planned on 
going backwards to the 2.0 kernels. Perhaps you could be 
convinced to upgrade? Echowall was built for the Eigerstein
releases, installing itself over the default rulesets with 
that distro with zero conflicts. It de-installs itself
nicely too (see "echowall install" and "echowall deinstall").
It also works with both DHCP and PPPoE IP address
renewals from your ISP, automagically re-init'ing itself.
For two-NIC, non-DMZ, LRP/LEAF usage, it's not half bad.

Hope it works well for you!

cheers,
Scott

> 
> Thinking about trying your echowall and was wondering if it is possible
> to forward a "generic" services, or, rather ones that you dont include in
> your setup.  I have an IRC server sitting behind my LRP box that I forward
> traffic to on port 6667 (using ipfwadm).  Is it possible to do this under
> echowall?
> 
> Thanks for your attention!
> Chris Kulish
> 
> > Heyaz. Just posted version 1.1 of echowall.lrp
> > in all the usual places. Some bug fixes to the now-tested
> > PPTP and IPSec pieces, as well as added support for
> > Battlenet and Firewall-1 VPN'ing.
> >
> > Hope it proves useful!
> >
> > cheers,
> > Scott
> >
> > http://leaf.sourceforge.net/devel/sbest/echowall
> > ftp://ftp.echogent.com/EchoWall




___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] echowall 1.1 released

[Scott C. Best]

Heyaz. Just posted version 1.1 of echowall.lrp 
in all the usual places. Some bug fixes to the now-tested
PPTP and IPSec pieces, as well as added support for
Battlenet and Firewall-1 VPN'ing.

Hope it proves useful!

cheers,
Scott

http://leaf.sourceforge.net/devel/sbest/echowall
ftp://ftp.echogent.com/EchoWall



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] New Project

[Scott C. Best]

David:
This, now, is a great idea. Go fer it.
Suggestion:

> A new user comes along (with or without UNIX/network tech), boots with
> two disks (yes two), and then goes through this initial setup step by
> step, with a boot disk to be configured in hand.  Once this is all
> done, then the disk is backed up to another, the configuration saved,
> and the user reboots with this ONE disk for a router.

If packages chosen for setup could be apt-like gotten,
from a LEAF apt server, that'd be very slick. My favorite thing
about Debian, no CDROM needed. :)

-Scott



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Suggestion for improvement

[Scott C. Best]

Mike:
Looks much better, thanks!
Quick thing: there's a new half-inch margin on
the right hand side that's squishing the page leftwards.
Or is my browser just totally hosed? (NS 4.6 on Solaris).

-Scott


On Thu, 14 Jun 2001, Mike Noyes wrote:

> Charles Steinkuehler, 2001-06-14 09:51 -0500
> >I don't know that we need to change the menu items, just make it easier
> >for a new user to find our distributions.  Maybe add another
> >'tagline'...something like
> >
> >What is it?
> >
> >Project Goals:
> >
> >Distributions:
> >   Choosing a distribution <- Link to a page describing each disto in summary
> >   EigerStein <- Direct link to Releases/EigerStein
> >   Oxygen <- Direct link to Releases/Oxygen
> >   PPPoE and PPPd <- Direct link to Releases/PPPoE and PPPd
> >
> >Affiliates
> >
> >This would make it easy for new visitors to actually find the 'goodies'
> 
> Everyone,
> Are our home page and releases page easier to navigate now?
> 
> Note: I still need to work on our releases page, but I think our home page 
> is alright.
> 
> --
> Mike Noyes <[EMAIL PROTECTED]>
> http://leaf.sourceforge.net/
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Suggestion for improvement

[Scott C. Best]

Mike:
I'm hardly the best judge of what's best for new
users. But I'm very opinionated, if that helps! ;)

My suggestion would be to add a "Get a LEAF
Disk image Right Here, Right Now" right under the Affiliates
section of the main page. Have that link take the user to
the current Releases page where Eigerstein and Oxygen are
active links to their sites (which I see Eigerstein is
already!).
On that release page, indicate under Eigerstein 
that it's "the best version for new users" (and that the
latest version is ES2B), and under Oxygen indicate "the 
best version for LEAF developers". Lastly, on that Oxygen
page, have a link that leads to the tar.gz's. Maybe even
a "Image last updated on: Date" thing so people know how
current things are.

Just my two-coppers. Thanks!

-Scott

On Thu, 14 Jun 2001, Mike Noyes wrote:

> Scott C. Best, 2001-06-13 23:25 -0700
> > Heyaz. So, I went to the LEAF site today trying to
> >imagine myself as a new LRP user who's going there for the
> >first time.
> > And it strikes me...where's the distro? IMO, front¢er
> >links to both ES2B and Oxygen be a would be a great help. Sure,
> >there's a little "releases" in the upper left, which leads to
> >a page that has no clickable links on it -- gotta click again in
> >the left banner, though, to actually get to the page.
> > Doing it that way, with the left-banner, makes me feel
> >like I had to mine for something, and may have no gotten the
> >good stuff. So, I guess I'm suggesting a "here's the good stuff"
> >link, right there on the homepage. Thoughts?
> 
> Scott,
> I could remove the "Releases" menu item. Then make "EigerStein" and 
> "Oxygen" root menu choices. My preference is to add links to the releases 
> page. Let me know which way you think is easier for the new user.
> 
> --
> Mike Noyes <[EMAIL PROTECTED]>
> http://leaf.sourceforge.net/
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

RE: [Leaf-devel] Suggestion for improvement

[Scott C. Best]

Steven:

Good point, I shouldn't be so dark. :)
Lets release Son of Eigerstein officially this week.
It's in great shape, arguably better than any other LRP
distro you could download...

-Scott


On Wed, 13 Jun 2001, Steven Peck wrote:

> Geez Scott,
> 
> Do you have to concentrate on the negatives?  :)  j/k
> 
> That was actually why I was hesitant about advertising until we got some
> focus on what directions LEAF is going in.  I hope it continues to travel in
> a varity of directions, but some helpfully prominent sign posts to direct
> fols appropriately will do wonders.
> 
> Now, I'm going to be a little selfish and will not be doing much work in the
> next 2-4 weeks.  After that I should be moved and if a long shot pays off, I
> MAY even have static IP DSL!  Yippee!  Otherwise, I have to wait for an
> indeterminate amout of time for cable.  Once I get settled, I'll start being
> more active again, even if it is through a, sigh, dial-up line.  :)
> 
> --
> Steven Peck   [EMAIL PROTECTED] 
> Sacramento, CA  http://leaf.blkmtn.org
> 
> 
> 
> > -Original Message-
> > From: Scott C. Best [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, June 13, 2001 11:26 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Leaf-devel] Suggestion for improvement
> > 
> > 
> > 
> > Heyaz. So, I went to the LEAF site today trying to 
> > imagine myself as a new LRP user who's going there for the 
> > first time.
> > And it strikes me...where's the distro? IMO, front¢er 
> > links to both ES2B and Oxygen be a would be a great help. Sure, 
> > there's a little "releases" in the upper left, which leads to 
> > a page that has no clickable links on it -- gotta click again in
> > the left banner, though, to actually get to the page.
> > Doing it that way, with the left-banner, makes me feel
> > like I had to mine for something, and may have no gotten the
> > good stuff. So, I guess I'm suggesting a "here's the good stuff"
> > link, right there on the homepage. Thoughts?
> > 
> > -Scott
> > 
> > 
> > 
> > 
> > ___
> > Leaf-devel mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/leaf-devel
> > 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] Suggestion for improvement

