Re: [leaf-user] Shorewall Rules and TightVNC
Darcy Parker [EMAIL PROTECTED] wrote:

> Good day all,
>
> I am using Leaf Bering (latest ver) and currently have my shorewall rules to allow a TightVNC connection only from a fixed IP address at work.
>
> # DNAT to allow TightVNC from Work Only
> #
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5800    tcp    http
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5800    tcp    5800
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5900    tcp    http
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5900    tcp    5900
>
> As I am going to be travelling with my laptop, I am wondering if there is a way to configure the rules to allow a TightVNC connection from a specific MAC address as I will not know what my net IP address will be while I am away. If not from a specific MAC address, then is there another way?

You can't filter on the MAC address because the source and destination MAC addresses are changed by every router (this is layer 2). Only the source and destination IP addresses (layer 3) stay the same.

Using it the way you do is insecure anyway! But I think you know it already! :)

I would suggest using ssh and port forwarding. You can allow login with private key only, which seems to be very secure and then you can tunnel your http and vnc over the encrypted ssh session.

Cu

--
written with FeLaMiMail

---
This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com.
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] boot floppy to boot Bering cdrom
As far as I know, you can't. But you can always make an ISO image yourself, which contains those settings. Do a search on building an ISO in the archives of this list, it has been discussed many times.

-----Original Message-----
From: wing newton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 10 June 2003 23:52
To: Stefaan Van Dooren; [EMAIL PROTECTED]
Subject: RE: [leaf-user] boot floppy to boot Bering cdrom

Smart BootManager works but I have one of those Sony VAIO laptops which does the random shutdown. I have to issue append=apm=off no-hlt.. to make it work. Can I do it with Smart BootManager? It does not seem to have syslinux.cfg in the Smart BootManager floppy. I need to add apm=off no-hlt before it starts to boot the ISO from the CD.

Many thanks.
Newton

--- Stefaan Van Dooren [EMAIL PROTECTED] wrote:

> Or you can just install Smart BootManager on a floppy, boot the floppy and redirect the boot process to your CD
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erich Titl
> Sent: Tuesday, 10 June 2003 9:03
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] boot floppy to boot Bering cdrom
>
> Hi
>
> At 17:00 09.06.2003 -0700, you wrote:
>> Greetings,
>>
>> I don't have space on a single floppy for all the packages. So, I create a bootable ISO Bering CD but my pc does not support CDROM boot. Is there a floppy image available to just allow me to boot up from the floppy which then in turn to boot up the Bering ISO from the cdrom ?
>
> Basically all you have to do is to include the ide and cdrom modules in /boot/modules and /boot/etc/modules as specified in the Bering docs. You can start with a stock bering floppy, strip it down to the barest minimum and add the modules, then save initrd back to floppy, configure syslinux.conf to load the packages from the appropriate media and you are done.
>
> HTH
> Erich
>
> THINK
> Püntenstrasse 39
> 8143 Stallikon
> mailto:[EMAIL PROTECTED]
> PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] problems with idt77105.o
Hi everyone!

As I was told in this mailing list, I have downloaded the module idt77105.o to install with other module nicstar.o to get my atm nic ForeRunnerLE 25Mbps work under bering.

I went to http://leaf.sf.net/devel/jnilo/bering/latest/modules/2.4.20/modules.dep to check the module dependences and I did not find a dependence with idt77105.o but when I try to install this module before I install nicstar.o I get this error:

insmod idt77105.o
Using idt77105.o
insmod: unresolved symbol gr_is_capable

so if later I do insmod nicstar.o it tells me that idt7105.o doesn't work, of course.

Any ideas about what happens here? I will be more than glad if you can tell me something that can help me out.

Thanks
RE: [leaf-user] boot floppy to boot Bering cdrom
Hi

At 09:13 11.06.2003 +0200, you wrote:

> As far as I know, you can't. But you can always make an ISO image yourself, which contains those settings. Do a search on building an ISO in the archives of this list, it has been discussed many times.
>
> -----Original Message-----
> From: wing newton [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 10 June 2003 23:52
> To: Stefaan Van Dooren; [EMAIL PROTECTED]
> Subject: RE: [leaf-user] boot floppy to boot Bering cdrom
>
> Smart BootManager works but I have one of those Sony VAIO laptops which does the random shutdown. I have to issue append=apm=off no-hlt.. to make it work. Can I do it with Smart BootManager? It does not seem to have syslinux.cfg in the Smart BootManager floppy. I need to add apm=off no-hlt before it starts to boot the ISO from the CD.

Why is this so, could you not put it in the isolinux.cfg file when building the CD?

cheers
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] Proper VLAN Configuration after reboot
I had some problems figuring out how to get VLANs configured thru a reboot. After reading thru the archive I saw a few different options - one of which was a modified vlan config file in /etc/network/if-pre-up.d.

Just so everyone knows, you don't need to change anything, you just have to specify the VLAN-RAW-DEVICE in /etc/network/interfaces. For example,

# May not need this
auto eth1
iface eth1 inet static
    address 0.0.0.0
    masklen 0
    broadcast 0.0.0.0

auto eth1.25
iface eth1.25 inet static
    vlan-raw-device eth1
    address 10.10.10.1
    masklen 24
    broadcast 10.10.10.255

Works Great! Could somebody please add this to the FAQ or add a note in the vlan file, because it really isn't immediately obvious..
Re: [leaf-user] Documentation link on LEAF site not working
On Tue, 2003-06-10 at 20:26, Peter Nosko wrote:

> pn] From http://leaf.sourceforge.net, I clicked Web Links under the main menu, then Linux Documentation, then the The Linux Network Administrator's Guide, Second Edition link. It isn't working.

Peter,

That's because The Linux Documentation Project moved from linuxdoc.org to tldp.org. Our website is scheduled for a major overhaul. In the meantime the new url to NAG 2 is:

http://tldp.org/LDP/nag2/

--
Mike Noyes mhnoyes at users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
Re: [leaf-user] problems with idt77105.o
Jose Luis Abuelo Sebio wrote:

> to check the module dependences and I did not find a dependence with idt77105.o

8-) That does not mean there is none..

> but when I try to install this module before I install nicstar.o I get this error:
>
> insmod idt77105.o
> Using idt77105.o
> insmod: unresolved symbol gr_is_capable
>
> so if later I do insmod nicstar.o it tells me that idt7105.o doesn't work, of course.

Two things:

Are you sure that nicstar.o is the correct module for your card?

gr_is_capable is from GRE?? Do you need ip_gre.o first?

/steve
Re: [leaf-user] problems with idt77105.o
On Wednesday 11 June 2003 13:30, Jose Luis Abuelo Sebio wrote:

> Hi everyone!
>
> As I was told in this mailing list, I have downloaded the module idt77105.o to install with other module nicstar.o to get my atm nic ForeRunnerLE 25Mbps work under bering.
>
> I went to http://leaf.sf.net/devel/jnilo/bering/latest/modules/2.4.20/modules.dep to check the module dependences and I did not find a dependence with idt77105.o but when I try to install this module before I install nicstar.o I get this error:
>
> insmod idt77105.o
> Using idt77105.o
> insmod: unresolved symbol gr_is_capable

It looks like an incompatibility problem with the grsecurity patch. The only way to check would be to recompile the kernel with grsecurity disabled.

Jacques
Re: [leaf-user] Shorewall Rules and TightVNC
Darcy Parker wrote:

> Good day all,
>
> I am using Leaf Bering (latest ver) and currently have my shorewall rules to allow a TightVNC connection only from a fixed IP address at work.
>
> # DNAT to allow TightVNC from Work Only
> #
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5800    tcp    http
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5800    tcp    5800
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5900    tcp    http
> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5900    tcp    5900
>
> As I am going to be travelling with my laptop, I am wondering if there is a way to configure the rules to allow a TightVNC connection from a specific MAC address as I will not know what my net IP address will be while I am away. If not from a specific MAC address, then is there another way?
>
> Best Regards,
> Darcy

Darcy,

I would also suggest the same option Lars proposed, use ssh and port forwarding with ssh acting as the tunnel. Some of the advantages are disabling passwords and using RSAauthentication which can be configured in your sshd_config file, averting the password cracking problem. A properly configured sshd_config file is a powerful complement for your security setup. Another advantage is that you will only be using the ssh port for the connection, instead of opening the standard vnc 5800,5900 ports..and you can use the compression option as well. There's a pretty good tutorial at the realvnc site on how to go about it:

http://www.uk.research.att.com/vnc/sshvnc.html

Regards,
--
Patrick Benson
Stockholm, Sweden
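Added example, not part of the original messages or of any LEAF or OpenSSH code: a small POSIX shell audit that checks whether an sshd_config really enforces the key-only login recommended in this thread before port 22 replaces the DNAT rules for 5800/5900. The function names and both sample files are constructed for illustration; the script assumes whitespace-separated "Keyword value" lines, reads only the global section (it stops at the first Match line) and does not follow Include directives.

```shell
#!/bin/sh
# effective_value FILE KEYWORD_REGEX DEFAULT
# Prints the value sshd would apply in the global section of FILE.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and global settings end at the first Match line.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = "^(" tolower(key) ")$" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }          # Match blocks are not global
        tolower($1) ~ key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_key_only FILE
# Prints "Keyword=value(want X)" for every setting that still permits a
# password-style login; returns 0 only when there is no such finding.
audit_key_only() {
    findings=""
    # keyword (or alias list) : OpenSSH default : value needed for key-only
    for spec in \
        "PasswordAuthentication:yes:no" \
        "KbdInteractiveAuthentication|ChallengeResponseAuthentication:yes:no" \
        "PubkeyAuthentication:yes:yes" \
        "PermitEmptyPasswords:no:no"
    do
        key=${spec%%:*}; rest=${spec#*:}
        def=${rest%%:*}; want=${rest#*:}
        name=${key%%\|*}                         # first alias, for reporting
        got=$(effective_value "$1" "$key" "$def")
        [ "$got" = "$want" ] || findings="$findings$name=$got(want $want) "
    done
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Constructed sample: the later "no" does not undo the first "yes", and
# keyboard-interactive login is left at its default.
cat > "$SAMPLES/weak" <<'EOF'
# sshd_config (constructed)
PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication no
EOF

# Constructed sample: key-only login for the tunnel host.
cat > "$SAMPLES/hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
EOF

for f in "$SAMPLES/weak" "$SAMPLES/hardened"; do
    if out=$(audit_key_only "$f"); then
        echo "${f##*/}: key-only login enforced"
    else
        echo "${f##*/}: $out"
    fi
done
```

With a clean audit, the VNC session from the thread can ride the tunnel with ssh -L 5900:192.168.1.100:5900 user@firewall (user@firewall is a placeholder) and the viewer pointed at localhost. On a live system, sshd -T prints the configuration the daemon actually resolved, including Match and Include handling that this sketch leaves out.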
Re: [leaf-user] problems with idt77105.o
I was thinking about this, and.. maybe the problem is because I am using bering rc3 (without grsecurity) and I would need to use rc4. If so, where can I find the image files of Bering rc4 patched with grsecurity?

Thanks

--- Jacques Nilo [EMAIL PROTECTED] wrote:

> On Wednesday 11 June 2003 13:30, Jose Luis Abuelo Sebio wrote:
>> Hi everyone!
>>
>> As I was told in this mailing list, I have downloaded the module idt77105.o to install with other module nicstar.o to get my atm nic ForeRunnerLE 25Mbps work under bering.
>>
>> I went to http://leaf.sf.net/devel/jnilo/bering/latest/modules/2.4.20/modules.dep to check the module dependences and I did not find a dependence with idt77105.o but when I try to install this module before I install nicstar.o I get this error:
>>
>> insmod idt77105.o
>> Using idt77105.o
>> insmod: unresolved symbol gr_is_capable
>
> It looks like an incompatibility problem with the grsecurity patch. The only way to check would be to recompile the kernel with grsecurity disabled.
>
> Jacques
[leaf-user] bridge and htb
Hi

It seems like I'm trying to do the impossible. I have Bering [1.1] running the Bridge module. I've also managed to get htb-qos module working - minimal testing, but I can QOS and share BW courtesy a slightly touched up Wonder Shaper. eth0 is the interface I'm QOSing - outbound interface.

It seems that when I really start pushing traffic thru it [the bridge], toward eth1, that eth1 will die. ( 1Mbit/s TCP) If I bring the eth1 interface down and back up and Stop and restart Shorewall (runs the Wonder Shaper script) that it will go again for a short time.

I've also tried just using the bridge alone and get a stalled interface after some time this way too - I don't think it has anything to do with htb. IP addr shows the interfaces promisq, and up - even when it dies.

Any ideas on how to troubleshoot this?

Thanks,
Mike Schurman
Re: [leaf-user] bridge and htb
On Wed, 11 Jun 2003 20:33:34 -0500, Mike Schurman [EMAIL PROTECTED] wrote:

> If I bring the eth1 interface down and back up and Stop and restart Shorewall (runs the Wonder Shaper script)

Shorewall is completely incompatible with bridging...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ [EMAIL PROTECTED]
RE: [leaf-user] Errors--Route through eth0?
Richard:

I'll be glad to share what I learn as I go, and I planned on sending lessons-learned back to the list / primary producers of LEAF.

You pointed me in the right track, but it turned out the 3c589_cs CANNOT be called from within the /etc/modules. Instead, the 3c589 driver needs to be moved to the /lib/modules/pcmcia, then the pcmcia package backed up. Upon load, the OS automatically loads these modules, in module-dependent order.

That got eth0 working, at least from the firewall's view. I'm still checking the eth0 service to make sure I understand what's available / works there.

Best wishes,

-----Original Message-----
From: Richard Doyle [SMTP:[EMAIL PROTECTED]
Sent: Monday, 09 June, 2003 21:03
To: '[EMAIL PROTECTED]'
Subject: Re: [leaf-user] Errors--Route through eth0?

On Mon, 2003-06-09 at 19:19, Greg Playle wrote:

> My thanks to Tom Eastep and Ray Olszewski, who pointed out some information that would help.
>
> I'm working on LEAF Bering 1.2, using a PPP serial modem (as ppp0) and a PCMCIA NIC as eth0 for the internal network. The host is a Toshiba Satellite Pro 460CDX laptop (recycled). The NIC is an older 3Com EtherLink III 3C589D based card (recycled).
>
> At boot, the firewall gives an error message of:
> Masquerade: Error: Unable to determine the routes through eth0

snip

> # /etc/modules: kernel modules to load at boot time.
> # ISA ethernet cards
> # PCI ethernet cards
> # should the 3c589_cs.o be declared here? -

Yes. You can insert the module on a running system with insmod 3c589_cs

I'm very interested in your progress on this project, as I'm about to try something rather similar in the next few weeks. Good luck!
Re: [leaf-user] Shorewall Rules and TightVNC
> Message: 1
> Date: Wed, 11 Jun 2003 23:26:16 +0200
> From: Patrick Benson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Shorewall Rules and TightVNC
>
> Darcy Parker wrote:
>
>> Good day all,
>>
>> I am using Leaf Bering (latest ver) and currently have my shorewall rules to allow a TightVNC connection only from a fixed IP address at work.
>>
>> # DNAT to allow TightVNC from Work Only
>> #
>> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5800    tcp    http
>> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5800    tcp    5800
>> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5900    tcp    http
>> DNAT    net:xxx.xxx.xxx.xxx    192.168.1.100:5900    tcp    5900
>>
>> As I am going to be travelling with my laptop, I am wondering if there is a way to configure the rules to allow a TightVNC connection from a specific MAC address as I will not know what my net IP address will be while I am away. If not from a specific MAC address, then is there another way?
>>
>> Best Regards,
>> Darcy
>
> Darcy,
>
> I would also suggest the same option Lars proposed, use ssh and port forwarding with ssh acting as the tunnel. Some of the advantages are disabling passwords and using RSAauthentication which can be configured in your sshd_config file, averting the password cracking problem. A properly configured sshd_config file is a powerful complement for your security setup. Another advantage is that you will only be using the ssh port for the connection, instead of opening the standard vnc 5800,5900 ports..and you can use the compression option as well. There's a pretty good tutorial at the realvnc site on how to go about it:
>
> http://www.uk.research.att.com/vnc/sshvnc.html
>
> Regards,
> --
> Patrick Benson
> Stockholm, Sweden

Patrick and Lars,

Thanks for the suggestions and the links. I only have two days to get this up and running so I hope I don't run into trouble.

Darcy
[leaf-user] Pump renewing lease too quickly and filling the log
Folks,

I am a newbie, be gentle with me.

My Configuration is :-
DLink DSL-300+ ADSL modem
Bering 1.2

My situation is as follows:-
The modem manages a pppoa connection with my ISP. Bering uses pump to communicate with the modem. In general terms, this setup is working and I have full access to the internet from the machines on the internal network and from the LRP box.

The problem is two-fold in that my daemon.log file is growing at an alarming rate with messages from the pump daemon. The first reason that this is causing a problem is that each lease renewal is causing 25 to 30 lines to be written in the log. The second reason that this is causing a problem is that for some reason pump renewal is firing every 45 seconds or so.

What I would like to achieve is set a more realistic lease renewal period than 45 seconds and secondly reduce the number of lines that pump writes to the log when it does renew.

I have tried entering the command pump -I eth0 -l 10 at the command line which I thought should set the lease time to 10 hours. It appears to have no effect. My pump.conf and pump.shorewall files have not been changed from the standard files distributed with Bering 1.2

This has led me to conclude that the dlink adsl modem is controlling the lease time and I would need to reconfigure it to fix the first part of my problem. Is that a reasonable conclusion? Any suggestions?

David Jardine