[Scott C. Best]

Heyaz. So, I went to the LEAF site today trying to 
imagine myself as a new LRP user who's going there for the 
first time.
And it strikes me...where's the distro? IMO, front¢er 
links to both ES2B and Oxygen be a would be a great help. Sure, 
there's a little "releases" in the upper left, which leads to 
a page that has no clickable links on it -- gotta click again in
the left banner, though, to actually get to the page.
Doing it that way, with the left-banner, makes me feel
like I had to mine for something, and may have no gotten the
good stuff. So, I guess I'm suggesting a "here's the good stuff"
link, right there on the homepage. Thoughts?

-Scott




___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] Covad DOS's Verizon

[Scott C. Best]

Saw this on Slashdot, thought I'd share. Colorful. :)

http://newscenter.verizon.com/proactive/newsroom/release.vtml?id=56108

-Scott




___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] lrp.c0wz.com down?

[Scott C. Best]

Mike:
Yeah, Rick fell off the Earth about a month ago. Hope
he's okay...

-Scott

On Wed, 13 Jun 2001, Mike Noyes wrote:

> Everyone,
> It looks like lrp.c0wz.com is down. The root c0wz.com site is still responding.
> 
> Has anyone heard from Rick lately? I've been unable to reach him recently.
> 
> --
> Mike Noyes <[EMAIL PROTECTED]>
> http://leaf.sourceforge.net/
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] New Development Platform?

[Scott C. Best]

I think Charles' POV is a good one. If we know most of
the core requirements of LEAF (eg, floppy-based, BusyBox, uLibC, 
.deb and .rpm support, easy cross-compiling, etc) it shouldn't 
be too hard to roll our own distro, and specify our own development
platform as *seperate* things. I don't even think it be a bad 
idea. :)

-Scott





___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Monta-Vista Hard-Hat Linux

[Scott C. Best]

Charles:

Just thinking out loud:

> NOTE:  I'm still very open to suggestions on what to use as the base of the
> next generation of LRP like functionality.  I'm mainly looking at starting
> with an existing distribution because 'out of the box' you get a working
> cross-compile environment (no more dedicated Debian Slink boxes just to
> compile an application or two), and much of the software will be
> pre-packaged.

I was recently contacted by the makers of BlueCat Linux (and its
RTOS sister LynxOS) at www.lynuxworks.com, who are actively looking for
partners for their distro. I cannot comment on the strengths of their
product, but if you'd like a name&email of the partners manager, that I
can provide.

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

RE: OT Re: [Leaf-devel] linuxrouter.org draft?

[Scott C. Best]

I just wanted to split a quick hair. No affront to
Pi, I just needed a handy quote to speak from:

> My point: This is an LRP issue. Deal with it in LRP and try not to
> generalize it into something larger. Abstaining from politics is politics
> as well.
> 
> Pi

To be sure, McVeigh is not a "political" issue. It is
an *ideological* issue. Dave-C's advocation of terrorism and
violent extremism does not merit a comparison to even the most
libertarian political agenda. It is not "politically correct"
to condemn the actions of McVeigh, or the actions of the bombers
in Lebanon, Jerusalem, Kenya, Tanzania, etc. Condemnation of
terrorism is the flip-side of a near-universal love of life
and respect for it. In the religion of my family, this mindset
was known as simply "ethical". Which, as has been pointed out,
has nothing to do with an operating system.
Sorry for the soapbox'ing.

-Scott



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

RE: OT Re: [Leaf-devel] linuxrouter.org

[Scott C. Best]

Mike:
IMO, you're absolutely right in not wanting to help 
Dave-C with attracting a larger audience. I think your "alternate
possibility" list below, while a strong tactic, would affect
the undesired response.

However, your other suggestions seem dead-on. The
LEAF team *is* the support team (and arguably the developer
staff) for LRP. The reason that the LRP mailing list is
currently successful and useful is because of us, not because 
of Dave-C (who, granted, got it all started). Resultingly,
our support is now helping Dave-C to spread his message of
violent anarchism. Which, clearly, sucks. 

So IMO, it's a good time to pull the plug, and
relocate the support team and development staff to leaf-user.
The critical relocations will be for the distro developers:
Charles, David, Ewald, etc. The package developers like me
will follow, obviously.

Thoughts? Perhaps a vote to sever in such a way? I
can see how some would see that it's cutting off our nose
to spite our face.

-Scott

On Mon, 11 Jun 2001, Mike Noyes wrote:

> Bao C. Ha, 2001-06-11 16:01 -0700
> 
> >I have an evil idea.  Should I let the slashdot.org crowd
> >knows about this?
> 
> Bao,
> I don't think Dave C's views deserve a larger audience then they are 
> already receiving. We may want to consider:
> 
> 1) stop answering questions on the linux-router list (boycott/protest)
> a) refer people to the leaf-user list for EigerStein & Oxygen support
> 2) tell people to submit support requests on our site
> a) Support Request Tracker
> b) leaf-user list
> 3) change all support request links to our site
> a) leaf.sourceforge.net
> b) lrp.c0wz.com
> c) lrp.steinkuehler.net
> 
> At least 70% of the people that answer questions on the linux-router list 
> are already members of our project.
> 
> This would be a major change, so everyone would have to agree to it.
> 
> 
> A couple of alternate possibilities.
>   * We can post an article on our site disclaiming any association with
> Dave C's anarchist views.
>   * Contact the LRP sponsors and let them know about Dave C's use of the
> linuxrouter.org web site to promote an anarchist political agenda.
> 
> --
> Mike Noyes <[EMAIL PROTECTED]>
> http://leaf.sourceforge.net/



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: OT Re: [Leaf-devel] linuxrouter.org

[Scott C. Best]

Oh jeesh. What a f!cking moron.

-Scott

On Mon, 11 Jun 2001, Mike Sensney wrote:

> At 09:39 AM 06/11/2001 -0700, Kenneth Hadley wrote:
> 
> >I hope that someone hacked his web server otherwise Ive lost what little
> >respect for Dave Cinege I had left after his fiasco with acepting help.
> 
> I echo your opinion. 
> Would Dave C feel the same if his own family had been "collateral damage"?
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] ES3 suggestion

[Scott C. Best]

Charles:

Heya. Since you suggested some enhancements to ES3
before it's released, I wanted to suggest some of my own.
Little things, in specific regard to the firewall setup
scripts. My intent is to eliminate some of the FAQ support
questions that come up on the list.

1.  First, when it refreshes, I'm not sure that
it flushes the rules *and* the portfw's/autofw's.
I could be wrong here, but I think it only flushes
the ipchains rules and doesn't touch what was
previously setup with ipmasqadm.

2.  Given the increased popularity of ISPs giving out
RFC-1918 private addresses with DHCP and then static
NAT'ing them, I think part of the firewall setup which
blocks the RFC-1918 address specifically should be 
dropped.

3.  Many of the trojan's I've read about use blind-attacks
where a response from the target isn't needed. So the
attacker can spoof the return IP address, and they
often choose from the reserve-address range (and use
the "eleet" port of 31337). Anyhow. as per CIAC alert
K-032, I think the following reserved address traffic
should be blocked explicitly:

$IPCHAINS -A input -i $IF_EXT -b -s 0.0.0.0/8 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 169.254.0.0/16 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 192.0.2.0/24 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 224.0.0.0/4 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 240.0.0.0/5 -j DENY
$IPCHAINS -A input -i $IF_EXT -b -s 248.0.0.0/5 -j DENY

4.  Lastly, at the end of the setup script, some "noise
blocker" rules should be stuck in. This helps eliminate
log file buildup (and the risk of resulting tooth 
decay...). Since they're at the very end, they not 
interfering with normal op's that would have been setup 
earlier.

$IPCHAINS -A input -i $IF_EXT -d 255.255.255.255 -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p tcp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 137 -p udp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p tcp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 138 -p udp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 67 -p udp -j DENY
$IPCHAINS -A input -i $IF_EXT -d 0.0.0.0/0 68 -p udp -j DENY


That's it. Please let me know what you think. Of 
course, I'd be willing to do the dirty work of editing the 
scripts and tar'ing them up for the inclusion in the new 
release. Just wanted to be sure the above has enough perceived
value.

cheers,
Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Pb with dhclient & Eigerstein BETA2_test_20010527

[Scott C. Best]

Charles:

Heya, welcome back. :)
IMO, since this ES3 release will be a whole-floppy release,
it makes sense to me to release it with dhclient and dnscache
pre-setup to groove together nicely. Just my two coppers.

-Scott


On Thu, 31 May 2001, Charles Steinkuehler wrote:

> > Symptom:
> > When I boot the new package I get after:
> >
> > DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
> > receive_packet failed on eth0: Network is down
> >
> > Then if I issue after login in
> > /etc/init.d/dhclient  restart
> > it works ok
> >
> > I replaced the dhclient package with the one on Charle's site version
> > 2.0pl5 (not the one on Eigerstein Beta2 which is I think an earlier
> > version). I was able to login without any problem. Therefore the problem
> > is with the dhclient.lrp in the Beta2_test package.
> 
> Yes, we need to verify the dhclient package is 2.0pl5.  An older version is
> on the existing EigerStein disks.
> 
> > Another problem is the dhclient-script file which must be hacked when
> > dhclient is running with dnscache. See FAQ section at
> > http://leaf.sourceforge.net/devel/jnilo/dnscache.html
> 
> Hmm...kind of a sticky problem.  Since I now know more about how dhclinet
> works, what about the following:
> 
> 1) Return the dhclient scripts to their original form (ie knowing nothing
> about dnscache)
> 
> 2) Add a prepend statement to dhclient.conf:
>   prepend domain-name-servers 127.0.0.1;
> 
> This *should* use the local dnscache to resolve names, falling back to the
> DNS server(s) provided by the ISP if local resolution fails, and keeps
> everything standard but the dhclient configuration file, which is where such
> things are supposed to be set.
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] New FAQ at LEAF Page

[Scott C. Best]

David:

Heya. I like it, though I'd suggest some touch
ups to the first paragraph (turning it into two):


This question is often asked by firewall users
that find dozens, if not hundreds, of TCP packets being
logged which were destined to their firewall's DNS port 
(TCP port number 53). These packets originate from many
different IP address, where each sends anywhere from 5 
to 8 packets, all within the space few seconds.
When caught with tcpdump, these packets will have 
the SYN and ACK flags set, as if responding to a legitimate 
TCP initiation packet. Since the firewall did not actually 
attempt to initiate a connection, it will instinctively 
reply with a TCP packet with the RST flag set (along with
logging the packet in the firewall logs). The presumption 
is that it is this scan's intent to generate these RST 
packets, and to use them in an ad-hoc load-balancing 
scheme.
 These scans seem correlated with visiting certain
web pages, ones using some peculiar load-balancing...etc,
etc...


Just some suggestions. :)

-Scott


On Fri, 25 May 2001, David Douthitt wrote:

> I submitted a new FAQ under section 9: Why am I getting SYN/ACK floods
> to my DNS port?  (or something like that).
> 
> Tell me what you think, hack it up, etc.
> 
> Perhaps the Lion worm should be mentioned?
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Something new

[Scott C. Best]

George:

Thanks anyhow, found one. It's quite a bit different,
and will require some rather substantive change in the parser.
Anyone out there nuts about working on perl parsers
updates? :)

-Scott


On Tue, 22 May 2001, George Metz wrote:

> On Mon, 21 May 2001, Scott C. Best wrote:
> 
> > George:
> >
> > Can you send along an IP-Tables log to me?
> > Thanks! I can Google for a BSD log too, make sure
> > that works.
> 
> That would require me to have one. I don't currently have 2.4 running on
> my disk image, sad to say, mostly because I'm loathe to take the box down
> for the upgrade.
> 
> I'll see what I can find; maybe I can set up some quickie ironclad rules
> on my server, then portscan it from my workstation.
> 
> --
> George Metz
> Commercial Routing Engineer
> [EMAIL PROTECTED]
> 
> "We know what deterrence was with 'mutually assured destruction' during
> the Cold War. But what is deterrence in information warfare?" -- Brigadier
> General Douglas Richardson, USAF, Commander - Space Warfare Center
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Something new

[Scott C. Best]

George:

Can you send along an IP-Tables log to me? 
Thanks! I can Google for a BSD log too, make sure
that works.

-Scott


On Mon, 21 May 2001, George Metz wrote:

> On Sat, 19 May 2001, Scott C. Best wrote:
> 
> >
> > Heya LEAF'rs. Been working on something new:
> >
> > http://www.echogent.com/cgi-bin/fwlog.pl
> >
> > It's a firewall packet log processor. So, stick
> > in something like:
> 
> 
> 
> BRAVO!
> 
> We've been needing one of these for a while, good to see that someone's
> stepped up and done it.
> 
> Will it - either currently or eventually - handle IPTables output? It's
> almost but not quite the same.
> 
> --
> George Metz
> Commercial Routing Engineer
> [EMAIL PROTECTED]
> 
> "We know what deterrence was with 'mutually assured destruction' during
> the Cold War. But what is deterrence in information warfare?" -- Brigadier
> General Douglas Richardson, USAF, Commander - Space Warfare Center
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Something new

[Scott C. Best]

Mike:

Not a bad idea. Let me get it working first, though.
Still some details to nail down.

-Scott

On Sat, 19 May 2001, Mike Noyes wrote:

> Scott C. Best, 2001-05-19 14:18 -0700
> 
> > Heya LEAF'rs. Been working on something new:
> >
> > http://www.echogent.com/cgi-bin/fwlog.pl
> >
> > It's a firewall packet log processor. So, stick
> >in something like:
> 
> Scott,
> We can run cgi scripts from our SourceForge site. How large is the cgi 
> script, and does it require a lot of processing power?
> 
> --
> Mike Noyes <[EMAIL PROTECTED]>
> http://leaf.sourceforge.net/
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] Something new

[Scott C. Best]

Heya LEAF'rs. Been working on something new:

http://www.echogent.com/cgi-bin/fwlog.pl

It's a firewall packet log processor. So, stick
in something like:

Apr 25 15:18:13 lrp kernel: Packet log: input DENY eth0 PROTO=6
199.172.144.146:80 65.11.107.82:8499 L=1500 S=0x00 I=34491 F=0x4000 
T=51 (#58) 

...and it'll make an educated guess about what
you're seeing, how important it is, etc.
Apologies if they're any hiccups in the graphics
or anything. Am not an HTML jockey. As always, please let
me know if you see any problems with it before I mention
it on LRP.
Also, of course, if you have a packet log that
this processor cannot handle, please let me know. Or if
you know what a packet "means" and this tool isn't telling
it to you...let me know that too so that I can put in a 
rule to handle it appropriately.
Thanks!

-Scott




___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Vulnerabilities dot org

[Scott C. Best]

So, I ran the Nessus scan on an Eigerstein 2.2.16
running echowall. The report, as with Steven's experience,
isn't very interesting: nothing found since I left nothing
active (I commented out the WANTED_SERVICES line before
restarting the firewall and testing). Report attached at
the end of the email.

What *is* interesting though is the packet logging.
Oh my. Filled my ramdisk, preventing echowall from re-
running, as "echo test > file" won't work if the disk is
full. So...be cautious turning Nessus loose on your own
LRP box. :)
Makes me wonder though. At the start of the scan,
/var/log/syslog, messages and kern.log were 15k, 13k, and
13k respectively. After the scan...all *three* of them were
over 980k before I ran out of disk space.
Sure, a brute-force DOS attack but...what am I doing 
wrong where each packet log gets recorded in 3 places?

Also...I noticed my cable-modem connect thru the LRP 
was sluggish after the disk was filled. I checked with
www.bandwidthplace.com/speedtest and it confirmed: 671 kpbs
with a full disk, and 1293 kbps immediately after a reboot.
Perhaps the next time someone on the LRP lists mentions
that their LRP box is "acting slow" we should ask if they
recently unleased Nessus on it.

cheers,
Scott

> Everyone,
> I found a site that is performing Nessus and NMAP scans for free. 
> Please test your firewalls and share the results.

---

   Nessus Scan Report compliments of www.vulnerabilities.org

Free Nessus web scan provided by Vulnerabilities.org
Contact [EMAIL PROTECTED] or [EMAIL PROTECTED]
for a personal evaluation of the scan report, further detailed
systems analysis. Of course, we are available for contract
to correct your problems, provide recurring network
vulnerability analysis, and general hosting system administration

Please take a second and drop us a note, or if you would
like to share your report with us, email to above!




Number of hosts which were alive during the test : 1
Number of security holes found : 0
Number of security warnings found : 0
Number of security notes found : 1

List of the tested hosts :

 *  65.11.107.92 (Security notes found)



[ Back to the top ]
65.11.107.92 :

List of open ports :

 *  general/udp (Security notes found)

[ back to the list of ports ]

Information found on port general/udp

For your information, here is the traceroute to 65.11.107.92 :
207.211.208.3
165.113.120.205
165.113.50.146
165.113.50.65
165.113.3.126
24.7.74.62
216.197.144.30
10.0.254.242
10.0.255.14
?


This file was generated by Nessus, the open-sourced security scanner.



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] Found my development platform.

[Scott C. Best]

Forgive the off-topic moment of levity but...Oooo.

http://www.jp.playstation.com/linux/image/main.jpg

I can see it now...a Missle Command like interface to
zap incoming packets of questionable origin...
:^)

-Scott






___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Patched kernel 2.4.3 (about to be) available.

[Scott C. Best]

George:

Sorry for the late reply...

> Time to do some good old-fashioned "market classification" here. We have
> two base-level types of people using LRP:
> 
> 1. People who want to have a firewall/router that will let them share IP
> addresses and don't want to spend the money on a commercially available
> one.
> 
> 2. People who want to tinker, and as such have a fair bit of knowledge.


I more or less agree with your generalization. I think
Eigerstein proves your point substantially. Recall LRP without
it, back when modmaker was alive? Every newcomer was pushed 
in the tinker category. From my pov, Eigerstein was the "eighty
percent" solution, and has been a great success both on its own
and for the project in general.

> The problem then becomes where we draw the line between the two.

Perhaps a way to think about it is from the point of view
of the newcomer. That is, we'd answer the question: "why would a
new user use this LEAF stuff". So, similar to what Eigerstein
did, we could break it out by high level description:

* Using a Cable-modem with a DHCP? Download MapleLEAF 1.0

* Using a DSL-modem with PPPoE? Download FigLEAF 1.3

* Using a dial-up modem? Start here with RedLEAF 1.1

* Experts only: want everything? MallornLEAF is for you.

That sort of thing. Or if MapleLEAF was tied to a 
specific kernel/glibc version, we could post pre-rolled
images like "MapleLEAF for DSL", "MapleLEAF for Developers",
etc.

> Any thoughts or ideas? I'm thinking that trimming the fat off of this
> stuff, combined with UPX, might be enough for us to go glibc 2.1.x or 
> even 2.2.x for base router images. At least then, it would be easier to
> transition from the basics to the fun stuff.

Starting with a a base router image the same on all of the
above LEAF trees would be terribly valuable. Glad this is being
thought out...

cheers,
Scott
 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Kernel 2.4.x

[Scott C. Best]

George:

Hey, thanks for the 411.

> > Based on Tom's last post, I don't think updating
> > echowall for dual support should be that difficult. Unlike
> > other config packages, the main script takes a ruleset
> > and munges it with a .conf file, to produce a 3rd "run
> > file".
> 
> That sounds like it would be workable, but it makes the database a bit
> larger. Not that that's really an issue with Echowall per se, but... =)

Have the size of the database is long variable names. :)
As per that recent "How to write unmaintable code" I'll shorten
$IPMASQADM to just $8 and knock a few kB's off


> > Now I just have to talk my wife into letting me
> > noodle on it for another weekend. :*) Thanks in advance for
> > any data about the images.
> 
> Sure thing. I got around my wife by going out and buying her a 30-gig
> drive for her computer and The Sims House Party Expansion pack.

For my wife, it was Napster. She drag'd me to Fry's to
get a memory stick update for her Rio player. Never been dragged
to Fry's before, found it quite erotic. :^)

-Scott



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Kernel 2.4.x

[Scott C. Best]

George:

Heya. Just wanted to confirm the 2.4.3 disk images
available at your site: the disk images do *not* have the
FTP patch, but the kernel tarball *does*. To get an LRP 
image with the patch, I should dig it out of the second 
tarball and roll it into the first. I get that right?

Based on Tom's last post, I don't think updating
echowall for dual support should be that difficult. Unlike
other config packages, the main script takes a ruleset 
and munges it with a .conf file, to produce a 3rd "run
file". It then sets that file off, and then deletes it.
Anyhow...the main script could pretty easily detect the
environment (ipchains or netfilter), and "build" the run 
file in the right manner. Not just command and flag format,
but the chain components as well -- so for ipchains, it'd
add to the input chain and the forward chain, but for
netfilter just the forward chain.
Now I just have to talk my wife into letting me
noodle on it for another weekend. :*) Thanks in advance for
any data about the images.

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] IP-Masq'ing question

[Scott C. Best]

Jack:

That's an interesting picture...

> wireless areaInternet
>  |   |
> LRP LRP
>  |   |
>  ---LAN---


If the LAN side interface on the right LRP box thought 
that its subnet was 0.0.0.0/0, then it would use ARP to find the 
MACID of anything that sent a packet from the wireless area. I 
could then setup proxy-ARP for the LAN side interface on the left 
LRP box to respond to anything that the right side ARP'd for...

This will keep me up late. :) Thanks for the input. I
totally agree I'll be better-off simply using DHCP, sure. The
idea becomes more sellable (to the people I'm selling to) if I
could make this fly too. Thanks again.

-Scott

 
> Both LRP's masq, both LRP's treat the top interface as default network.
> Wireless LRP forwards everything into the LAN, masqing it as a single
> IP. The hard part now is Internet access from the wireless LAN, because
> you can't give the LRP two default routes pointing in two different
> directions :-) Nor can you use the massively annoying "static routes
> supernetting the whole Internet" trick because you're likely to get
> registered addresses on the wireless net from time to time. Routing into
> the LAN is easy, but routing from the wireless area to the Internet is
> going to be challenging.
> 
> I think you're better off changing people's IP addresses.
> 
> -- 
> Jack Coates
> Monkeynoodle: It's what's for dinner!
> 
> On Sat, 21 Apr 2001, Jack Coates wrote:
> 
> > I don't think it's going to work, then. "On the fly" reconfiguration
> > would mean downing the interface everytime a new machine joined the
> > wireless LAN, which would get really annoying to the users. But if you
> > treat the LAN like the Internet (0.0.0.0/0) then you can't route to it.
> >
> > Actually, that could work, I think, with proxy arp.
> >
> > wireless int -> 192.168.254.254, bridging enabled
> > def route forwards all traffic to eth1
> > masquerade as 192.168.1.1
> > eth1 -> 192.168.1.254
> >
> > another LRP is the Internet gateway. Double-NATing is goofy as hell and
> > will probably break something.
> >
> >
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] IP-Masq'ing question

[Scott C. Best]

Jack:
Hurm. I know that I can't assure you of "a". In
fact, quite the opposite: I have no idea what people will
be bringing into the wireless LAN.
On the other hand, I can safely assure you of "b".
Can see your point: if I alias the internal interface to
some other subnet's gateway or DNS IP address, it'd be 
tricky to ever trying to send packets thru the router to 
the "real" one.

Regarding DHCP, I agree completely. That'd be best, 
and it's certainly going to be the default. But, I'm not 
sure I can force a user's laptop (say) to use DHCP if it 
started life in my LAN as a statically configured device.
I think I just gotta deal with it, somehow detecting "lost"
packets and adapting the interfaces, on the fly, accordingly.
Or, as you suggest, run an active LAN scanner (perhaps an
ARP watcher?) to see what just joined and make some guesses
as to how to handle it.

Risk wise, 802.11 certainly has that limitation 
with the independent-BSS mode. My understanding is in that
"software access point" mode, everything on the LAN is
essentially a peer, and so an illicit user can see and
affect legitimate users directly. In "real" access points,
there's a normal BSS mode, in which the AP mediates all of
the traffic, and so peers are safer from each other. My
understanding, though, is that none of the open-source
projects support this second mode -- not until an Orinoco
access point gets reverse engineered.

-Scott

On Fri, 20 Apr 2001, Jack Coates wrote:

> The only way I can see this working is if you:
> 
> a) know and define the subnet the fixed addresses will be in
> 
> b) don't ever need to get to that subnet on the Internet (or at least
> not at the same time as you're using a wireless device).
> 
> Better ways: DHCP. It's pretty easy to write a .bat or .sh which
> releases and renews -- with a little more work and snort you could
> probably autosense when that sort of activity was required?
> 
> I'll assume you know about the big ugly holes recently discovered in WEP
> and have heard the stories about driving around with a laptop and an
> antenna...
> 
> The risks aren't new (WEP == wired equivalent protocol and imagine a
> hub with a patch cable reaching out to the street for anyone to use),
> but they are recently publicized which means lots more script kiddies
> know about it.
> 
> -- 
> Jack Coates
> Monkeynoodle: It's what's for dinner!
> 
> On Fri, 20 Apr 2001, Scott C. Best wrote:
> 
> >
> > Heyaz. Curious for any leads, pointers, suggestions,
> > patient explanations here.
> >
> > Here's the situation: given a Linux based NAT'ing
> > firewall/router in between a modem and a 802.11 access point,
> > I'd like to support an 802.11 network device that arrives on
> > the network which is preconfigured "incorrectly". That is,
> > suppose my LAN is 192.168.x.y, but a new device is configured
> > with a static IP# (and static DNS, and even a static proxy) in
> > some *other* range (say, in 206.184.139.137/24 somewhere).
> >
> > Presuming the firewall ruleset is flexible enough,
> > how much of this would common IP-masquerading be able to
> > handle already? Certainly the DNS and and proxy stuff would
> > require some careful forwarding...but what about the NAT'ing
> > and the routing? I've been noodling on this most of the day,
> > and have fairly well convinced myself that it should be
> > fairly straightforward with the NAT'ing, but a bit trickier
> > with the ad-hoc ip-aliasing of the internal interface (so
> > it would appear as the default gateway, DNS, and proxy for
> > multiple devices differently).
> > Anyhow...thanks in advance for any thoughts on this.
> >
> > cheers,
> > Scott
> >
> >
> >
> >
> >
> > ___
> > Leaf-devel mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/leaf-devel
> >
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] IP-Masq'ing question

[Scott C. Best]

Heyaz. Curious for any leads, pointers, suggestions,
patient explanations here.

Here's the situation: given a Linux based NAT'ing
firewall/router in between a modem and a 802.11 access point, 
I'd like to support an 802.11 network device that arrives on 
the network which is preconfigured "incorrectly". That is, 
suppose my LAN is 192.168.x.y, but a new device is configured 
with a static IP# (and static DNS, and even a static proxy) in 
some *other* range (say, in 206.184.139.137/24 somewhere).

Presuming the firewall ruleset is flexible enough,
how much of this would common IP-masquerading be able to
handle already? Certainly the DNS and and proxy stuff would
require some careful forwarding...but what about the NAT'ing
and the routing? I've been noodling on this most of the day,
and have fairly well convinced myself that it should be
fairly straightforward with the NAT'ing, but a bit trickier
with the ad-hoc ip-aliasing of the internal interface (so
it would appear as the default gateway, DNS, and proxy for
multiple devices differently). 
Anyhow...thanks in advance for any thoughts on this.

cheers,
Scott





___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Unified Embedded Platform Specification

[Scott C. Best]

Mike:
I'm not so worried about how far "down" they certify
as much as how far "up". Certainly, everything downstairs will
be LGPL (so mods cannot be taken private, but it can be combined
with closed-source apps), and so I'm hoping for something as
straightforward as: 2.2.19 kernel, uLibC, busybox 0.5, libsafe,
etc. Really, something terribly close to Oxygen...

Again though, what worries me is a special-interest
high-level app. Like a JVM (or whatever they're called now),
UPnP, SNMP, or something else ghastly, fat and insecure.

Should be interesting, in any case.

-Scott


On Wed, 18 Apr 2001, Mike Noyes wrote:

> Scott C. Best, 2001-04-18 19:58 -0700
> >Mike:
> >
> > I agree: a potentially watershed article. Quoting
> >from a juicy bit:
> >
> > Cool. This will make my echowall porting efforts
> >go that much smoother. ;)
> 
> Scott,
> I like the idea, but not who proposed it. Inder Singh's opinions concern 
> me. If I understand his definition below SCO and Solaris are Linux too. If 
> this standard will certify a proprietary OS because of API compatibility 
> I'm against it.
> 
> http://linuxdevices.com/articles/AT2016752176.html
> ~ Thus, one answer to the question "Is it Linux?" which may be the most
> ~ meaningful is that it is Linux if it can run Linux applications, i.e.
> ~ defining Linux in terms of its APIs/ABIs. This is the aspect that is
> ~ most important to developers of Linux applications as well as to most
> ~ embedded Linux developers. It is key to preventing Linux from
> ~ fragmenting the way that Unix did.
> ~
> ~ From this perspective, products like LynxOS from LynuxWorks, which has
> ~ a high degree of compliance with the Linux APIs, and will support the
> ~ ABIs in a future release, are effectively more true to Linux than some
> ~ of the open source solutions like RTLinux and Zentropix which are
> ~ derived from Linux, but break the Linux APIs to provide real-time
> ~ performance.
> 
> --
> Mike Noyes <[EMAIL PROTECTED]>
> http://leaf.sourceforge.net/
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Unified Embedded Platform Specification

[Scott C. Best]

Mike:

I agree: a potentially watershed article. Quoting
from a juicy bit:

"Our objective is to encourage the adoption of a single 
unified embedded Linux 'platform' for embedded middleware 
and application software, so that software developers can 
rely upon the APIs being available in any ELC-endorsed
embedded Linux and do not have to develop separate ports 
and validation for each embedded Linux distribution," 
according to ELC Chairman and CEO of LynuxWorks, Dr. Inder
Singh. "This will help to establish Linux as a viable open, 
multi-vendor software platform alternative to other single-
vendor embedded solutions, such as Windows CE, PalmOS or 
VxWorks and further accelerate the adoption of Linux in
emerging post PC applications."

Cool. This will make my echowall porting efforts
go that much smoother. ;) 

-Scott


On Wed, 18 Apr 2001, Mike Noyes wrote:

> Everyone,
> I belive this ELC announcement is significant. Opinions?
> 
> Unified Embedded Platform Specification Established and
> Promoted by Embedded Linux Consortium Board
> http://www.embedded-linux.org/pressroom.php3#66


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Re: CRC error on shorewall.lrp NO ERROR

[Scott C. Best]

Eric:
I too still have problems grabbing .lrp's with
Netscape. I recall someone posting an explanation and a
fix to the LRP list early last year, but it didn't take. :)

-Scott

> I tried again a download with netscape (with shift, right click etc) 
> every time crc error, but after using internet explorer ( very unusual 
> for me ;) ) there was no problem at all
> So the problem was at my side  (don't understand why I have got a 
> problem with Netscape this time)


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] just to confirm

[Scott C. Best]

Just wanted to confirm that ipmasqadm portfw
can *only* handle tcp and udp right now behind the -P
switch. Yes?
If so...then to confirm: IPSec (even using
*only* tunnel-mode ESP and not AH) and PPTP must 
terminate on a masq'ing firewall router right now.
Or, is there some other way to forward IP protocols
47, 50 and 51.

Also...has anyone built a redir.lrp or IPFwd.lrp
package yet, or have I found something else to do? :)
Thanks!

-Scott




___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Packaging

[Scott C. Best]

Jeff:
heya...

> > Jeff:
> > Sorry you don't agree.
>
> Well, I am too.  I feel like one of us is operating under some
> misconceptions about how lrpkg or tar works.  By continuing this 
> thread, I hope to grok your concern, or perhaps you will find your
> concerns were not justified.

I spent a while trying to figure why I was having
this trouble un-tar'ing .lrp archives. And I think now it
was my own dumb mistake.
My best.com shell account is a 2.2.8-STABLE FreeBSD
system. And, in a global .cshrc, the untar is aliases to  
"tar -xfP". So...my own fault for not using tar *directly*,
rather than relying on a system alias -- the -P switch, of 
course, preserves absolute paths. Which generates some
obvious errors when dncache.lrp (for examples) tries to
create a directory in /etc.

I still think David raised some great points in his
last letter, but I wanted to indicate that my primary "user 
difficulty" with untar has been mitigated. Prior to this
conversation, I was having (perhaps a common) difficulty 
looking at the contents of a package without actually 
installing it. My fault.

-Scott





___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] dhclient, rc.pf and psentry in harmony

[Scott C. Best]

Jon:
Heya. Two very keen improvements; good show. I might
lift them in an update to echowall...
Thanks!

-Scott

...
>Since dhclient-script is called when the IP address changes, it seems a
>natural place to call rc.pf.  So, in the BOUND and TIMEOUT sections,
>right after the gateway routing, I put
>a simple
>/etc/rc.pf start $new_dhcp_server_identifier $new_ip_address
>
>This way, every time the server or client dhcp address changes, it will
>get updated.  Then, in rc.pf, I set
>
>DHCP_C="$3"
>DHCP_S="$2"
>
>This lets you update the firewall while supplying the correct addresses
>manually.
>
>And of course
>IPI="$DHCP_C"
...



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Packaging

[Scott C. Best]

Actually I like .lrp as well, though my complaint
with it is different. I find it difficult to extract files
from a .lrp without potentially overwriting important system
binaries on the development box.
What'd be *much* nicer is if package.lrp expanded
to /tmp/package, and then /tmp/package/package.list would be
queried to find out where to put everything.

-Scott

On Thu, 5 Apr 2001, David Douthitt wrote:

> I seem to be somewhat alone in that I *LIKE* the *.lrp packaging;
> there is only one change I would make: rename the files from *.lrp to
> *.tgz.  This adds the ability to know what the file format is, and
> allows Windows hosts to decipher the file automatically.
> 
> However, there is support for unpacking RPM and DEB files within
> busybox; I haven't played with them yet, but perhaps a new
> distribution might find a need for them.
> 
> I don't know about Debian packages, but RPMs are very nice for a full
> system, work fast, upgrade well, have dependency checking. and
> also a huge database, lots of CPU overhead, and aren't usable with
> generic UNIX utilities like tar, gzip, and cpio...
> 
> Debian probably has a similar problem, yet I don't like their dpkg
> hardly at all.
> 
> I've also used Unixware packages and HP-UX depots; none of them share
> the fundamental simplicity that the *.tar.gz file for LRP supports. 
> UNIX originally did EVERYTHING in files; I understand that Plan 9 (an
> AT&T post-UNIX OS development) goes even FARTHER with this idea.  Why
> not use it in our packaging?
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] LEAF Distribution

[Scott C. Best]

David:
I agree, there should be no distribution called LEAF,
specifically. But...there *should* be distributions called
(for instance) Maple and Oxygen that were developed by LEAF
contributors.
Essentially, we should distinguish the project name 
from the distribution name. So, unlike RedHat, more like
Transmeta.

-Scott


On Thu, 5 Apr 2001, David Douthitt wrote:

> To me, that is what LRP and its variants are all about: these ARE
> distributions, and part of maintaining a distribution is updating
> packages, adding features, recompiles, et al.
> 
> As for a LEAF distribution, I think I would actually shy away from an
> actual "LEAF" image; the concept is good but the literal
> implementation would be bad.  Put another way, I wouldn't have any
> problem with "Maple LRP" created by the LEAF project (as one more LEAF
> variant) but to have a "LEAF LRP" or "LEAF image" would overshadow
> projects like Eigerstein and Oxygen.  Oxygen, among being good for
> others to use, reflects my own decisions and foibles - I like it that
> way :-)
> 
> A LEAF LRP would cause people to think that Oxygen has been superceded
> by LEAF, or that LEAF is "more current" or "better" which may or may
> not be true.
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Mirrors and upcoming Oxygen CDROM

[Scott C. Best]

Goerge:

Got it from Tom on the LRP list, thanks.
One of those days when amost everything I said
out loud was dead wrong. :) But then, if this is what
it takes to get a no-hitter outta my Red Sox, I can
get used to it...

-Scott

On Thu, 5 Apr 2001, George Metz wrote:

> On Tue, 3 Apr 2001, Scott C. Best wrote:
> 
> > George:
> > Wow, cool.
> > I looked around for it for an hour and couldn't
> > find anything that said it worked liked this.
> > Got a URL?
> 
> Uh... Not presently. See Rick's message though. =)
> 
> --
> George Metz
> Commercial Routing Engineer
> [EMAIL PROTECTED]
> 
> "We know what deterrence was with 'mutually assured destruction' during
> the Cold War. But what is deterrence in information warfare?" -- Brigadier
> General Douglas Richardson, USAF, Commander - Space Warfare Center
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Oxygen LRP CDROM

[Scott C. Best]

David:
Wow, a ton of progress.
Have you considered doing a network boot? That is,
just store the md5 hash on the CDROM that're associated with
the packages to load, then just put those packages on, say,
sourceforge.
Probably a million holes in the idea, but I thought
I'd float it out.

-Scott

On Wed, 4 Apr 2001, David Douthitt wrote:

> I've been working on other things; I hope to have a usable booting
> CDROM shortly.  The system should be able to boot from CDROM; however,
> what I'd REALLY like is to be able to 1) boot from CDROM (easy), then
> 2) load packages from CDROM (harder).
> 
> The ideal would be to be able to pick up a configuration file which
> contains a list of files to load.  I thought I had this set up until I
> realized that this file loads packages from whatever volume it happens
> to be loaded from.
>
> What I really need is:
> 
> * A way to "disconnect" the specification of packages to load FROM the
> actual source of those packages.

[snip]
 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Mirrors and upcoming Oxygen CDROM

[Scott C. Best]

Rick:
Wow. So *this* is the sensation of being wrong. 

I stand corrected. Helluva patch, if it works.
Though...if my PASV FTP client asked to connect to port
23, I wonder what the patch would do?
Anyhow, apologies abound. Anyone seen it working?

-Scott

On Wed, 4 Apr 2001 [EMAIL PROTECTED] wrote:

> On Tue, Apr 03, 2001 at 09:56:20PM -0700, Scott C. Best scribbled:
> > Errr...
> > I believe that ip_masq_ftp is used to make *active*
> > FTP work, on the *client* side. 
> > My understanding is that Active FTP is tricky on
> > client-side NAT'ing-firewalls and passive FTP is tricky on 
> > server-side NAT-ing firewalls. Unfortunately, this masq
> > modules only solves for one of them, not both.
> > AFAIK, you *gotta* tweak the config files of your 
> > FTP server to make it work from behind a NAT'ing firewall.
> > Its response to the PASV request must include the external
> > IP# of the firewall and a port from within the port-range 
> > that the firewall is auto-forwarding from.
> > 
> > Kick me if I'm way wrong on this...
> 
> *punch*
> 
> I know all of that; I'm talking about the patch, originally
> written by Fred Viles [IIRC], that changes the ip_masq_ftp.o
> module to correctly deal with server-side-NAT-firewall-PASV
> connections.
> 
> This allows you to avoid having to do anything special with
> your FTP server, in case you're running one that you can't
> configure like that.
> 
> > -Scott
> 
> -- 
> rick -- A mind is like a parachute... it only works when it's open.
> 
> ICQ# 1590117   [EMAIL PROTECTED]
> Help with LRP: http://lrp.c0wz.com Home page: http://www.c0wz.com
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Mirrors and upcoming Oxygen CDROM

[Scott C. Best]

George:
Wow, cool.
I looked around for it for an hour and couldn't
find anything that said it worked liked this.
Got a URL?

-Scott

On Wed, 4 Apr 2001, George Metz wrote:

> On Tue, 3 Apr 2001, Scott C. Best wrote:
> 
> > Kick me if I'm way wrong on this...
> 
> *Kick*
> 
> Sorry, couldn't pass it up. =)
> 
> > Errr...
> > I believe that ip_masq_ftp is used to make *active*
> > FTP work, on the *client* side.
> 
> The default module does, yes. However, someone of great ingenuity out
> there came up with an absolutely brilliant patch that allows a masq'd FTP
> server to do passive FTP without (much of) a hitch. It's not a widely
> distributed patch, and I'm not quite sure why it never made it into the
> base kernel source, as it sounds like it would be incredibly useful
> all-around.
> 
> --
> George Metz
> Commercial Routing Engineer
> [EMAIL PROTECTED]
> 
> "We know what deterrence was with 'mutually assured destruction' during
> the Cold War. But what is deterrence in information warfare?" -- Brigadier
> General Douglas Richardson, USAF, Commander - Space Warfare Center
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Mirrors and upcoming Oxygen CDROM

[Scott C. Best]

RicK;

> > [EMAIL PROTECTED] wrote:
> > > On Tue, Apr 03, 2001 at 06:00:49PM -0500, David Douthitt scribbled:
> > > > * Kernel patches: Openwall, bridgefw, VPN+Masq...
> > > 
> > > How about the ip_masq_ftp.o server patch?
> > 
> > Huh?
> 
> You know, the patch that makes passive ftp servers work behind
> masquerading firewalls?

Errr...
I believe that ip_masq_ftp is used to make *active*
FTP work, on the *client* side. 
My understanding is that Active FTP is tricky on
client-side NAT'ing-firewalls and passive FTP is tricky on 
server-side NAT-ing firewalls. Unfortunately, this masq
modules only solves for one of them, not both.
AFAIK, you *gotta* tweak the config files of your 
FTP server to make it work from behind a NAT'ing firewall.
Its response to the PASV request must include the external
IP# of the firewall and a port from within the port-range 
that the firewall is auto-forwarding from.

Kick me if I'm way wrong on this...

-Scott


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] new firewall package

[Scott C. Best]

I posted an update for echowall, 0.7, to my ftp 
server. I added a command option "scan" to the echowall
command options, so it's easier to determine what the
MACID's are for your intended servers.
I also redid the README documentation so it's
more suited for the beginner.

Of course, any feedback appreciated.

-Scott

PS:  ftp://ftp.echogent.com/EchoWall/echowall.lrp



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] new firewall package

[Scott C. Best]

Phew.
Spent the day getting 'echowall.lrp' into shape.
I know I know...there's no market for such things, but
I hate half-finished endeavors. ;) Download at:

ftp://ftp.echogent.com/EchoWall/echowall.lrp

There's a README and md5 hash there in that
directory too.
Here's the "what makes echowall different" pitch:
essentially, its aim is simplicity for the most entry
level user. 
It fairly simple compared to Seawall: no DMZ
support yet, and no QoS stuff. It presumes the user
is using LRP as a masquerading firewall/router for
a single Class-C address range. So, an "eighty-percent"
solution, and a stepping-stone for my ICSA-certification
endeavor.
Also, it makes use of the MACID-based server
identification so that, for example, you could setup
a machine to be a webserver and *still* have that server
get its IP-address via DHCP. 

In general, it's the genesis of what we spoke 
about in that thread from a few months ago, the "Grand 
New Firewall Paradigm" one. So, there's a boilerplate 
rules file, a user-customizable config file, and a main
script which munges the two into an ipchains executable. 
The main script also lets you 'install' the firewall to 
setup at boot, or 'deinstall' it to sit idly.

Anyhow, I think it's pretty good. If you could,
please download it and kick the tires. Based on your
guys' preliminary feedback, I'll decide whether to unleash
it upon the main LRP list.
Feedback welcome, of course, Thanks!

-Scott



___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

RE: [Leaf-devel] Functional Admin -kudos

[Scott C. Best]

Yeah, no kidding. A thousand thanks, Mike. :) I've
got you on my list of "owing a FineBottleofSomethingNice"
should you ever be local to claim it.

-Scott

On Fri, 30 Mar 2001, Steven Peck wrote:

> I have to go with David here and I think it deserves a mention.
> 
> You are coordinating work on an Open Source project.  You have been driving
> force and crucial to installing and maintaining the website (you then found
> a better solution and made it happen :getting help counts), coordinating and
> writing documentation, doing the backend administrative work on getting a
> CVS tree going, setting up/manageing multiple mail lists, ftp permissions,
> Sourceforge updates and issues.  Gathering a consensus on a variety of
> disparate issues (color, theme, logo, style, directory structure, now CVS)
> from a set of developers, and misc contributors of varying techinical levels
> and interests.)  You have 'brought' in folks (Pim) by making them aware of
> what we are doing here.  Regular updates/notification of Sourceforge issues.
> Prompting for standards in Documentation, etc.
> 
> This is a synopsis.
> 
> I've been on paying contracts that were not as well managed/coordinated.
> This is something that you can probably add to your resume in some fashion.
> Heck, I'll give you a reference letter if you want.  :)
> 
> --
> Steven Peck   [EMAIL PROTECTED]
> http://leaf.blkmtn.org
> 
> -Original Message-
> From: David Douthitt
> To: [EMAIL PROTECTED]
> Sent: 3/30/2001 7:50 AM
> Subject: Re: [Leaf-devel] Packages in PatchManager & CVS
> 
> Mike Noyes wrote:
> > 
> > David Douthitt, 2001-03-30 09:23 -0600
> 
> > I'm a barely
> > functional admin for this project.
> 
> I disagree vehemently!  This project has better documentation than
> I've seen almost anywhere else on Sourceforge; the PHPWebSite is
> phenomonal.
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] grep options

[Scott C. Best]

David:

Hey, you win. The "sed '/regexp/d' file" works
well. Thanks! Learn something new every day...

Of who made this decision to handicap grep in
LRP...it reminds me of the axiom "when the only tool 
you have is a hammer, you treat every problem like a 
nail". Heh.
Back to re-writing my scripts now...

-Scott  

On Fri, 30 Mar 2001, David Douthitt wrote:

> "Scott C. Best" wrote:
> 
> > [...] what would be the
> > equiv of, say: "grep -v -i FOO /etc/passwd" ?
> 
> sed '/[Ff][Oo][Oo]/d' /etc/passwd


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] grep options

[Scott C. Best]

Pi:
Woof!
That's terribly annoying.
So...forgive my non-sed'ness, but what would be the
equiv of, say: "grep -v -i FOO /etc/passwd" ?
Thanks again

-Scott, thinking about grep.lrp...

On Fri, 30 Mar 2001, Pim van Riezen wrote:

> On Fri, 30 Mar 2001, Scott C. Best wrote:
> 
> >
> > Am having trouble with normal grep options in
> > eigerstein 2.2.16. Anyone else seen this? Getting error
> > messages like "sed: can't read foo..." for simple
> > things like:
> > grep -v foo /etc/passwd
> >
> > Huh? sed with greap? Any thoughts on this? TIA!
> 
> grep -v didn't even work in the old LRP2.9.8 release. Always had to hack
> around it by using sed -e "s/foo//" instead of grep -v "foo".
> 
> Pi
> 
> 
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

[Leaf-devel] grep options

[Scott C. Best]

Am having trouble with normal grep options in
eigerstein 2.2.16. Anyone else seen this? Getting error
messages like "sed: can't read foo..." for simple
things like:
grep -v foo /etc/passwd

Huh? sed with greap? Any thoughts on this? TIA!

-Scott






___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

Re: [Leaf-devel] Different topic....

[Scott C. Best]

David:
No kidding. That one came out of my WayBack machine...

-Scott

On Mon, 26 Mar 2001, David Douthitt wrote:

> Scott C. Best wrote (about):
> 
> > AT&T-NorthPoint To Curtail Service
> > 
> > By BRUCE MEYERSON
> > AP Business Writer
> > NEW YORK (AP) via NewsEdge Corporation  -
> 
> > Public Access Networks Corp., a New York-based Internet services
> > provider also known as Panix, [...]
> 
> Now there's a name I haven't heard in a *VERY* long time.  Would they be
> classified as one of the nations oldest ISPs?  Or would that be the
> Well? ...
> 
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 


___
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel