Re: [leaf-user] trying to get ipsec VPN working

2004-06-04 Thread Charles Steinkuehler
Jim Walters wrote:
Hi All,
I have been a happy LRP and LEAF user for a number of years now.  Thanks for
all the great work!  I started messing with LRP for fun and began production
use at some offices with LRP 2.9.4.  The offices have been updated over the
years, moving up through Dachstein and Eiger and using Bering most recently.
Fantastic stuff that just works!  My best uptime so far has been about 380
days!  Nice!  Anyway, I've been recently asked to provide some VPN
functionality at a couple of offices that are running Bering.  I've done a
bit of research and spent a bit of time trying to get a working setup on the
bench.  I can't seem to get past a couple of hitches and it is time to ask
the community for a bit of help.  I'm certain that it is my inexperience
with IPSec that is causing the problems, so hopefully it will be a quick bit
of advice that will put me back on track.
At this point, I have eliminated all of the errors that displayed on the
console during the startup phase.  When I try to start the VPN connection
from the command line with ipsec auto --up vpn_jim (vpn_jim is the name of
my vpn tunnel, I think), I get "whack: Pluto is not running (no
/var/run/pluto.ctl)" as the response.  I get that message for most anything
that I type that starts with ipsec.  When I look in /var/log/daemon.log, I
can see a line that says ipsec__plutorun: !pluto failure: exited with error
status 1.  When I look in /var/log/auth.log, I can see a line that says
pluto[31029]: FATAL ERROR: unable to malloc 0 bytes for cert.  The few
previous lines mentioned loading the cacert file and the crl file.  There is
nothing in the process list about pluto, so I think it's dead.
Anybody got any suggestions?
Stupid question #1:
Did you start IPSec at startup (or manually)?  Try running:
  svi ipsec start
Stupid question #2:
If you did try starting pluto and it crashed, have you tried using a 
simpler auth method?  I suggest getting things going with 
pre-shared-secrets, then migrating to RSA keys or certs once things are 
working...there's enough complexity in IPSec by itself, adding cert 
issues on top of it can be daunting for a first go-round.

Stupid question #3:
It looks like you're using plain RSA keys.  I don't know if the 
Cert-patched version of ipsec that comes with Bering-uClibc supports 
this, or if it only likes full-blown certificates.  I use RSA keys (w/o 
using certs) on Bering (normal, not uClibc), and it happily 
interoperates with my Dachstein routers still in production (which don't 
understand certs anyway).

NOTE:  It is *REALLY* easy to malform your ipsec secrets file (it's got 
an odd syntax, and ipsec is very picky), which can cause no end of 
'what-now..it should work' type problems.  Be careful when editing, read 
through the manpages (find online), and try to follow some examples 
verbatim for your first tunnel(s).  A misplaced (or missing) space or 
tab can do you in...

--
Charles Steinkuehler
[EMAIL PROTECTED]

---
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Bering 1.2 backup destination problem

2004-05-26 Thread Charles Steinkuehler
Tibbs, Richard wrote:
Dear list:
I am following the Bering user guide through the process to create a
bering CD --
I have a successful Bering 1680k floppy working on the machine.
To get the .lrp's onto a 1440 floppy, I am using the backup destination
facility, i.e.,
Take out Bering boot floppy, insert a 1440kb floppy.
lrcfg
b) backup a package
Then for each package etc, shorwall, etc. I change the destination to
fd0, msdos by typing 
d 3 (for etc) and selecting the appropriate options, then
b 3  

This works for the first package backed up -- but upon backing up a
second package
i.e. d 5  (select fd0)
Then b 5  results in the message cant mount backup device.  

I have tried to umount the floppy, but it is not mounted (getting out of
lrcfg, then going back into lrcfg).
Forever, any further backups to fd0 fail with the above message until
reboot from the Bering (fd0u1680) floppy. 

Any idea what to do?  I can reboot between each package, but it is a bit
tedious.
I suspect you're having consistency problems going between 1680K and 
1440K disks.  Note that /dev/fd0 *should* be 1440K, but I believe the 
default bering floppy backup target is actually /dev/fd0u1680, which is 
a 1680K formatted disk.

I suggest adding a 1440K backup target by running the following at the 
command line:

  echo /dev/fd0u1440 >> /var/lib/lrpkg/pkgpath.disks
Then you can change the backup target for all packages (d e) to the 
1440K disk (probably choice #3).  You can also try backing up everything 
at once (b e), but I prefer to do backups one at a time.

Note:  You can also just copy the LRP's from one disk to another:
  # mount bering 1680 disk
  mount -t msdos /dev/fd0u1680 /mnt
  # copy files to /tmp
  cp /mnt/*.lrp /tmp
  # unmount disk
  umount /mnt
  # mount 1440K disk
  mount -t msdos /dev/fd0u1440 /mnt
  # copy files from /tmp
  cp /tmp/*.lrp /mnt
  # unmount disk
  umount /mnt
HTH...
--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] Bering Serial port problem on IBM Aptiva

2004-05-26 Thread Charles Steinkuehler
Dr. Richard W. Tibbs wrote:
Yes, I know you will say what are you doing running Bering 1.2 on an Aptiva?
The Aptiva 2176/C66 is a Pentium 1 66Mhz with 16Mb ram...
It is one the many otherwise useless machines I have at home.
Bering 1.2 floppy is working fine otherwise, but I wanted to connect one of my PC hosts
in through the Aptiva's serial port.
When Bering boots I see the message TTYS01 is a 16550A
The line I use in etc/inittab is
T1:23:respawn:/sbin/getty/ -L ttyS01 19200 vt100
But, a few minutes after boot I get the message on the firewall console
INIT: id T1 spawning too fast: disabled for 5 minutes.
Hyperterminal never says it is connected, but there is no response.
I have googled for IBM Aptiva 2176 C66 serial port and found some radio shack web page 
with the specs
Tried also using ttyS0 and ttyS1 since the aptiva supposedly has two serial ports (one 
might have been the modem)
But no luck with any of the ttyS01, S0 or S1 designations.
Instead of:
T1:23:respawn:/sbin/getty/ -L ttyS01 19200 vt100
Try w/o the trailing slash and with the proper parameter order:
T1:23:respawn:/sbin/getty -L 19200 ttyS0 vt100
For additional debugging, you can try running the init entry directly 
from the command line.  If you're having 'respawning' problems, there's 
almost certainly something wrong with your command syntax, which is 
causing an immediate abort.  When run directly from the command prompt, 
you'll typically get a helpful error message that's lost when running 
from init.

Note that Bering uses getty from tinylogin, rather than the gnu getty, 
so there might be some differences in how it operates.

--
Charles Steinkuehler
[EMAIL PROTECTED]
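A small lint for inittab entries, added here as an example (it is not from the post or from Bering): it parses id:runlevels:action:process and catches the two defects in the original line, the trailing slash on /sbin/getty/ and a tty name with no device node, before init has a chance to report "spawning too fast". The staging tree it builds is constructed for the demo; pass "" as ROOT to check the live system.

```shell
#!/bin/sh
# Added example, not code from the list post. Lints inittab entries
# (id:runlevels:action:process). ROOT is a prefix applied to every path
# so the checks can run against a staging tree; "" means the live system.

check_inittab_line() {
    root=$1
    line=$2
    case $line in
        *:*:*:*) ;;
        *) echo "malformed (need id:runlevels:action:process): $line"; return 1 ;;
    esac
    id=${line%%:*};        rest=${line#*:}
    runlevels=${rest%%:*}; rest=${rest#*:}
    action=${rest%%:*};    process=${rest#*:}
    [ -n "$id" ] || { echo "empty id: $line"; return 1; }
    case $action in
        respawn|wait|once|sysinit|askfirst|ctrlaltdel|shutdown|restart) ;;
        *) echo "unknown action '$action': $line"; return 1 ;;
    esac
    set -- $process                 # word-split the command line
    prog=$1
    # "test -x" fails on /sbin/getty/ (a regular file with a trailing slash),
    # which is exactly why init could never start it.
    [ -n "$prog" ] && [ -x "$root$prog" ] || { echo "not executable: $prog"; return 1; }
    case ${prog##*/} in
        getty)
            # Every ttyXX argument must name an existing node under /dev:
            # ttyS01 from the question does not exist, ttyS0 does.
            for arg in "$@"; do
                case $arg in
                    tty*) [ -e "$root/dev/$arg" ] || { echo "no such device: /dev/$arg"; return 1; } ;;
                esac
            done ;;
    esac
    echo "ok: $id -> $prog"
    return 0
}

# Constructed staging tree standing in for the router's filesystem: a fake
# /sbin/getty and plain files in place of the /dev/ttyS0 and /dev/ttyS1 nodes.
make_staging_root() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/dev"
    printf '#!/bin/sh\n' > "$root/sbin/getty"
    chmod +x "$root/sbin/getty"
    : > "$root/dev/ttyS0"
    : > "$root/dev/ttyS1"
    echo "$root"
}

# Stand-alone run ("sh lint-inittab.sh demo"): the broken line from the
# question, then the corrected one from the reply.
if [ "${1:-}" = "demo" ]; then
    R=$(make_staging_root)
    check_inittab_line "$R" "T1:23:respawn:/sbin/getty/ -L ttyS01 19200 vt100"
    check_inittab_line "$R" "T1:23:respawn:/sbin/getty -L 19200 ttyS0 vt100"
    rm -rf "$R"
fi
```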



[leaf-user] Bering + Shorewall + ProxyARP + Advanced Routing

2004-05-25 Thread Charles Steinkuehler
Anyone out there played much with advanced routing with Bering + Shorewall?
I'm looking at adding an additional internet connection (consumer-class 
cable-modem service) to get enough bandwidth to create a full mirror of 
Debian (and keep it in sync) so I can sell CD/DVD images.

Anyway, I've already got a pretty complex setup (proxy-arping a /26 IP 
range across 3 NIC's, with two additional internal private-IP 
networks).  On top of this currently working setup, I'm wanting to route 
traffic from a single system out the cable-modem, with everything else 
continuing to go out the SDSL.

If anyone has implemented anything remotely similar to this, I'd 
appreciate any pointers.

Since I doubt this is a common setup :), I'll throw out a few key 
questions someone might be able to help with:

- How does the masquerading code determine the source IP of the 
masqueraded packets?

- How do the advanced routing rules interact with the firewall rules 
(ie: order in which iptables rules are processed vs. advanced routing 
rules and routing table selection).

I think the (somewhat) easy way to do this is to add another NIC to my 
firewall and route everything from that interface out the cable-modem, 
and the (really) easy way to do this is to just build another firewall, 
but I'd really like to have the new mirror system on my internal lan if 
possible.

Thanks in advance for any help or pointers.
--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] Bering 1.2 doesn't renew dhcp leases to internal hosts.

2004-05-24 Thread Charles Steinkuehler
Dr. Richard W. Tibbs wrote:
Hello list:
I have recently converted from dachstein to Bering 1.2.  
All of my previous setup works -- I can access the net, the net can 
access my internal Mail server, etc.
But something seems to prevent dhcp from renewing leases.  
When I first brought up the bering machine with the interfaces file 
below,  one of my hosts got a lease right away, then never again.
I see no dhcpd.conf or other file or other obvious way to tell bering to 
serve dhcp to eth1.
Any ideas what is wrong?
Two suggestions:
1) It looks like bering comes with my dhcpd package, but it's not loaded 
by default.  Make sure the dhcpd package is loaded (listed in the LRP= 
part of the kernel command line in syslinux.cfg).

2) If your /var partition fills up, dhcpd will die when it tries to 
update the leases file.  Make sure you have enough free space on your 
ramdisk, and that dhcpd is still running (assuming it got loaded in the 
first place).  You can verify dhcpd is listening for connections by 
running netstat -an.  You should see a line like the following:

  udp        0      0 0.0.0.0:67              0.0.0.0:*
which indicates dhcpd is listening for clients on UDP port 67.  You can 
also run ps ax, and look for dhcpd in the process list.

Once you've verified dhcpd is running, configuration is just like 
Dachstein if you need to change the interfaces dhcpd listens to.  The 
main configuration file is /etc/dhcpd.conf, and you can specify 
particular interfaces to listen to in /etc/init.d/dhcpd (via the ifs 
variable) just like in Dachstein.

--
Charles Steinkuehler
[EMAIL PROTECTED]
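The two checks from the reply (is dhcpd bound to UDP/67, and does /var still have room for the leases file) as shell functions, added here as an example and not part of the post. They read command output on stdin, so they can be fed live "netstat -an" / "df -k" output on the router or the constructed samples below; the 256 KB threshold is an assumption.

```shell
#!/bin/sh
# Added example, not code from the list post.

# Succeeds when a UDP socket is bound to port 67 on any local address,
# i.e. the "udp ... 0.0.0.0:67 ..." line showing dhcpd is accepting clients.
dhcpd_listening() {
    awk '$1 == "udp" && $4 ~ /:67$/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Succeeds when the filesystem holding /var has at least $1 KB free
# (default 256, an assumed threshold). Uses the "/var" mount if one exists,
# otherwise "/", which is the ramdisk on a floppy-based LEAF box and the
# thing that fills up and kills dhcpd when it rewrites the leases file.
var_has_space() {
    awk -v min="${1:-256}" '
        NR > 1 && $6 == "/var"        { avail = $4; hit = 1 }
        NR > 1 && $6 == "/" && !hit   { avail = $4 }
        END { exit (avail != "" && avail + 0 >= min + 0) ? 0 : 1 }'
}

# Runs both checks over the given text and prints a one-line verdict each.
# Usage: check_dhcpd "$(netstat -an)" "$(df -k)"
check_dhcpd() {
    status=0
    if printf '%s\n' "$1" | dhcpd_listening; then
        echo "dhcpd: listening on UDP/67"
    else
        echo "dhcpd: NOT listening on UDP/67 (package not loaded, or daemon died?)"
        status=1
    fi
    if printf '%s\n' "$2" | var_has_space; then
        echo "/var: enough free space for the leases file"
    else
        echo "/var: nearly full, dhcpd will die updating the leases file"
        status=1
    fi
    return $status
}

# Constructed samples (not captured from a real router).
NETSTAT_UP='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'
NETSTAT_DOWN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'
DF_OK='Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/ram0                 8192      3100      5092  38% /'
DF_FULL='Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/ram0                 8192      8180        12 100% /'

# Stand-alone run ("sh check-dhcpd.sh demo"): healthy router, then a sick one.
if [ "${1:-}" = "demo" ]; then
    check_dhcpd "$NETSTAT_UP" "$DF_OK"
    check_dhcpd "$NETSTAT_DOWN" "$DF_FULL"
fi
```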



Re: [leaf-user] No syslinux.cfg on Bering CD?

2004-05-24 Thread Charles Steinkuehler
Tibbs, Richard wrote:
Dear list,
Now setting up a Bering CD using Charles Steinkuehler's image at
http://lrp2.steinkuehler.net/files/diskimages/Bering-CD/
This may not be the usual path, but I am trying to streamline things by
avoiding a floppy disk in the loop.  I would like to edit syslinux
config from the CD to load the appropriate lrps.
Also I would like to create my own modules.lrp, which I understand is
just a gzipped tarball.
So, two questions
1) Is there an equivalent of syslinux.cfg for the CD image? I opened
this CD image in WinImage but no syslinux.cfg
The syslinux.cfg file is 'hidden' in the boot-disk image on the CD-ROM, 
but a duplicate (bootdisk.bin) can be found in the root of the CD (just 
mount it with the -o loop option, or on 'doze, extract it and open with 
winimage).  If you *REALLY* want to modify the syslinux.cfg file on the 
CD boot image, copy all the CD files somewhere on a handy linux system, 
mount the bootdisk.bin file and edit as required, then use the mkisofs 
command (see the readme file on the CD for details) to make a new CD image.

Note that a lot of work has gone into making editing syslinux.cfg 
unnecessary, as you can now modify everything from the root ramdisk size 
to the packages loaded via settings in LEAF.CFG on a configuration disk 
(defaults to /dev/fd0).

2) Is there a good utility for creating a .lrp, apart from simply
tarring and gzipping?  Any recommended parameter settings for the tar
utility?
The lrp backup scripts are probably the best utility for handling 
package creation if you don't want to use tar and gzip at the command line.

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] BadThing: Doc links broken (404) at leaf.sourceforge.net

2004-05-05 Thread Charles Steinkuehler
Mike Noyes wrote:

[snip]
http://leaf.sourceforge.net/devel/thc/
Our lrp.c0wz.org mirror was archived and taken off-line. This was done
in preparation for our new website structure. You can download the
archived website here:
http://prdownloads.sourceforge.net/leaf/website_lrp-c0wz-com.tar.gz?download
Or you could use my mirrors of the c0wz site:
http://c0wz.steinkuehler.net/   (Slow SDSL)
http://c0wz2.steinkuehler.net/  (Fast CoLo)
Other developer websites that were also archived are available here:
http://sourceforge.net/project/showfiles.php?group_id=13751&package_id=11519&release_id=124474
My developer site is still available at:
http://lrp.steinkuehler.net/    (slow)
http://lrp2.steinkuehler.net/   (fast)
Mike:  Any interest in me keeping the rest of the developer tree online 
as a website (so folks don't have to download a huge tarball for a 
single file or two)?  I could do this pretty easily, and it shouldn't 
take any more webspace than it was taking before (when it was part of 
the SF web site I was mirroring anyway).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] LEAF article

2004-05-04 Thread Charles Steinkuehler
Peter Mueller wrote:

1. What sort of throughput, for instance, could LEAF-Bering theoretically
provide on a Pentium 100 system with edo ram and with 10/100 nics, cables,
and switch, assuming that all other systems connected have unlimited speed?
With good NICs (eepro100 etc.) and not too many iptables rules you will max
around 20mbit/sec.  A good rule of thumb is 5 cycles per megabit.  This
limit actually applies to all Linux servers, not just leaf.
I run a LEAF system (Dachstein) that routinely routes 90+ MBits/s (5 and
30 minute averages) over a 100MBit full duplex link.  The system is a
bit more powerful than what I normally use for LEAF, mainly because
that's what was onhand when the router was getting built:
360 MHz P-II
64M Ram
(2) Generic tulip 10/100 cards
100 MBit upstream link from Cogent
--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Dachstein as border_router? (public ip addresses etc)

2004-04-28 Thread Charles Steinkuehler
Craig Johnson wrote:

The only documentation I can point you to for the border_router option
is the shell-script source that builds the firewall rules.
So when you use the border_router option, what is the setting for
IPFILTER_SWITCH in network.conf?
I believe it should be set to router.  Look at the three script files 
that setup networking for full details:

/etc/network.conf
/etc/ipfilter.conf
/etc/init.d/network
Hmm...I suspect the ISP will consider anything coming down the wire to
you as bandwidth that counts towards any quota, but you'd know better
than I.
Peer networking is uncounted bandwidth for our ISP. Common with many
ADSL ISPs in Australia.
Hmm...if you're in Australia, maybe you can get Matthew Grant to comment 
on how the Border Router stuff works.  I believe he's next door over in 
New Zealand. :)

There are several ways to do what you want, all of which will generally
'break' conventional firewall setups (ie: no out-of-the box solution for
you...custom tweaking required).  The two main options are:

1) Route internal private-IP traffic from Server1 to the firewall, and
use the firewall as your IPSec gateway.

2) NAT or masquerade IPSec traffic from Server1 on the firewall.

Is there any particular reason you don't want to use the more
conventional DMZ setup?:

Internet
 |
firewall - public IP DMZ subnet - Servers
 |
private IP
internal net
The firewall can then serve as a VPN gateway for your internal network,
your servers are on a protected DMZ, and all your firewall rules are in
one place (rather than split between the firewall and Server1), for easy
maintenance.
I probably should mention that the server1 connected to internal
networks is a MS ISA server (hopefully not too much of a dirty word on
this list!), with two network cards.
 
#1 is a potential security risk, if your public IP network is running 
public servers (internal traffic is on the public IP network in the clear).
Given my internal network is separated from the public IP network by the
ISA Server box (which is on both networks), is that still a problem?
The problem is if you simply route VPN traffic from your internal 
network to the firewall via Server1, the VPN traffic will be 'in the 
clear' when it passes through your public IP perimeter network with 
the other servers.  Should any of these servers ever get compromised, it 
would be fairly easy to sniff this traffic, and with a bit of 
craftiness, pass directly through your Server1 ISA box and access most 
anything on the internal network (this is not due to the fact that it's 
a MS box, but due to the fact that Server1 is simply routing between two 
trusted networks (the internal net and the VPN), and a malicious box on 
your perimeter network can look like valid VPN traffic w/o much 
difficulty).  You'll have to decide how much of a security risk this is 
in your situation.

I still think you should just ditch the MS ISA box (or at least don't 
use it to connect the internal network), and run with a more traditional 
DMZ setup with your internal network hooked directly to the firewall. 
This easily allows your firewall to function as a VPN gateway (and as a 
possible bonus, *ALL* internet traffic from your internal net will be 
coming directly from the firewall, so might be FREE given your ISP's 
bandwidth metering policy).  Of course there could be valid reasons you 
can't do this that you haven't shared with us...I'm just going on the 
info you've provided in your emails.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Dachstein as border_router? (public ip addresses etc)

2004-04-27 Thread Charles Steinkuehler
Craig Johnson wrote:
Wondering if I can get some help?

I have a static public IP from ISP for an ADSL account (call it
addrISP). We also have our own public IP range. I want to setup an LEAF
box (eg dachstein), which holds the addrISP on one NIC, and one of our
public IP addresses on another NIC. Then it will route all traffic
through to other servers on the public IP addresses. Also there is an
internal network behind one of the other public IP addresses, with a
VPN server attached.
So, two questions:

* what is the best way/distro to setup a LEAF box as this kind of border
router? (I noticed references to border_router options on the Dachstein
network.conf documentation page, but haven't been able to find any
substantial documentation about setting one up.)
You can use Dachstein (2.2 kernel & ipchains) or Bering (2.4 kernel and 
iptables) to do this.  Bering with iptables gets you a stateful 
firewall, while Dachstein/ipchains is just a packet filtering firewall.

If you use Dachstein, you can use either the border_router options (not 
a lot of documentation as that's something inherited from Matthew 
Grant's Matterhorn image that I never messed with much), or a routed DMZ.

If you use Bering, the Shorewall configuration is really flexible and 
can easily do what you want.

* how do I also set up the LEAF box so that it can receive VPN server
requests on its IP address (addrISP), but forward those requests to be
served by another firewall server connected to the internal lan?
Why do you need to do this?  The server connected to the internal lan 
also has a public IP, doesn't it (addrPUBB in the diagram below)?  Why 
make life harder by natting only IPSec traffic from Server1, but not 
other traffic (tricky to setup and debug properly)?

Diagramatically, I guess I want something like:

[Internet]
|
  eth0 (addrISP)
|
LEAF Box
|
  eth1 (addrPUBA)
|
  -
  | | |
 (addrPUBB) (addrPUBC)   (addrPUBD)
  Server 1 (VPN etc) Server 2 Server 3
(addrPRIVA)
  |
  internal network
Should work fine...

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Dachstein as border_router? (public ip addresses etc)

2004-04-27 Thread Charles Steinkuehler
Craig Johnson wrote:

Thanks for the quick reply! Some more stuff below...

 * what is the best way/distro to setup a LEAF box as this kind of border
 router? (I noticed references to border_router options on the Dachstein
 network.conf documentation page, but haven't been able to find any
 substantial documentation about setting one up.)

You can use Dachstein (2.2 kernel & ipchains) or Bering (2.4 kernel and 
iptables) to do this.  Bering with iptables gets you a stateful 
firewall, while Dachstein/ipchains is just a packet filtering firewall.

If you use Dachstein, you can use either the border_router options (not 
a lot of documentation as that's something inherited from Matthew 
Grant's Matterhorn image that I never messed with much), or a routed DMZ.
I have tried Dachstein, and it works, but I think that was just setting
it up as a straight router, basically just forwarding everything through.
Maybe it needs to be more secure than that, I dunno. Is there any
documentation you can point me to about the 'border_router' option?
The only documentation I can point you to for the border_router option 
is the shell-script source that builds the firewall rules.

If you use Bering, the Shorewall configuration is really flexible and 
can easily do what you want.
I will have to have look into that some more.

 
 * how do I also set up the LEAF box so that it can receive VPN server
 requests on its IP address (addrISP), but forward those requests to be
 served by another firewall server connected to the internal lan?

Why do you need to do this?  The server connected to the internal lan 
also has a public IP, doesn't it (addrPUBB in the diagram below)?  Why 
make life harder by natting only IPSec traffic from Server1, but not 
other traffic (tricky to setup and debug properly)?
Basically because if they VPN through the router, and the client is with
the same ISP, it is 'free' bandwidth, and doesn't come off monthly
quotas, or get charged as access. However, if they VPN to our public
network, I'm pretty sure the ISP will think it is an external address
and count traffic toward quotas (they probably shouldn't, but that is
way it is...). Does that make sense?
Hmm...I suspect the ISP will consider anything coming down the wire to 
you as bandwidth that counts towards any quota, but you'd know better 
than I.

There are several ways to do what you want, all of which will generally 
'break' conventional firewall setups (ie: no out-of-the box solution for 
you...custom tweaking required).  The two main options are:

1) Route internal private-IP traffic from Server1 to the firewall, and 
use the firewall as your IPSec gateway.

2) NAT or masquerade IPSec traffic from Server1 on the firewall.

Is there any particular reason you don't want to use the more 
conventional DMZ setup?:

Internet
|
firewall - public IP DMZ subnet - Servers
|
private IP
internal net
The firewall can then serve as a VPN gateway for your internal network, 
your servers are on a protected DMZ, and all your firewall rules are in 
one place (rather than split between the firewall and Server1), for easy 
maintenance.

#1 is a potential security risk, if your public IP network is running 
public servers (internal traffic is on the public IP network in the clear).

#2 is pretty straight-forward if you completely masquerade server1, but 
requires a more complex setup than a DMZ style setup (one machine 
masqueraded, everything else simply routed).  If Server1 needs to run 
public services as well as IPSec, you'll have an even more complex 
setup, as you'll need to masquerade/NAT IPSec traffic from server1, but 
pass (route) other traffic.  This is possible with linux, but it's not 
done often, so you'll likely have a harder time setting it up (and 
likely with maintenance next year, when you've forgotten how everything 
worked).

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Charles Steinkuehler
Joey Officer wrote:
Dave,

Thanks for this tip, I see the biggest difference between the command you
supplied and the command I was using is the version of the SNMP
implementation.  I was under the impression that the version was v2 so I
apologize for assuming, and not trying earlier.  Fortunately, using your
step, I do begin to see data, however there are a couple of things that
concern me.  I'll post the data that I see:
[EMAIL PROTECTED] harryk]$ snmpwalk -v 1 -c public -m /usr/share/snmp/mibs/UCD-SNMP-MIB.txt firewall
1.1.0 = Linux firewall 2.4.20 #1 Sun May 11 18:53:34 CEST 2003 i586
[snip limited snmp info]

From the firewall itself, try:
  snmpwalk localhost public
This same command (with localhost replaced with the actual IP or DNS 
name of your firewall, ie: snmpwalk 192.168.1.1 public) should work on 
any other system running net-snmpd, and typically returns *PAGES* of 
information.

I get basically the same thing when I remove the -m option.  At any rate, I
see that I am at least able to pull information (some) however what I have
noticed is that I do not see any statistical information.  From what I have
read through the snmpd.conf and through the mailing list, I should be able
to use it without any major modification to the snmpd.conf file.  So I guess
my next question is, do I need to modify the snmpd.conf file in order to
retrieve eth 0/1/2 data, cpu usage, mem usage, etc... or should it work in
its default form?
I think some modifications to the configuration are required...at least 
I always modify the config when bringing a new router online (it's been 
long enough since I've done this, however, I don't remember exactly what 
if anything needs to be changed for basic functionality).

Here's my current Bering snmpd configuration (with snmp community 
changed to public), which works fine for reading interface stats, 
processor load, etc. (warning: Lines will probably wrap, but you should 
be able to figure out the proper format given the example config file):

###
#
# snmpd.conf:
#   An example configuration file for configuring the ucd-snmp snmpd agent.
#
###
#
# This file is intended to only be as a starting point.  Many more
# configuration directives exist than are mentioned in this file.  For
# full details, see the snmpd.conf(5) manual page.
#
# All lines beginning with a '#' are comments and are intended for you
# to read.  All other lines are configuration commands for the agent.
###
# Access Control
###
# As shipped, the snmpd demon will only respond to queries on the
# system mib group until this file is replaced or modified for
# security purposes.  Examples are shown below about how to increase the
# level of access.
# By far, the most common question I get about the agent is "why won't
# it work?", when really it should be "how do I configure the agent to
# allow me to access it?"
#
# By default, the agent responds to the public community for read
# only access, if run out of the box without any configuration file in
# place.  The following examples show you other ways of configuring
# the agent so that you can change the community names, and give
# yourself write access to the mib tree as well.
#
# For more information, read the FAQ as well as the snmpd.conf(5)
# manual page.

# First, map the community name "public" into a security name
#   sec.name  source  community
com2sec notConfigUser  default   public

# Second, map the security name into a group name:
#   groupName  securityModel securityName
group   notConfigGroup v1   notConfigUser
group   notConfigGroup v2c   notConfigUser

# Third, create a view for us to let the group have rights to:
#   name   incl/excl subtree mask(optional)
viewsystemview included  system

# Finally, grant the group read-only access to the systemview view.
#   group  context sec.model sec.level prefix read   write 
notif
access  notConfigGroup   any   noauthexact  systemview 
none none

everything past here is commented

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
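A small audit helper, added here and not part of Charles's config or the net-snmp package: it reads com2sec lines of the kind shown above and flags the ones that would answer any host ("default" source) or use a well-known community name. The sample lines are constructed; the hardened second line assumes 192.168.1.0/24 is the management LAN, which is not from the post.

```shell
#!/bin/sh
# Added audit helper (not from the post). Sample config lines are
# constructed: the first is the "default/public" entry from the config
# above, the second a hardened one restricting the source to an
# assumed management LAN, the third a comment that must be ignored.
SAMPLE_CONF='com2sec notConfigUser  default         public
com2sec mgmtUser       192.168.1.0/24  aL0ngRandomC0mmunity
# com2sec ignoredUser  default         public'

# audit_com2sec CONF_TEXT: print one WARN line per active com2sec directive
# whose source is "default" (any host) or whose community is a well-known
# name. Comment lines and other directives are skipped.
audit_com2sec() {
    printf '%s\n' "$1" | while read -r kw secname source community _rest; do
        [ "$kw" = com2sec ] || continue
        reason=""
        [ "$source" = default ] && reason="source 'default' accepts any host"
        case "$community" in
            public|private)
                reason="${reason:+$reason; }well-known community '$community'" ;;
        esac
        [ -n "$reason" ] || continue
        printf 'WARN: com2sec %s %s %s (%s)\n' \
            "$secname" "$source" "$community" "$reason"
    done
}

# count_warnings CONF_TEXT: number of WARN lines, usable as a pass/fail check.
count_warnings() {
    audit_com2sec "$1" | grep -c '^WARN:'
}

# Stand-alone run: list the findings for the constructed sample.
audit_com2sec "$SAMPLE_CONF"
echo "warnings: $(count_warnings "$SAMPLE_CONF")"
```

Run it against a real /etc/snmp/snmpd.conf with `audit_com2sec "$(cat /etc/snmp/snmpd.conf)"`. Restricting the com2sec source is the snmpd-side counterpart of the firewall rule Charles mentions in the other thread: both should limit SNMP to the hosts that actually poll the box.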


Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Charles Steinkuehler
NOTE: Restored leaf-user list cc:

wing newton wrote:

Charles,

Which version of Bering that you are using for this ?
Bering 1.2 ? 
Bering 1.2, with slightly customized init scripts to run off of CD-ROM 
(see the leaf-devel list archives if you're really interested in exactly 
what I changed...it doesn't affect package setup/configuration).

Where is your snmp package for this ?
I'm running with the 'split' netsnmp packages from my Dachstein-CD release:
http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/netsnmpd.lrp
http://lrp.steinkuehler.net/files/diskimages/dachstein-CD/CD-Contents/netsnmpu.lrp
Is there a snmp(mib) xml gateway available ?
???  I have no idea...I typically don't mess with the MIBs or use much 
in the way of XML.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-26 Thread Charles Steinkuehler
Joey Officer wrote:
Charles,

After using the test command, on the firewall itself, I receive the
following error:
firewall: -root-
# snmpwalk localhost public
snmpwalk: error in loading shared libraries
libsnmp-0.4.2.1.so: cannot open shared object file: No such file or
directory
lrpkg -l gives the following:
snip
netsnmpd  4.2.3      SNMP agent which binds to a port, awaits
netsnmpu  4.2.1-1-CS http://net-snmp.sourceforge.net
It looks like you're using my netsnmpu, but not my netsnmpd.  Try using 
matching netsnmpd and netsnmpu packages and you'll probably have better 
results.  From my working system:

# lrpkg -l | grep snmp
netsnmpd  4.2.1-1-CS http://net-snmp.sourceforge.net
netsnmpu  4.2.1-1-CS http://net-snmp.sourceforge.net
--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] SNMPd using Dachstien netsnmpd.lrp

2004-04-23 Thread Charles Steinkuehler
Joey Officer wrote:
I followed the threads from an archive, which ultimately died without giving
a conclusion email (perhaps I missed it) however I am looking to get the
SNMPd package working.  The thread that I found before referenced someone
using the netsnmpd.lrp file from the Dachstien CD, which I've grabbed, as
well as the libm and libdb lrp files.
I've modified the snmpd.conf file to confirm the proper community name,
however when I try an snmpwalk from another workstation on within the LAN, I
get the following:
[EMAIL PROTECTED] mrtg]$ snmpwalk -m UCD-SNMP-MIB.txt -M /usr/share/snmp/mibs
firewall public
Timeout: No Response from firewall
[EMAIL PROTECTED] mrtg]$
and additionally, when I try to walk anything, I get this:

[EMAIL PROTECTED] mrtg]$ snmpwalk firewall public
Timeout: No Response from firewall
[EMAIL PROTECTED] mrtg]$
So I'm missing something here.  Is there a step somewhere that I've missed?
And after I get this working properly, I'd like to work with someone to
build some sort of documentation to get SNMPd working on Bering.
Did you configure your firewall rules to allow SNMP traffic?

Is the snmpd service actually started (check with netstat -na, and 
verify something's listening on UDP port 161).

The configuration of snmp on any LEAF variant is pretty much identical 
to setting it up on any other linux system (with the possible exception 
of remembering to modify your firewall rules), so it's not yet been the 
subject of a LEAF-specific step-by-step howto...just refer to the 
original documentation:
http://net-snmp.sourceforge.net/#Documentation

Also, make sure you're using the newer net-snmp packages from Andrew 
Hoying (available on DachsteinCD split into server and client packages, 
or from Andrew's directory on the leaf-project site as one package) 
rather than the snmp.lrp package (based on cmu-snmp 3.6b7) which has 
some known vulnerabilities.  Of course, you shouldn't be allowing snmp 
access from untrusted IP space anyway, but it's always good to have 
defense in depth.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] IPsec between FreeS/WAN 1.91 (Dachstein) and Linksys router/Windows 2000 computer

2004-04-23 Thread Charles Steinkuehler
Timothy J. Massey wrote:
Hello!

I'm using a Dachstein firewall with FreeS/WAN 1.91.  I would like to set 
up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000 
computer behind it.

I have been unable to do either.  The router won't negotiate a tunnel 
with the LEAF firewall, and I can't seem to make the IPsec passthrough 
work, either.  The Windows 2000 computer does work if I plug it into the 
Internet directly, but not from behind the router.

Any ideas on what I could try?  Even a success story would be enough:  
it would be nice to know that it's possible.
To be clear, the problem is entirely on the Linksys end (ie: the windows 
box that works when not behind the router is behind the linksys router, 
not the Dachstein box)?

Assuming an affirmative answer to the above, you'll need to setup the 
Linksys box in a VPN pass-through mode (I'm not sure if it supports 
this), or provide some details about how you're trying to get it to 
connect to the Dachstein box.

After a quick review of the Linksys manual for your box, it looks like 
it should work fine as an IPSec gateway with Dachstein's IPSec, as long 
as you get the configuration correct.  Make sure you're selecting 3DES, 
SHA, IKE (with perfect-forward-security), and have a properly setup 
pre-shared key.

You also need to verify the basic tunnel configuration is correct (ie: 
subnet-subnet, host-host, or subnet-host) and the IP's/networks match on 
both ends.

There's probably useful information in the logs on both ends 
(web-accessible on the Linksys, and in /var/log/auth.log on the 
Dachstein box...also accessible via the web if you're running weblet).

We could probably help a lot more with some additional debugging info 
from the logs and details of your ipsec.conf from Dachstein and the 
configuration settings on the Linksys.

Also, is there a newer version of FreeS/WAN for Dachstein?  I have some 
routing issues that is making the migration to Bering difficult at the 
moment...
Not that I'm aware of...

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] IPSEC help needed....

2004-04-20 Thread Charles Steinkuehler
Kevin wrote:
I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN
software to work correctly. I do not see a module IPSEC that is loaded,
should I have one to make this work correctly?
 
Here are the modules loaded:
 
Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1
12:15:05 CST 2001

Installed Modules:
ip_masq_vdolive   1180   0 (unused)
ip_masq_user      3708   0 (unused)
ip_masq_raudio    2980   0 (unused)
ip_masq_quake     1220   0 (unused)
ip_masq_portfw    2416   0 (unused)
ip_masq_mfw       3196   0 (unused)
ip_masq_irc       1924   0
ip_masq_ftp       3576   0
ip_masq_cuseeme    964   0 (unused)
ip_masq_autofw    2476   0 (unused)
ne                6292   2
8390              6236   0 [ne]
bsd_comp          3708   0 (unused)
ppp_deflate      40672   0 (unused)
ppp              20828   2 [bsd_comp ppp_deflate]
slhc              4436   0 [ppp]

Here are the packages:
snip
This is the block that needs to pass through:

Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50
207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)
I am not sure if I need a rule set or a package loaded, any help would be
beneficial.
Actually, I think you need a rule set and a module loaded.

I'm going to work under the assumption that you need to masquerade an 
IPSec connection (ie: you're running an ipsec client on an internal 
system, rather than trying to run ipsec on the firewall itself).

To do this, you first need to make sure you're using the proper kernel. 
Masquerading ipsec and running ipsec on the firewall are mutually 
exclusive, and require different kernels.  The 'plain' kernels available 
from my site support ipsec masquerading, while kernels with -IPSec in 
the name support running ipsec directly on the firewall.  Which kernel 
flavor you want depends on your system, but you probably want either the 
'small' or 'normal' kernel:

http://lrp2.steinkuehler.net/files/kernels/Dachstein-small/
http://lrp2.steinkuehler.net/files/kernels/Dachstein-normal/
The floppy version ships with the small kernel w/o ipsec by default.

Once you have an appropriate kernel (or have verified you're running the 
linux-2.2.19-3-LEAF-small.zImage.upx kernel by filesize), you need to 
copy the ip_masq_ipsec.o masquerading 'helper' module to your modules 
directory and add it to /etc/modules.

The last thing you need to do is allow the actual IPSec traffic through 
your firewall.  This typically involves UDP port 500, and *PROTOCOL* 50 
or 51, depending on whether you're running ESP or AH.  To do this, add 
the following in /etc/network.conf

EXTERN_UDP_PORTS=0/0_500
EXTERN_PORTS=50_0/0 51_0/0
--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] dachstein vt100 emulation

2004-04-20 Thread Charles Steinkuehler
Arnold Wiegert wrote:
Hi all

I'm still running Dachstein, but would like to use a serial line to 
access the 'box' from a Windows machine.

Since I haven't found a good  free VT100 emulation program, I've used 
and older modem program which does a pretty good job, except for the 
page up and down keys.

They work well enough in the editor at the console but not in the editor 
when run on a serial link.

What am I missing?
If you're only having problems in the e3 editor provided with Dachstein, 
you might consider using a different editor.  While e3 is tiny, IIRC 
it's written in assembly so it wouldn't necessarily work properly with 
terminal settings (which tend to be a linked C library thing).

If you're having problems outside of the editor as well, make sure your 
TERM variable is set correctly.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] IPSEC help needed....

2004-04-20 Thread Charles Steinkuehler
Kevin wrote:

Thanks Charles - yes I just need to allow the passthrough of the IPSEC
protocol for everything to work. I will update the firewall like below and
bring the laptop home tomorrow to try it out. The IT guys do not understand
my router and all they have troubleshooting guides for are the commercial
routers for consumers 

I will try the rules first, then the kernel and module.

As Matt stated, I will also search the HOWTO's and ask the IT guys what type
of connection this is if I need more help.
You'll need the rules and the module.  You won't need to mess with the 
kernel if you're running Dachstein from floppy.  If you're running off 
of CD, the default kernel is configured to run IPSec on the firewall so 
it won't work w/o changing the kernel (kind of hard on the CD-ROM, but 
you could install to a HDD or similar).

Post to the list if you need further help.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] LEAF Theory of Operation

2004-04-15 Thread Charles Steinkuehler
jeremy rubia wrote:
Hi Larry,

Actually I'm talking about the Bering version.  In the LEAF
homepage documentation there is a link there that says
something like this:
lrp.c0wz.com - this is a mirror of one of the best
sources of LRP information on the net.
But it was a dead link already.  I believed that it would
point me to the right docs I need.  I have also googled
on this topic but to no avail.
The c0wz site is quite dated at this point, but I've still got a mirror 
running:
http://c0wz2.steinkuehler.net/

By the way, what I need to know is how LEAF Bering
starts from booting up, how it manages to use
RAM instead of the physical storage media, and what
happens when I back up lrp packages.  I have actually
used Bering LEAF but don't have a firm understanding of
how it works behind the scenes, and that's what I want
to know.
Basically, at startup a ramdisk is created and populated with the 
contents of all the *.lrp packages (which are simply tar.gz files) 
configured to load via the LRP= kernel command line (or one of the more 
recent enhancements, like the lrpkg.cfg file).

When you backup a package, the backup scripts simply make a tar.gz file 
of all files that belong in a particular package.

Some details of package creation can be found on the LEAF site in the SF 
Document Manager:
http://sourceforge.net/docman/?group_id=13751

See particularly How do I create packages? and LRP packaging details 
and limitations (in section 13).

Your real source for information, however, is the source code.  Both the 
packaging and the initial system generation are done by simple shell 
scripts, so just open an editor and follow along until you understand as 
much as you want.  The initial system configuration is done by /linuxrc, 
and the backup scripts are in /usr/sbin, along with the rest of the 
lrcfg menu scripts.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Probably OT: Cisco VPN Passthrough Bering 1.2

2004-04-15 Thread Charles Steinkuehler
James Neave wrote:
snip
Now, this is why it is probably OT.
It work fine on Win2K SP1 boxes
It does NOT work on Win2K SP4 and WinXP SP1
So currently it seems to be a Windows problem, not a LEAF problem.
snip
16 11:24:34.954  04/15/04  Sev=Warning/3  IKE/0xE356
The received HASH payload cannot be verified
17 11:24:34.954  04/15/04  Sev=Warning/2  IKE/0xE37D
Hash verification failed... may be configured with invalid group
password.
This looks to be why it died.  I'm not familiar with the Cisco products, 
so can't provide much detailed help, but have you verified all boxes are 
using appropriate credentials (or group password, whatever that is in 
Cisco parlance)?

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Charles Steinkuehler
Roger E McClurg wrote:
Charles,

I did the test with the converted Bering-Contivity yesterday. I ran the 
VPN as AES then changed to 3DES and ran it again. AES was 6% slower. Any 
ideas why this would be the case?
I'd have to look at the code...I'm somewhat familiar with the 'stock' 
FreeS/WAN stuff, but haven't checked out the algorithm patch that adds 
the additional encryption options to SuperFreeS/WAN.

The only thing that comes immediately to mind is optimization.  3DES 
performs so pitifully that most architectures have hand-optimized 
assembler stubs for the 'guts' of the encryption routine.  If the AES 
routines are generic C code, it would likely explain the performance 
difference.

--
Charles Steinkuehler
[EMAIL PROTECTED]


[leaf-user] Re: Thanks

2004-04-15 Thread Charles Steinkuehler
Roger E McClurg wrote:

Charles,

I never got around to thanking you for your help over the years, and for 
your contribution to LEAF. I cut my teeth on Dachstein and Eigerstein. I 
used them on a quite a few different platforms, and I learned a lot along 
the way. I appreciate everything you have done, and thought it was high 
time I said so.
I appreciate the feedback, and am glad you found Dachstein and 
Eigerstein useful!

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-15 Thread Charles Steinkuehler
Troy Aden wrote:
snip
I have a question of my own for the list. :)

Can you have multiple rightsubnet= or leftsubnet= in your ipsec config for a
single connection? I want to connect two networks that have multiple
subnets. Thus far I have gotten away with just putting entries like
172.16.0.0/16 connecting to 192.168.0.0/16. That solution is no longer
practical however and I am wondering if I can change it to multiple
leftsubnet/rightsubnet entries to reflect the actual networks that I am
linking. Can anyone tell me the syntax I would use to do this? :)
Thanks in advance!
Sure you can...sort of.  What you're missing is the fact that each 
additional [left|right]subnet entry requires a new connection 
specification.  If you don't have a lot of connections, managing them by 
hand (or maybe with some simple scripts) is possible.  If you decide you 
want to do this, I suggest using descriptive names for your connections 
to avoid any ambiguity based on IP addresses, ie:
  [left|[EMAIL PROTECTED]

If you find your configuration getting too complex, the next best option 
is probably to push the complexity from your IPSec configuration into 
the routing domain.  Remember you can only pass traffic that matches a 
connections endpoint specifications through an IPSec tunnel, so you 
can't simply use an IPSec connection like a virtual 'wire' and route 
traffic down it.  The way around this is to setup point-point IPSec 
connections between your gateway boxes (rather than the subnet-subnet 
links it sounds like you're using).  Once you have these links in place, 
you run GRE tunnels over the IPSec tunnels (so all traffic matches the 
source/destination IP's listed in the connection description), then run 
the routing protocol of your choice (or even static routing) across the 
GRE tunnels.

--
Charles Steinkuehler
[EMAIL PROTECTED]
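The "simple script" approach Charles mentions, as an added example that is not part of his post: it expands every left/right subnet pair into its own FreeS/WAN conn section, one per pair as he describes, with a name built from the site names and subnets so the sections don't get confused. The gateway addresses, subnets and the "hq"/"branch" site names are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the post): one FreeS/WAN "conn" per
# left/right subnet pair, named descriptively. All addresses and site
# names used below are constructed sample values.

# gen_conns LGW "LSUBNETS" RGW "RSUBNETS" LNAME RNAME
#   prints ipsec.conf conn sections for the cross product of the subnets
gen_conns() {
    lgw=$1 lsubs=$2 rgw=$3 rsubs=$4 lname=$5 rname=$6
    for lsub in $lsubs; do
        for rsub in $rsubs; do
            # 10.1.0.0/16 -> 10.1.0.0-16 so the conn name stays one token
            ltag=$(printf '%s' "$lsub" | sed 's#/#-#')
            rtag=$(printf '%s' "$rsub" | sed 's#/#-#')
            printf 'conn %s_%s-to-%s_%s\n' "$lname" "$ltag" "$rname" "$rtag"
            printf '\tleft=%s\n\tleftsubnet=%s\n' "$lgw" "$lsub"
            printf '\tright=%s\n\trightsubnet=%s\n' "$rgw" "$rsub"
            printf '\tauthby=secret\n\tauto=start\n\n'
        done
    done
}

# count_conns: same arguments as gen_conns; number of conn sections produced
count_conns() {
    gen_conns "$@" | grep -c '^conn '
}

# Stand-alone run: two subnets on each side give four conn sections.
gen_conns 203.0.113.1 '10.1.0.0/16 10.2.0.0/16' \
          198.51.100.1 '192.168.10.0/24 192.168.20.0/24' hq branch
```

Append the output to ipsec.conf (the config section keeps the rest: the shared secret itself lives in ipsec.secrets). Note the number of sections grows as the product of the two subnet lists, which is exactly the point where the GRE-over-host-to-host layout described above starts to look better than a bigger ipsec.conf.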


Re: [leaf-user] Bering 1.2 Throughput Test Results

2004-04-14 Thread Charles Steinkuehler
Roger E McClurg wrote:
snip
The next test was to FTP from the PC connected to the OpenBrick E to the 
PC connected to a 500 Mhz P III running Bering 1.2.  The transfer rate was 
only 12.67 Mb/sec.  The 3DES IPSEC encryption was certainly taking its 
toll. 

Next we replaced both Bering machines with Nortel Contivity 1500 VPN 
devices. The Contivity is a popular VPN concentrator for small branch 
offices. It was designed specifically for the purpose of a VPN 
concentrator. Imagine our surprise when the Contivity transfer rate was 
only 4.45 Mb/sec. The Bering boxes were running weblet, shorewall, 
dnscache, dhcpd, ssh, sshd, sftp, snmp, and snmpd in addition to IPSEC, 
and yet they were almost three times faster than commercial VPN 
concentrators. 
If you want to have a bit more fun, switch your IPSec links to the new 
AES (ipsec_aes.o) encryption algorithm.  Designed to be more friendly to 
modern CPU's with wide registers and SIMD (Single Instruction Multiple 
Data) instruction sets (3DES is optimized for hardware, and doesn't 
translate nicely into a byte/word oriented general-purpose CPU 
algorithm), you should see a substantial increase in your transfer rates.

3DES is usually not much of a bottleneck (even with the 'slow' Nortel 
devices), as usually the upstream WAN link is substantially slower than 
the potential CPU throughput when compressing, but if you've got fast 
pipes, you'll notice a drastic difference by choosing an alternate 
encryption scheme.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] OT: UPX v1.11

2004-04-06 Thread Charles Steinkuehler
Vic Berdin wrote:
Hi,

I've been searching for a downloadable source of the said upx version.
An attempt to log in to cvs using:
cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/upx login 
fails.

Any help/link/e-mail attachment with complete (tgz/bz2) buildable source 
is very much appreciated.

I'm also inclined to accept a pre-built binary of upx v1.11 out of
desperation. I need it for Kernel compression (obviously).
Note the latest beta version of UPX (Version 1.90):
linux binary download
http://upx.sourceforge.net/download/unstable/upx-1.90-linux.tar.gz
once again claims to support compressing linux kernels, although I have 
yet to try it.  It might work instead of version 1.11.

--
Charles Steinkuehler
[EMAIL PROTECTED]


[leaf-user] Increasing ip_conntrack_max and hashsize

2004-04-05 Thread Charles Steinkuehler
My new Bering firewall stopped passing new traffic recently (lots of 
ip_conntrack: table full, dropping packet. messages), sending me on a 
quest which resulted in uncovering the following bits of wisdom:

- The default sizes for ip_conntrack_max and hashsize (the number of 
separate connections that can be tracked, and the size of the hash table 
that keeps track of them, respectively) default to a percentage of your 
total memory size.  This percentage is geared towards a 'general use' 
workstation with lots more memory (and fewer connections to track) than 
a typical special-purpose firewall box.

- The hash table works much better when its size is a prime number.

Details can be found in the following document:
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
Note that you can increase ip_conntrack_max at runtime, but the hash 
table size can only be adjusted when loading the ip_conntrack module (or 
at compile time, if compiled into the kernel).

A handy table of prime numbers good for hash table sizes can be found at 
PlanetMath:
http://planetmath.org/encyclopedia/GoodHashTablePrimes.html

--
Charles Steinkuehler
[EMAIL PROTECTED]
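An added helper (not from the post) that picks a prime hash table size for a desired ip_conntrack_max and prints the two settings to apply: the module option that has to be given when ip_conntrack is loaded, and the sysctl that can be changed at runtime. The 1:8 hashsize-to-max ratio is the kernel's own default relationship and is used here as a starting point; treating it as a rule of thumb and the /etc/modules line format are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added helper (not from the post): prime hashsize for ip_conntrack.
# Assumption: hashsize = ip_conntrack_max / 8 is only a starting ratio.

# is_prime N: exit 0 if N is prime (trial division, fine for table sizes)
is_prime() {
    p=$1
    [ "$p" -lt 2 ] && return 1
    [ "$p" -lt 4 ] && return 0
    [ $((p % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$p" ]; do
        [ $((p % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# next_prime N: smallest prime >= N
next_prime() {
    n=$1
    while ! is_prime "$n"; do n=$((n + 1)); done
    echo "$n"
}

# conntrack_settings MAX: print the settings for a desired ip_conntrack_max,
# with the hash table size rounded up to a prime near MAX/8.
conntrack_settings() {
    max=$1
    hs=$(next_prime $((max / 8)))
    # must be passed when the module is loaded (assumed /etc/modules form)
    echo "ip_conntrack hashsize=$hs"
    # adjustable at runtime via sysctl or /proc/sys/net/ipv4/ip_conntrack_max
    echo "net.ipv4.ip_conntrack_max = $max"
}

# Stand-alone run for a 32768-entry table.
conntrack_settings 32768
```

Check what the box is actually using before changing anything: the current maximum is in /proc/sys/net/ipv4/ip_conntrack_max, and the "table full, dropping packet" messages in the kernel log are the symptom that it is too small for the box's traffic.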


Re: [leaf-user] 2nd instance of dnscache, for serving my DMZ

2004-04-02 Thread Charles Steinkuehler
freeman wrote:
My setup is home-user, DSL, Bering 1.2 release. eth0=internet, 
eth1=private, eth2=DMZ.

I just recently got a mail-server box placed on my long-empty DMZ 
interface. However this DMZ-located box wouldn't resolve. I mucked with 
dnscache, attempting to have it serve both eth1 and eth2 queries but 
dnscache won't accept more than 1 IP address in the /etc/dnscache/env/IP 
file. Placing 0.0.0.0 there permitted boxes on either interface to 
resolve but it seemed like dnscache wasn't performing because pings from 
the router to the internet would take a few seconds to resolve, every time.

I have checked the relevant FAQ 
(http://leaf.sourceforge.net/devel/jnilo/dnscache.html) and sought 
within the mail archives but no clear solution was forthcoming. What I 
did find within the mail archives was an 18-month old discussion with 
Michael D. Schleif (sub=dnscache vs. dmz ???) where it was pointed out 
that 1) dnscache can't serve two masters (aka two interfaces) and 2) 
this is not particularly desired anyway, because of the crossover of the 
private lan and the DMZ traffic (i.e. security risk).

Thus I concluded that the way to solve my issue (desiring dnscache to be 
effective on my private LAN as well as the DMZ) was to have a second 
instance of dnscache running, and set it up to serve only the DMZ.

So I went about creating a copy of the dnscache.lrp package, called 
dnscach2.lrp. I changed almost all references to dnscache to be 
dnscach2 for the files within this new dnscach2.lrp. To reduce the 
size of this dnscach2.lrp package I removed the executable from the 
dnscach2 package and had the config files within dnscach2 refer to the 
original dnscache executable. And it works!

So my questions are:
- is this the proper way to get dnscache functionality on a second 
interface? (I ask because I saw little about how to solve this issue, 
and I would have thought that this problem would have been experienced 
by lots of people and caused them the same difficulty that I had)
I'd just configure DNSCache to resolve queries from both networks.  I 
don't think this is covered by the simplistic help included with the 
DNSCache LRP file, but a quick google search for 'dnscache man page' 
will turn up some useful info:

http://www.die.net/doc/linux/man/man8/dnscache.8.html

<quote>
dnscache listens for incoming UDP packets and TCP connections addressed 
to port 53 of $IP. Typically $IP is 127.0.0.1, but it can also be an 
externally accessible IP address.

dnscache accepts a packet or connection from IP address 1.2.3.4 if it 
sees a file named ip/1.2.3.4 or ip/1.2.3 or ip/1.2 or ip/1.
</quote>

So...the IP setting you're trying to play with is the *LISTEN* address 
of DNSCache (it only needs to listen on 1 IP).

To configure DNSCache to serve both networks, simply add appropriate 
files (zero length is OK) for both networks in the ip/ directory of 
dnscache's configuration directory.  Of course, you'll also have to setup 
your firewall rules to allow both networks to make DNS queries to the IP 
DNSCache is listening on.

Then simply use the IP in /etc/dnscache/env/IP for the DNS server on all 
machines, and you should be set.

- If this is a proper solution I'm surprised to not see a 
pre-existing dnscach2.lrp available. Would someone be interested, if I 
sent them my dnscach2.lrp file (nice and tiny at 2603 bytes) , to place 
it on the leaf site available for others to use? If so, and some 
adjustments should be made to the dnscache documentation, what can I do 
to assist with this? I don't have CVS experience or anything but I can 
modify the HTML files that comprise the dnscache documentation if 
someone else would upload them.
I don't know if I'd call it a proper solution...I'd call running two 
DNSCache servers more of a hack, and you'll have to be careful they 
don't step on each other's configuration (ie: use separate configuration 
directories).  There are probably some valid reasons to do this, but 
your setup isn't one of them (IMHO).

- as a general curiosity (that I could search on myself, but I don't 
know that it's germane to my situation) why would someone want dnscache 
as well as tinydns (as was mentioned in the sub=dnscache vs. dmz ??? 
thread)?
DNSCache is a caching-only DNS server (ie: performs recursive DNS 
queries to resolve names by asking other DNS servers questions, and 
remembering the results for faster lookups next time).  TinyDNS is an 
authoritative DNS server, used to host your own domain (ie: to answer 
questions from everyone else on the internet about names under your 
control, such as: www.yourdomain.net).

--
Charles Steinkuehler
[EMAIL PROTECTED]
---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click

Re: [leaf-user] serial support with Dachstein

2004-04-02 Thread Charles Steinkuehler
Arnold Wiegert wrote:
After happily using Dachstein for some time now and ready to upgrade to 
the latest because it has some features I need, I downloaded the latest 
small Dachstein image from Charles Steinkuehler's page and configured it 
to run my network.

First off, I wanted a serial connection. So I reviewed the latest Serial 
Howto, but did not get past the first test of the serial port before 
making any changes, i.e. the line
echo Hello world > /dev/ttyS0
give me the following error message
cannot create /dev/ttyS0: error 19

Downloading the serial.o module from the same site, for the same kernel 
and adding it to the modules list and the /lib/modules directory and 
backing up the works gives the same result.

I've confirmed that the module exists after reboot and is loaded; fixing 
inittab and securetty makes no difference. All it adds are more error 
messages about respawning T0 too fast.

I've verified my hardware as well by booting to DOS.

Googling did not help much either, other than to find a similar post, 
but without an answer and some references to the Serial Howto, which I 
was using already.

What am I missing in this?
I'm not sure.  If serial.o is listed when you run 'lsmod', you should 
have serial port support.

Some comments indicate that serial support is built into the normal 
kernel, but how do I convert the .zImage.upx file to a disk image or 
how do I replace just the kernel, if that is an option?
Just copy the zImage.upx file to the file 'linux' on your floppy 
disk (or other boot media).  You may have to replace any kernel modules 
you're using, as well.

--
Charles Steinkuehler
[EMAIL PROTECTED]

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] ISP and DNS issues

2004-03-31 Thread Charles Steinkuehler
John Wittenberg wrote:
Thank you all for your valuable time.

Well, I managed to get things working despite my ISP.  I changed dnscache to 
forward my ISPs DNS instead of using the root servers, per 
http://leaf.sourceforge.net/devel/jnilo/dnscache3.html#AEN113.  Now I'm able 
to resolve my mail server, mail.bllvwa.cablespeed.com correctly.  When I had 
tried to ping the mail server from XP and failed, this was the error message 
:  Ping request could not find host mail.bllvwa.cablespeed.com. Please check 
the name and try again.

At the moment I'll probably leave well enough alone, but what real problems 
am I going to have by not using the root name servers and sticking with the 
ISP name servers?  As this exercise shows, one benefit could be that no 
matter how bad my ISP messes up the name records, I'll always be able to 
find it.
There shouldn't be any serious problems with running this way, as long 
as your ISP's DNS servers are reliable.  If they are not, you may find 
yourself with a link to the internet, but no useful way to find anything 
when their DNS servers are down (I had this happen to me a lot with my 
first DSL line from Southwestern Bell).

If you want to continue using the root nameservers, you can go back to 
your initial dnscache configuration, but add an entry directing queries 
for bllvwa.cablespeed.com directly to your ISP's name servers, rather 
than letting it resolve normally.  To do this, put an entry(ies) for your 
ISP's name space(s) in the servers/ directory.

quote from dnscache man page
dnscache reads a list of dotted-decimal root server IP addresses, one 
address per line, from servers/@. It also scans the servers directory 
for server IP addresses for other domains. If there are addresses listed 
in servers/moon.af.mil, for example, then dnscache will send queries for 
anything.moon.af.mil to those addresses, and will not cache records for 
anything.moon.af.mil from outside servers such as the root servers.

Versions 1.03 and above: If $FORWARDONLY is set, dnscache treats 
servers/@ as a list of IP addresses for other caches, not root servers. 
It forwards queries to those caches. It does not contact the root 
servers, or any other DNS servers, directly.
/quote

You should have a servers/bllvwa.cablespeed.com file with the IP(s) of 
your ISP's DNS servers if you wish to go back to using the root name 
servers and still have your ISP's names resolve.

--
Charles Steinkuehler
[EMAIL PROTECTED]

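An added example (not code from the thread or from the djbdns package) that serves both the two-network ip/ question earlier and the servers/ forwarding discussed here: it builds a constructed dnscache configuration directory and emulates the two lookups the man page describes, so an admin can check which clients a config admits and where a given name would be sent before dnscache is started. The env/IP address, the ip/ and servers/ entries, the isp.example domain and the temp-directory layout are all assumptions.

```shell
#!/bin/sh
# Added example: emulate dnscache's ip/ access check and servers/ lookup
# against a constructed configuration directory.  Not dnscache's own code;
# every IP, file and domain name below is made up for the demonstration.

# Lay out a constructed config dir with env/IP, ip/ and servers/.
build_sample_config() {
    dir=$1
    mkdir -p "$dir/env" "$dir/ip" "$dir/servers"
    echo 192.168.1.254 > "$dir/env/IP"        # the single LISTEN address
    : > "$dir/ip/192.168.1"                   # admit 192.168.1.0/24 (zero length is fine)
    : > "$dir/ip/192.168.2"                   # admit the second LAN, 192.168.2.0/24
    : > "$dir/ip/127.0.0.1"                   # and the router itself
    echo 192.0.2.1 > "$dir/servers/@"         # root server list (documentation-range placeholder)
    printf '192.0.2.53\n192.0.2.54\n' > "$dir/servers/isp.example"  # ISP's own name space
}

# Emulate the ip/ rule: a client A.B.C.D is accepted if any of
# ip/A.B.C.D, ip/A.B.C, ip/A.B or ip/A exists.  Returns 0 if admitted, 1 if not.
# Anything without such a file is refused, which is what keeps the cache
# from being an open resolver for the rest of the internet.
dnscache_allows() {
    dir=$1
    prefix=$2
    while [ -n "$prefix" ]; do
        if [ -e "$dir/ip/$prefix" ]; then
            return 0
        fi
        case $prefix in
            *.*) prefix=${prefix%.*} ;;       # drop the last octet and retry
            *)   prefix= ;;                   # single octet tried, give up
        esac
    done
    return 1
}

# Emulate the servers/ lookup for a query name: the most specific
# servers/<suffix> file wins; with no match the root list in servers/@ is used.
# Prints the server IPs for that name, one per line.
dnscache_servers_for() {
    dir=$1
    suffix=$2
    while [ -n "$suffix" ]; do
        if [ -f "$dir/servers/$suffix" ]; then
            cat "$dir/servers/$suffix"
            return 0
        fi
        case $suffix in
            *.*) suffix=${suffix#*.} ;;       # strip the leftmost label and retry
            *)   suffix= ;;
        esac
    done
    cat "$dir/servers/@"
}

# Stand-alone demo: report what the constructed config would do.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    build_sample_config "$tmp"
    for client in 192.168.1.10 192.168.2.77 10.0.0.5; do
        if dnscache_allows "$tmp" "$client"; then
            echo "$client: query accepted"
        else
            echo "$client: query refused (no matching ip/ file)"
        fi
    done
    echo "mail.isp.example -> $(dnscache_servers_for "$tmp" mail.isp.example | tr '\n' ' ')"
    echo "www.example.com  -> $(dnscache_servers_for "$tmp" www.example.com)"
    rm -rf "$tmp"
fi
```

Run it with the argument `demo` to see the accept/refuse decision for each sample client and the server list chosen for each name.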

Re: [leaf-user] Bering 1.2; Diagnosis for ntpsimpl logfile deletion problem

2004-03-29 Thread Charles Steinkuehler
Eric Spakman wrote:
David,

In Bering-uClibc it's fixed in the following way:

# only keep a week's depth of these
oldlogs=`find /var/log/ntpstats -type f -mtime +7`
[ "$oldlogs" != "" ] && rm $oldlogs
As you can see Bering-uClibc uses a newer version of busybox.
Another way I like to do this is with ls and sed:

SAVELOGS=7
oldlogs=`ls -1t log.file.pattern | sed "1,${SAVELOGS}d"`
[ "$oldlogs" != "" ] && rm $oldlogs
--
Charles Steinkuehler
[EMAIL PROTECTED]

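An added example, not code from either poster: the "ls -1t | sed" idea above wrapped in a function that keeps the N newest files matching a glob and handles the two cases the one-liner trips over (fewer files than SAVELOGS, or no match at all, both of which leave $oldlogs empty). The directory, the loopstats.N file names and the 2004-03-29 timestamps are constructed; file names containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: prune all but the newest $keep files matching a pattern.
# Same approach as the thread's ls/sed one-liner, with the empty-result
# cases made explicit.  Directory, names and dates are constructed.
prune_logs() {
    dir=$1        # directory holding the logs, e.g. /var/log/ntpstats
    pattern=$2    # shell glob, e.g. 'loopstats.*'
    keep=$3       # number of newest files to keep (1 or more)
    # ls -t lists newest first, so deleting the first $keep lines of the
    # listing leaves exactly the files older than the ones we keep.
    # ls's "No such file" complaint for an unmatched glob is silenced.
    old=$(cd "$dir" && ls -1t $pattern 2>/dev/null | sed "1,${keep}d")
    if [ -z "$old" ]; then
        return 0                  # nothing old enough; the unquoted test would error here
    fi
    for f in $old; do
        rm -f "$dir/$f"
    done
}

# Helper for the self-check: how many files match the glob in the directory.
count_files() {
    dir=$1
    pattern=$2
    n=0
    for f in "$dir"/$pattern; do
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Build a constructed set of ten "daily" files with increasing mtimes.
make_sample_logs() {
    dir=$1
    i=1
    while [ "$i" -le 10 ]; do
        # touch -t CCYYMMDDhhmm.SS: minute i of 01:00 on 2004-03-29
        touch -t "2004032901$(printf '%02d' "$i").00" "$dir/loopstats.$i"
        i=$((i + 1))
    done
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_logs "$tmp"
    prune_logs "$tmp" 'loopstats.*' 7
    echo "kept $(count_files "$tmp" 'loopstats.*') of 10 files"
    rm -rf "$tmp"
fi
```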

Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-24 Thread Charles Steinkuehler
Craig Caughlin wrote:
Hi everyone!

O.K. Per Charles & Tom's suggestions (thank you, gentlemen), I decided to
try and assign my additional IP addresses in the /etc/network/interfaces. I
tried to assign them in, at first, 2 different ways...neither one of which
worked. I tried:
snip /etc/network/interfaces examples

But neither way worked. The good news is that Tom's suggestion of ip addr add
66.60.172.202/24 brd 66.60.172.255 dev eth0 label eth0:0, etc works great.
I can immediately ping all addresses, and ip addr lists them all. Yippee!
But, I don't know what to back up (which .lrp package) to save my changes???
Also, what file(s) were modified by using this method(out of curiosity)?
To save your changes, backup etc.lrp.

The file modified is /etc/network/interfaces which you edited.  No other 
files are dynamically modified when you make changes to this file.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Charles Steinkuehler
Craig Caughlin wrote:
Hi folks,
I'm trying (with no success) to assign multiple IP addresses to eth0 on my
Bering-uClibc 2.1-rc1 box. 

At Tom's suggestion, I have read (studied really) his instructions at:
http://www.shorewall.net/shorewall_setup_guide.htm.
I have been assigned by our network admin the following addresses:
66.60.172.201-204, Gateway 205. In /etc/shorewall/masq I have made the
following entry:
#INTERFACE  SUBNET  ADDRESS
eth0:0  eth166.60.172.201-66.60.172.204
When I save the file, restart shorewall, and issue the ip addr command I'm
expecting to see the additional addresses but here's what I get:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d3:c2:14 brd ff:ff:ff:ff:ff:ff
    inet 66.60.172.201/24 brd 66.60.172.255 scope global eth0
    inet 66.60.172.204/24 brd 66.60.172.255 scope global secondary eth0:0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:52:07:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:a0:cc:d3:cf:40 brd ff:ff:ff:ff:ff:ff
When I try to ping the addresses, I can ping only 66.60.172.201 but nothing
else. In the /etc/network/interfaces file, I have eth0 statically set to
66.60.172.201, and I use the dhcpd for assigning local addresses. I'm
stumped...any suggestions???
P.S. One thing I did gave me, what *I* think, was a really unusual result: I
had initially set eth0's static address as 66.60.172.204, and when I tried
to ping 66.60.172.201...here's what I got:
G:\WINNT\system32>ping 66.60.172.201
Pinging 66.60.172.201 with 32 bytes of data:
Reply from 66.60.172.204: Destination host unreachable.
Reply from 66.60.172.204: Destination host unreachable.
Reply from 66.60.172.204: Destination host unreachable.
Reply from 66.60.172.204: Destination host unreachable.
Ping statistics for 66.60.172.201:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms
Is that really odd...or is it me??? :-) I see there's no packet loss...but I
also can't reach the box. H.
Are you using the /etc/shorewall/masq file to try and *ASSIGN* the extra 
IP addresses?  With your setup, I'd simply assign all IP's in your 
/etc/network/interfaces file (add entries for eth0:0, eth0:1, etc., 
along with the entry for eth0).

With the masq entry you list above, you'll be round-robining through 
source IP's for outbound traffic, which I doubt is what you really want.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Charles Steinkuehler
Tom Eastep wrote:

Tom Eastep wrote:
Charles Steinkuehler wrote:

Are you using the /etc/shorewall/masq file to try and *ASSIGN* the 
extra IP addresses?  With your setup, I'd simply assign all IP's in 
your /etc/network/interfaces file (add entries for eth0:0, eth0:1, 
etc., along with the entry for eth0).

With the masq entry you list above, you'll be round-robining through 
source IP's for outbound traffic, which I doubt is what you really want.

Good catch -- I haven't a clue what Shorewall would do with that masq 
file entry and ADD_SNAT_ALIASES=Yes.

Hmmm -- I'm smarter than I thought :-)

...
Adding IP Addresses...
IP Address 206.124.146.178 added to interface eth0 with label eth0:0
IP Address 206.124.146.180 added to interface eth0 with label eth0:1
IP Address 206.124.146.179 added to interface eth0 with label eth0:2
IP Address 176.16.1.1 added to interface eth3 with label eth3:0
IP Address 176.16.1.2 added to interface eth3 with label eth3:1
IP Address 176.16.1.3 added to interface eth3 with label eth3:2
IP Address 176.16.1.4 added to interface eth3 with label eth3:3
IP Address 176.16.1.5 added to interface eth3 with label eth3:4
IP Address 176.16.1.6 added to interface eth3 with label eth3:5
IP Address 176.16.1.7 added to interface eth3 with label eth3:6
Processing /etc/shorewall/start ...
Shorewall Restarted
gateway:/etc/test#
So it assigns the addresses to sequential aliases.
...but do any of your alias IP's overlap the main IP for the interface? 
I think the setup Craig was commenting on likely has overlapping IP's (kind 
of hard to tell, though, since there's not exactly complete debugging info).

Regardless, if I'm reading the docs correctly, having multiple IP's 
after a masq entry will round-robin through all the IP's listed, which 
seems like a pretty weird way to set up an external link.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Difficulty assigning multiple IP addresses

2004-03-23 Thread Charles Steinkuehler
Craig Caughlin wrote:
Hey...thank you Charles & Tom for the expeditious response! Let me see if I
can address you both...
O.K., so I gather that I need to do 2 things:

1.) Take Charles suggestion and add entries for eth0:0, eth0:1, etc., along
with the entry for eth0, and 2.) Tom's suggestion ADD_SNAT_ALIASES=Yes in
shorewall.conf. Is that right?
Charles, how do I add entries as you suggest (I don't know how to do that
:-( )? Here's what I have:
auto eth0
iface eth0 inet static
    address 66.60.172.201
    netmask 255.255.255.0
    broadcast 66.60.172.255
    gateway 66.60.172.205
Do I then add this for the next address...

auto eth0:0
iface eth0:0 inet static
    address 66.60.172.202
    netmask 255.255.255.0
    broadcast 66.60.172.255
    gateway 66.60.172.205
auto eth0:1
iface eth0:1 inet static
    address 66.60.172.203
    netmask 255.255.255.0
    broadcast 66.60.172.255
    gateway 66.60.172.205
Etc, etc...
Is this right? 
Yes, although you don't need to duplicate the gateway entry on any but 
the main eth0 entry.

You can also do it the way Tom mentioned (adding an 'up' clause to your 
eth0 definition...there's almost always more than one way to do 
something in linux!).

Also, just out of curiosity, what do you mean when you said,
With the masq entry you list above, you'll be round-robining through source
IP's for outbound traffic, which I doubt is what you really want.? What's
wrong with that???
It means the source IP of the traffic you send to the internet (or 
anything else on the 'upstream' side of your firewall) will dynamically 
rotate between the various IP's you have assigned.  You will have to be 
*VERY* careful that your firewall rules take this into account, and you 
may have problems with some applications that open multiple connections, 
or anything that expects your IP to be constant.

Tom:
If I ADD_SNAT_ALIASES=Yes in shorewall.conf, do I need to change
ADD_IP_ALIASES to No or should I leave it to it's default Yes?
Once I have made the correct modifications, ip addr should show all of the
addresses, and I should be able to ping them all, shouldn't I???
You should be able to ping all assigned IP's, assuming the firewall 
rules allow it (you can allow/prevent just about anything with iptables).

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Dachstein routing to squid

2004-03-22 Thread Charles Steinkuehler
LaRoy McCann wrote:
I have spent all weekend looking and trying to figure out how to make this 
work.  Now it is time to ask for help.

I have Dachstein CD running as a proxy-arp firewall for a system.  Is it 
possible to have the firewall redirect all port 80 requests from the DMZ 
(eth2) and send them to port 3128 on another box (Squid-cache) in the 
DMZ.  And then accept the requests from the Squid box to the internet (eth0).

I know this is probably easier using Bering, but I have not taken the time 
to try that.  I have always used Dachstein.

I have looked thru network.conf and can not find any rules for redirect or 
forwarding within the same interface, just from one interface to the other. 
I have even tried to add an ipmasqadm rule manually and it did not 
work.  Do I need to place the squid box on the internal interface?

If someone is doing this now, could you please post the info or a link to 
some info showing the correct settings.
If this is anything like port-forwarding, it's a *LOT* easier if the 
router is between the two boxes (client and proxy), rather than having 
both be on the same net.  With port-forwarding, the problem is the 
outbound packets need to get mangled (for destination IP), and then 
mangled again on return (for source IP), but with both boxes on the same 
network, the reply packets go directly from server-client, they don't 
match what the client's expecting (for source IP), and they get dropped.

You can use tcpdump to see if this is what's happening to you.  If so, I 
recommend another NIC (they're cheap!) configured with a private IP 
range.  Just stick your proxy in the new network, setup the Dachstein 
rules so the new IP range is masqueraded to the internet, and you should 
be all set to craft some custom redirect rules.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Sending mail from a script

2004-03-22 Thread Charles Steinkuehler
Roger E McClurg wrote:
I know that mail messages are normally terminated with a control-d. Can 
someone please tell me how to end a mail message when it is sent from a 
script file in Bering?  I know it is a simple trick, but for the life of 
me I cant remember it.
control-d is the keyboard equivalent for end-of-file.  You can simply 
pipe something to (or otherwise redirect the input of) the mail command, 
which will correctly identify the end of file, ie:

echo hello world | mail -s test [EMAIL PROTECTED]

-or-

mail -s test [EMAIL PROTECTED] < /my/test/message

--
Charles Steinkuehler
[EMAIL PROTECTED]


[leaf-user] Bering terminfo missing?

2004-03-15 Thread Charles Steinkuehler
I'm not seeing the /etc/terminfo entries in Bering, nor could I find a 
package they moved to.

Am I missing something, or do I need to copy these from Dachstein (or 
Debian)?

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Bering terminfo missing?

2004-03-15 Thread Charles Steinkuehler
Eric Spakman wrote:

I'm not seeing the /etc/terminfo entries in Bering, nor could I find a
package they moved to.
Am I missing something, or do I need to copy these from Dachstein (or
Debian)?
Hi Charles,

Why do you need the terminfo entries? It's part of the ncurses package and I think it's only used for programs using the ncurses libraries. But I can be wrong
I'm migrating from Dachstein to Bering (finally), and running vim is 
just about impossible w/o proper terminal settings (it's apparently 
compiled with terminfo support).  I'm using the vim package from my 
Dachstein CD (I'm working on a similar BeringCD I'll use to update my 
existing production routers).

I am also loading bash and the ncurses libraries (I haven't run any 
ncurses programs yet, but they're probably broken too).

For now I guess I'll just copy the terminfo files from Dachstein, 
although it seems like they should either be part of the default etc.lrp 
(as they were for ages) or re-packaged to a separate terminfo.lrp if 
they're no longer wanted in the default release.

--
Charles Steinkuehler
[EMAIL PROTECTED]


Re: [leaf-user] Am I out of luck?

2004-03-07 Thread Charles Steinkuehler
Allan Hise wrote:
I've been using an old box for almost 4 years as a LRP box, upgraded over
time to its current Bering uLibc 2.0. I need to go slightly OT for a few
paragraphs before I venture back on topic.
I am in need of setting up a DMZ, so I plopped in another CS8900 card I
have laying around next to the two that are working perfectly. It seems
like this old Gateway box doesn't have enough interrupts available,
because I just can't get eth2 to come up. Strange, since there are plenty
of ISA slots... First, am I interpreting /proc/interrupts correctly:
more /proc/interrupts
           CPU0
  0:     338352          XT-PIC  timer
  1:        246          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  8:          0          XT-PIC  rtc
 10:      87207          XT-PIC  eth0
 11:      90819          XT-PIC  eth1
NMI:          0
ERR:          0
eth2, which I set to interrupt 12 in the card's config utility, is nowhere
to be seen. If I switch it to int 5, I am able to see eth2 (int 5) but
eth1 (int 11) drops off the list. That's why I think there aren't enough
interrupts.
So, assuming that is correct, is there any way to set up a DMZ using only
2 interfaces? If not, I guess I need to scrape up some new hardware.
Unless I can figure out a way for it to give up that keyboard interrupt
that I don't need...
Thank you for listening to my ramblings, hopefully someone out there will
have a good suggestion.
It looks like you've got plenty of IRQ's available, but what are you 
using for I/O addresses?  I'd suspect some other conflict with 
overlapping I/O's, rather than not enough interrupts.

Note that the CS8900 looks like it requires 16 contiguous I/O addresses, 
so you need to make sure you don't put another card (or have other I/O 
resources, like parallel or serial ports) within 16 addresses of the 
base address of each card.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] ISP and DNS issues

2004-02-28 Thread Charles Steinkuehler
John Wittenberg wrote:
snip
The real question becomes, why when using the mail server name when 
connected direct from XP it works, where as having the LEAF box connected 
using the mail server name does not work.  Is there some difference when 
using the ISP DNS versus going through the LEAF box with the ISP DNSs 
identified.

Thanks for any and all help in advance and sorry about the convoluted 
message.
In addition to Ray's excellent comments, I want to point out it's also 
possible your ISP has moved their internal mail server(s) to private IP 
space.  If so, the Dachstein firewall rules are what is preventing you 
from seeing the mail server, not any DNS issue.  A lot of ISP's are 
doing this with their 'internal' resources due to a shortage of IPV4 
addresses (especially outside the US).

Since you didn't mention the IP your mail server resolves to, it's 
impossible to rule this out.

--
Charles Steinkuehler
[EMAIL PROTECTED]


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps  Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click



Re: [leaf-user] routing issue with Dachstein

2004-02-12 Thread Charles Steinkuehler
Earl Wilson wrote:
snip
Thanks for the network diagram...I figured that's how you had things 
setup, but it's nice to verify.

I thought I had turned the
firewall off on the rh box during a previous re-install, but with your
suggestions, I got the following:
[EMAIL PROTECTED] etc]# ipchains -nvL
ipchains: Incompatible with this kernel
[EMAIL PROTECTED] etc]# iptables -nvL
Chain INPUT (policy ACCEPT 53612 packets, 4819K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 51850 packets, 4379K bytes)
 pkts bytes target     prot opt in     out     source               destination
This *IS* a disabled firewall.  No rules, and a default policy of ACCEPT 
will let everything through.

As far as the routing table on the rh box, it seems that the LEAF is
listed as the default GW:
[EMAIL PROTECTED] etc]# ip route show
192.168.1.0/24 dev eth1  scope link
192.168.0.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.1.254 dev eth1
[EMAIL PROTECTED] etc]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         firewall        0.0.0.0         UG    0      0        0 eth1
This all looks OK.  Your LEAF Firewall is the default route for the 
RedHat box, and there are proper entries for both networks directly 
connected to the RH box.

Going through your original message again, I notice:
 REDHAT TO I-NET ATTEMPT:
 [EMAIL PROTECTED] etc]# ping www.msn.com
 ping: unknown host www.msn.com
 [EMAIL PROTECTED] etc]# ping 207.68.173.244 -(WWW.MSN.COM)
 PING 207.68.173.244 (207.68.173.244) 56(84) bytes of data.
 --- 207.68.173.244 ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
I now think your problem is trying to ping www.msn.com, which doesn't 
reply to pings for me either (and my internet connection is working!). 
You should try google, instead:

  [EMAIL PROTECTED] network-scripts]# ping www.msn.com
  PING www.msn.com (207.68.171.244) from 10.34.1.21 : 56(84) bytes of
  data.
  --- www.msn.com ping statistics ---
  5 packets transmitted, 0 received, 100% loss, time 4017ms
  [EMAIL PROTECTED] network-scripts]# ping www.google.com
  PING www.google.akadns.net (216.239.39.147) from 10.34.1.21 : 56(84)
  bytes of data.
  64 bytes from 216.239.39.147: icmp_seq=1 ttl=247 time=96.1 ms
  64 bytes from 216.239.39.147: icmp_seq=2 ttl=247 time=99.5 ms
  64 bytes from 216.239.39.147: icmp_seq=3 ttl=247 time=184 ms
  64 bytes from 216.239.39.147: icmp_seq=4 ttl=247 time=242 ms
  --- www.google.akadns.net ping statistics ---
  4 packets transmitted, 4 received, 0% loss, time 3029ms
  rtt min/avg/max/mdev = 96.186/155.764/242.570/61.424 ms
At this point, I suspect you *DO* have access to the internet from your 
RH box, but with DNS broken, it doesn't actually seem like it's working, 
and for testing you managed to pick an IP that doesn't reply to pings.

Try pinging some other IP addresses from the RH box (and verify they 
respond by trying to ping from your working windows boxen as well).  If 
you can ping anything out on the internet, the RH box and firewall are 
setup correctly for network connectivity, so you'll just need to fix 
domain resolution, probably by adding your ISP's name servers to 
/etc/resolv.conf.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] routing issue with Dachstein - Success!! (kinda)

2004-02-12 Thread Charles Steinkuehler
Earl Wilson wrote:
I assume that due to the fact that the rh box is now using the ipmasq
abilities  of the Dachstein box, that the rh box still has firewall
protection (please correct me if I'm wrong on this statement).
Yes, the RedHat box is behind your Dachstein firewall, and so is 
protected from the internet, just like your windows box running ICS.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] routing issue with Dachstein

2004-02-11 Thread Charles Steinkuehler
=255.255.255.0
GATEWAY=192.168.1.254
Verify these settings.  If they're not correct, fix them and restart 
networking (service network restart).  Hopefully, that will fix your 
problem.  If not, please provide details of how networking is setup on 
your RH box (the same 'ip route show' and 'ip addr show' used for 
Dachstein, assuming you've installed the iproute package; I don't recall 
if it's installed by default in RH, but I install it on all my systems). 
Otherwise use: ifconfig and route.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Amateur Radio Modules?

2004-02-08 Thread Charles Steinkuehler
[EMAIL PROTECTED] wrote:
As an amateur radio operator I was wondering if anyone had compiled any
amateur radio modules for any of the LEAF versions and if they had been
successfully used.   Any replies welcome direct and not necessarily on the
list as this is somewhat off the subject of this list.
I believe most of the available amateur radio modules are compiled for 
my Dachstein kernels, as it didn't increase the base kernel size to 
include them (as modules).

To my knowledge, no one has used them in a production (or even a test) 
environment.  If you do get something going (with Dachstein or something 
else), please let us all know.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Got serial working except for boot messages

2004-02-05 Thread Charles Steinkuehler
Jeff Pierce wrote:
I copied serial.o to /lib/modules and added it to the modules to start 
configuration. Then changed inittab and securetty file backed up and I 
can now log into dach via serial.
But now I hung up on boot messages. Here is what that part of my 
syslinux.cfg line looks like.

dnscache,weblet console=tty0 console=ttyS0,19200n8
You won't get boot messages from the kernel unless you use one of the 
kernels with serial compiled in.  The kernel can't output to ttyS0 until 
the serial.o module gets loaded, well into the boot-up process.

Switch to the 'normal' Dachstein kernel if you really need boot-time 
messages from the kernel over the serial port.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Got serial working except for boot messages

2004-02-05 Thread Charles Steinkuehler
Jeff Pierce wrote:

Could you try to answer one more ipchains related question. How do you 
force the rule cache to clear when you make a change? I remove a port 
forward rule and reenter it to forward to another machine. However it 
seems to take several minutes for the rule to take effect. And, if any 
packets for that port arrive, they are forwarded to the old forward 
target and that resets the cache counter. So if packets keep coming in, 
the new rule never takes effect unless I reboot the router.
Can the rule cache be cleared on command?
Hmm...I've not encountered this problem, but I don't do a lot of 'live' 
switching of port-forwards.  I can think of a few things to try, including:

- Try deleting the port-forward entry before adding a new one using the 
ipmasqadm command with the -d option.

- Verify you only have one port-forward entry listed (net ipfilter list 
portfw or ipmasqadm portfw -ln)

- Try setting your masquerade timeouts to a shorter value (ipchains -M -S)

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Getting serial to work under Dachstein

2004-02-04 Thread Charles Steinkuehler
Jeff Pierce wrote:

A web search turned up that DachStein might not have serial built in. 
However, I go to leaf.sf.net and get to the Dach kernels. I see mention 
of small kernels, normal kernels and RAID kernels. But, nothing about serial.

So, what do I need to do to get it to work?
Either use the normal or RAID kernel with serial support built-in, or if 
you're using the small kernel (the default kernel for floppy versions of 
dachstein), you need to load the serial.o module:

http://lrp.steinkuehler.net/files/kernels/Dachstein-small/modules/misc/serial.o

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] machine access by hostname in the DMZ?

2004-02-03 Thread Charles Steinkuehler
Erich Titl wrote:

Charles

At 13:16 02.02.2004 -0600, Charles Steinkuehler wrote:
..
I do this sort of thing using the 'views' feature of Bind9.  Systems get different 
IP's for the same hostname depending on who's asking (based on IP address of the 
querying system).  It's pretty easy to setup if you're running bind already.
I guess you need a fixed IP to accomplish this?
Your name server should be on a fixed IP, although it can be in private 
IP space if it's not a public nameserver.  If you're running a 
nameserver for publicly accessible domains, it should be on a fixed 
public IP.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] machine access by hostname in the DMZ?

2004-02-02 Thread Charles Steinkuehler
arif wrote:
Hi Leaf'ers
I think Erich's answer was probably the best, but it also seemed like  
overkill to some degree - so let me be a bit more precise in what I'm  
trying to accomplish in hopes that there's an easier way to do this.

The problem:
I've got a server running in my DMZ that's running smtp, imap, and very  
light web hosting services.  From out in the world, I can hit the page  
by hostname.  From the LAN, I can address the dmz machine by IP  
address, and have in the past added an entry into my client machines  
(OS X, Linux, Windows) /etc/hosts file to be able to address the DMZ  
server by hostname as well.  The LAN is small, only consisting of 3-4  
machines at any given time, so maintaining the /etc/hosts files isn't  
really an issue for LAN-only machines.  I run into problems with my OS  
X laptop.  When it's home, I have to either change my /etc/hosts file,  
or use IP addresses.  When away from home, hostname works just fine.

So the question is whether there's any (easier) way to have the OS X  
laptop hit the DMZ machine by hostname when it's on the LAN.  Now that  
I think of it, I'm not entirely sure that the solution is best reached  
through modifying anything on the LEAF side of things since I think I  
could probably whip up an Applescript that would copy the right  
/etc/hosts file into place based on IP address/location.  But, in the  
event that there's a nice, relatively easy way to do this from the LEAF  
side of things, I figured I'd ask.
I do this sort of thing using the 'views' feature of Bind9.  Systems get 
different IP's for the same hostname depending on who's asking (based on 
IP address of the querying system).  It's pretty easy to setup if you're 
running bind already.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Port fw won't work in Dachstein-Ipsec image

2004-01-21 Thread Charles Steinkuehler
Please keep replies on-list (use reply-all).

Tibbs, Richard wrote:

Charles, 
first, I had not even set up an ipsec connection -- I was testing the port forwarding first, and it did not want to work.  So below is the output, but without any ipsec connections made.
The net ipfilter list command also complained:
Could not open /proc/net/ip_masq/portfw
Could not open /proc/net/ip_portfw
Check if you have enabled portforwarding.
So that may be the issue.  Heretofore, I have only had to use network.conf to get port forwarding going. 
Is there another step or another config file?
The above errors indicate you haven't loaded the port-forwarding kernel 
modules, which will prevent pretty much any port-forwarding from working.

Edit /etc/modules appropriately, and I suspect you'll have a lot more 
luck.  You'll want one or more of the following uncommented (for basic 
port-forwarding, ip_masq_portfw should be enough):
  ip_masq_autofw
  ip_masq_mfw
  ip_masq_portfw

You can verify which modules are loaded with the 'lsmod' command.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Thanks in advance,
Rick
 
Here is the output you asked for:
 
ip addr gave me:
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
    inet 216.12.22.89/26 brd 216.12.22.127 scope global ipsec0
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:13:02:78 brd ff:ff:ff:ff:ff:ff
    inet 216.12.22.89/26 brd 216.12.22.127 scope global eth0
7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:12:7d:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

Chain input (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY icmp l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all l- 0xFF 0x00 eth0 216.12.22.89 0.0.0.0/0 n/a
0 0 REJECT all l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.1.0/24 n/a
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 ACCEPT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 216.12.22.89 * -> 53
0 0 ACCEPT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 216.12.22.89 * -> 80
3 144 ACCEPT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 216.12.22.89 * -> 25
0 0 ACCEPT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 216.12.22.89 * -> 143
0 0 REJECT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 113
135 118K ACCEPT tcp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 REJECT udp l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 ACCEPT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 68
72 4977 ACCEPT udp -- 0xFF 0x00 eth0 0.0.0.0/0 216.12.22.89 * -> 53
0 0 ACCEPT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
0 0 DENY udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
5 1508 ACCEPT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 ACCEPT icmp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf -- 0xFF 0x00

Re: [leaf-user] Port fw won't work in Dachstein-Ipsec image

2004-01-20 Thread Charles Steinkuehler
Dr. Richard W. Tibbs wrote:
Dear list:
Want to host a VPN through my Dachstein firewall,
as well as port-forward web, IMAP and SMTP to an internal server.
I made a boot floppy of Lynn Avants' Dachstein IPsec image, and configured the port 
forwarding in network.conf.
But, although web access from internal machines works fine, the outside world cannot 
get to my
mail, IMAP and www servers.
Is there an additional step or command required for this with Dach-ipsec?
My older (non-ipsec) dach boot disk port-fw just fine (back running on it now -- but 
no VPN).
A diff of the two network.conf files is below.
Could the IP_SPOOF stuff be a problem?
I have not modified those lines from the default network.conf that came with the 
respective images.
IP_SPOOF shouldn't be causing your problems.  IPSec can do some funny 
things with routing, depending on how you've got it setup, which is 
about the only thing I can think of that might be causing your problems.

Please provide the output of the following commands, *WITH* any IPSec 
connections up and running:

  net ipfilter list
  ip addr
  ip route
--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] set MAC address manually on eepro100 card

2004-01-14 Thread Charles Steinkuehler
Geoff Nordli wrote:

Thanks for the quick reply Charles.

I am using Bering-uClibc 2.0.1.  I looked in the modules file and didn't see
any comments regarding the ip link command.  Can you point me to some docs
that outline the command to put into the modules file?
I guess this never got officially released (was part of the Dachstein 
1.03 release that didn't quite make it, and I guess wasn't added to 
Bering either).

The mod to /etc/init.d/modutils should work fine for you, however, and 
can be found in the list archives:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg07441.html

While patch is unavailable on LRP, you shouldn't have much trouble 
manually applying the diffs (just add one line to /etc/init.d/modutils, 
and two comment lines to /etc/modules).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] set MAC address manually on eepro100 card

2004-01-13 Thread Charles Steinkuehler
Geoff Nordli wrote:
Hello Everyone.

I need to set the MAC address manually with a DHCP connection.  I know you
can do it with a static IP in the /etc/network/interfaces file but the
hwaddress option doesn't appear to work with dhcp.
I know it isn't a recommended practice, but I am replacing a server at a
remote location where the DSL provider tracks MAC addresses.  I would rather
do something in software than directly modify the eeprom on the card.
Does anyone know the trick?
IIRC, it's:
  ip link set <device> address <MAC addr>
There should be hooks to do this in the latest Dachstein (and I believe 
in Bering by proxy), so you can simply add the proper commands to your 
/etc/modules file (should be documentation in the comments at the top of 
the file).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Boot Bering from floppy, most Pkgs on CD

2003-12-30 Thread Charles Steinkuehler
Gene Smith wrote:
I am attempting to run Bering from a non-bootable CD which requires booting 
from floppy. I am presently running fine for over a year from two floppies but 
would like to have more packages than will fit on my two floppies. Is there 
explicit documentation on how to do this? (I found how to boot Bering from 
just CD and for Dach. how to boot from floppy and rest on CD.)

I think all I have to do is still go ahead and make a bootable CD (but can't 
boot it) 
The CD doesn't have to be bootable...it just has to have the packages 
you want on it.

and tweak my 1st floppy to just get packages from CD instead of 2nd 
floppy, 
...using the PKGPATH setting in the kernel command line.  You should 
setup the PKGPATH= and BOOT= settings as they would be for a bootable 
CD, and everything should work.

 plus add the cd drivers to initrd on my 1st floppy. I think this will
work.
Yes, it should work.

Pointers or suggestions most welcomed!
The Dachstein boot disk used for DachsteinCD is probably the closest 
example to follow, as I believe most Bering users make bootable CDs with 
a different bootloader (rather than a bootable CD).  The main difference 
between the Dachstein CD boot disk and one you'll make for Bering will 
be the disk size (1440K vs 1680K), and packages (I'd start with a full 
floppy version of Bering, while the Dachstein boot disk only has a 
minimal set of files for the bootloader, the kernel, and the initial 
ramdisk).  You can always convert to a 1440K disk and fewer files once 
you get the system reading packages off the CD.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Boot Bering from floppy, most Pkgs on CD

2003-12-30 Thread Charles Steinkuehler
Gene Smith wrote:

I do have a couple of questions still:

1. Should BOOT= point to my floppy since that is what I am actually booting 
from? (It also seems to work when pointing to the cdrom.) I saw somewhere in 
the documentation that BOOT= should point to a writable device for package 
backup and does not really specify the boot device.
The BOOT= should point to where you store your configured packages (ie: 
a writable media).  The name is somewhat misleading (if you're booting 
off CD), and is a hold-over from when LRP only used a single boot media.

2. The Dachstein boot from cd README (and one of Charles' previous posts) talk 
about search order, i.e., package[:searchorder]. When it says load multiple 
packages does this imply multiple instance of the package name will reside in 
memory, or does it mean that later packages of a particular name in the search 
path will overwrite earlier loaded packages with the same name?
The default is to load each package with the same name from where-ever 
it is found.  Rather than installing 2 (or more) copies of the same 
package, the files installed first are overwritten by files from the 
package(s) installed later.  Typically when using more than one boot 
media, the 'bulk' of a package (including the large binaries and default 
configuration files) are loaded from a large repository (like a CD-ROM), 
while the configuration files (created by doing a 'partial' backup in 
lrcfg) are stored on the writable media.

The optional searchorder specification can be used in rare situations 
when the default searchorder and loading multiple copies of the same 
package is not desired.  I haven't personally needed to use the 
searchorder option, but it might be handy in some instances, especially 
with odd combinations of sources (ie: not CDROM/floppy) for loading 
packages.

Anyhow, my two floppy disk system now uses one floppy and a cd, and it now 
restarts with no operator intervention if power cycled (no 2nd floppy and 
hitting enter). Next step, add some more packages to the cd.
Good news!  Holler if you have any more questions...

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Change an IP address on the fly

2003-12-24 Thread Charles Steinkuehler
Malcolm Miles wrote:
Probably more a Linux question than a Bering one; after you change an
Ethernet device's IP address in network.conf, what command will
configure the device with the new address without having to reboot the
box?
On systems using network.conf (Dachstein, Eiger, etc), you want to use 
the 'net' command (same as 'svi network'):

# net
Usage: net start|stop|reload
   net ifup|ifdown|ifreset eth0|eth1|eth2|eth3|eth4|eth5|all
   net ipfilter load|flush|reload
   net ipfilter list [input|output|forward|autofw|mfw|portfw]
   net ipfilter list masq|masquerade
You can start and stop individual interfaces, reload the firewall rules, 
or restart all networking.

The following will configure your interface with the new IP:
  net ifreset <interface>
...although you might be better off with reloading everything, to make 
sure your firewall rules match your new settings:
  net reload

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] e1000 module (version 4.3.15) for Dachstein?

2003-12-22 Thread Charles Steinkuehler
Miguel De Avila wrote:
Does anyone have the compiled e1000 module (version 4.3.15) for the Intel 
Pro/1000 MT Dual Port nic? I believe that the 4.3.15 version of the driver 
is the most recent one for 2.2 kernels.

I'm using Dachstein v1.0.2, which has version 3.0.16. Unfortunately when I 
try and load the module I get

   insmod: init_module: e1000: Device or resource busy.

I'm running on a Dell PowerEdge 650. I'm hoping that a new version of the 
driver will do the trick.
You'll probably have to build this yourself, unless someone else on-list 
has done so already and can send you the binary.

The required patches and a script to turn a 'virgin' kernel.org source 
tarball into a source tree for the Dachstein kernel are available (see 
the Readme file):
http://leaf-project.org/devel/cstein/files/kernels/Dachstein-source.tar.gz

Note that the intel makefile assumes you're compiling on the same system 
you're building the driver for (highly unlikely in this case), so you'll 
have to short-circuit the automatic 'find the kernel source directory' 
code in the makefile to compile against the Dachstein kernel.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] 2 VPN Clients through Bering

2003-12-21 Thread Charles Steinkuehler
Lynn Avants wrote:
On Wednesday 17 December 2003 08:33 am, John J. Orsini wrote:
Leaf Users,
This is a general question about the capability of Bering.  I am trying to
connect 2 VPN clients from inside my network to their respective VPN
concentrators.  I have successfully set up the Cisco VPN client to
communicate to my wife's company.  One of the clients is a Cisco and the
other is for Checkpoint.  My question is, does Bering support VPN pass thru
like a Linksys or Dlink router?  Is there a way to set up Bering so that it
works dynamically, instead of setting up all of the portforwarding and
firewall rules by hand. Please let me know.
At this time, the Linux firewalling programs have no way of dynamically 
port-forwarding more than one pass-through service (such as Ipsec) on
a single port (ie... 500). I know many of the DLinks are running Cisco IOS,
but I can't explain how they accomplish this feat even on IOS.
Simple answer no.
You can have multiple VPN clients behind a linux firewall if they're 
using the recent NAT traversal configuration.  IIRC, instead of using 
protocols 50/51 for the IPSec data, *ALL* data is sent via UDP, allowing 
VPN connections to traverse standard NAT/masquerading firewalls.

AFAIK, this would be something you would setup in your VPN software, and 
should 'just work' with most default firewall configurations.

Note that FreeS/WAN requires a patch to support this functionality, if 
you're planning on using linux as one (or both) of the endpoints.

Of course, it's still possible to setup one system for pretty much any 
VPN flavor using port/protocol forwarding, and there may be some 
advanced conntrack modules in 2.4 that do fancy things with IPSec 
packets, but I'm stuck in 2.2 kernel land (for IPSec, anyway) so am not 
familiar with what new features might be in 2.4.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Moving from Dachstein to Bering

2003-12-18 Thread Charles Steinkuehler
Eddie Wilson wrote:

Hi Charles,

I do have the /29 being routed as you expected. I have had them assigned to 
the same interface as the p-t-p /30 address for the last 2 years and 
running fine.

If there is a better (correct) way of doing this I would be grateful for 
any advice.

Ipsec included with Bering rc3 is 1.97. I changed _startklips back to use 
ifconfig as I already had ifconfig loaded to support wanpipe. It seems to 
configure the proper address now. I will test tonight.
Let us all know if it works using the ifconfig command.  If so, this 
should be considered a bug that should be fixed.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Moving from Dachstein to Bering

2003-12-18 Thread Charles Steinkuehler
Charles Steinkuehler wrote:
Eddie Wilson wrote:

Hi Charles,

I do have the /29 being routed as you expected. I have had them assigned to 
the same interface as the p-t-p /30 address for the last 2 years and 
running fine.

If there is a better (correct) way of doing this I would be grateful for 
any advice.

Ipsec included with Bering rc3 is 1.97. I changed _startklips back to use 
ifconfig as I already had ifconfig loaded to support wanpipe. It seems to 
configure the proper address now. I will test tonight.
Let us all know if it works using the ifconfig command.  If so, this 
should be considered a bug that should be fixed.
OK, I checked into the modified scripts used by the Bering IPSec, and 
found the problem.  The relevant portion of the original Bering 
klipsinterface () procedure looks like the following:

#Bering
#    eval `ifconfig $phys |
#    awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
#        gsub(/:/, " ", $0)
#        print "addr=" $3
#        other = $5
#        if ($4 == "Bcast")
#            print "type=broadcast"
#        else if ($4 == "P-t-P")
#            print "type=pointopoint"
    eval `ip addr show $phys primary |
    awk '$1 == "inet" {
        print "addr=" $2
        other = $4
        if ($3 == "brd")
            print "type=broadcast"
        else if ($3 == "peer")
            print "type=peer"
        else if (NF == 5) {
            print "type="
            other = ""
        } else
            print "type=unknown"
        print "otheraddr=" other
#        print "mask=" $NF
        gsub(/\//, " ", $0)
#/Bering
The problem is with the ip addr show $phys primary, which will return 
*MORE THAN ONE* ip address if there are multiple subnets, vs. ifconfig, 
which will only return a single IP address:

[EMAIL PROTECTED] root]# ip addr show eth0 primary
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:19:e8:c2 brd ff:ff:ff:ff:ff:ff
    inet 216.171.153.135/26 brd 216.171.153.191 scope global eth0
    inet 216.171.153.136/24 brd 216.171.153.255 scope global eth0:0
[EMAIL PROTECTED] root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:02:B3:19:E8:C2
          inet addr:216.171.153.135  Bcast:216.171.153.191  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14033505 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4948976 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10938 txqueuelen:1000
          RX bytes:1904105932 (1815.8 Mb)  TX bytes:596400118 (568.7 Mb)
          Interrupt:5 Base address:0xef00 Memory:ffafe000-ffafe038

This causes the awk code to output multiple sets of configuration data, 
with the later (and undesired) IP address(es) overriding the desired 
primary IP address.

This problem can easily be fixed by changing:

  eval `ip addr show $phys primary |

to:

  eval `ip addr show $phys primary | grep inet | sed -n 1p |

...which works, but is kind of slow and fires off several extra 
processes.  There's probably a way to do this entirely in Awk (ignoring 
all but the first line that matches 'inet'), but I'm not fluent enough 
with awk code to know how to do this.

Can the current maintainer of the Bering ipsec package add the above 
tweak, or massage the awk code to do the same thing?

--
Charles Steinkuehler
[EMAIL PROTECTED]
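As an added example (not Charles's code and not the Bering/FreeS/WAN _startklips script), here is the awk-only variant the post asks for: awk's exit stops processing after the first inet line, so a second alias address can never override the primary one, and no extra grep/sed processes are needed. The `ip addr show` output is constructed to mirror the listing above, and extract_primary and primary_addr are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pick out ONLY the first "inet" line of
# `ip addr show <if> primary` inside awk itself, so an alias on a second
# subnet cannot override the primary address (the bug described above).

# Constructed sample of `ip addr show eth0 primary`, modelled on the post:
# a primary /26 plus an alias on a /24 (eth0:0).
sample_ip_output='4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:19:e8:c2 brd ff:ff:ff:ff:ff:ff
    inet 216.171.153.135/26 brd 216.171.153.191 scope global eth0
    inet 216.171.153.136/24 brd 216.171.153.255 scope global eth0:0'

# extract_primary: read `ip addr show` output on stdin and print the shell
# assignments a klipsinterface()-style eval expects (addr, mask, type,
# otheraddr), using only the first inet line.  mask is the prefix length
# as ip reports it, not a dotted netmask.
extract_primary() {
    awk '$1 == "inet" {
        split($2, a, "/")          # "216.171.153.135/26" -> addr, prefix
        print "addr=" a[1]
        print "mask=" a[2]
        if ($3 == "brd") {
            print "type=broadcast"
            print "otheraddr=" $4
        } else if ($3 == "peer") {
            print "type=pointopoint"
            print "otheraddr=" $4
        } else {
            print "type="
            print "otheraddr="
        }
        exit                        # stop after the first inet line
    }'
}

# primary_addr IFACE: convenience wrapper that returns just the primary
# address of a live interface, e.g. for a quick check from a shell prompt.
primary_addr() {
    ip addr show "$1" primary | extract_primary | sed -n 's/^addr=//p'
}

# Demo on the constructed sample (no live interface needed): exactly one
# addr= line comes out, and it is the /26 primary, not the /24 alias.
printf '%s\n' "$sample_ip_output" | extract_primary
```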


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] Moving from Dachstein to Bering

2003-12-17 Thread Charles Steinkuehler
Eddie Wilson wrote:
I've included an ipsec-barf to demonstrate ipsec0 being assigned to an 
address other than the primary for that interface.
<very helpful IPSec barf snipped>

-Original Message-
From:   Eddie Wilson [SMTP:[EMAIL PROTECTED]
Sent:   Saturday, December 13, 2003 9:48 AM
To: '[EMAIL PROTECTED]'
Subject:[leaf-user] Moving from Dachstein to Bering
While moving from DachsteinCD to Bering rc3 I've run into ipsec0 being
assigned to the last of my public address range instead of the first. Does
anyone know of a way to change this back?
Maybe use an older version of IPSec? <only slightly kidding>

I suspect the newer version of IPSec included with Bering is causing 
your problems, with an additional possibility being differences between 
the 2.2 and the 2.4 kernel (especially when handling odd IP assignments 
like you seem to have).

It looks like you've got a /30 point-point link on the external 
interface, then two /32 IP's from who-knows-where that are also assigned 
directly to the external interface.

I can suggest you try using:
  interfaces="ipsec0=wp1fr659"
instead of the current %defaultroute, but I doubt that will help.

If at all possible, assigning your extra public IP addresses differently 
would probably help (perhaps assigning them to a DMZ interface, or a 
'spare' NIC added to the system?).  If you could explain a bit more 
about exactly how your ISP is assigning you your public IP's (and 
routing them to you), a more conventional IP configuration might present 
itself, as well.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Moving from Dachstein to Bering

2003-12-17 Thread Charles Steinkuehler
Eddie Wilson wrote:

Thanks Charles. I tried changing the interfaces statement and the result 
was as expected. I am not sure how I would assign the extra addresses 
differently. I am assigning the p-t-p address in my wanpipe configuration 
and adding 2 of the extra 6 I have through Shorewall-NAT, as suggested in 
the Shorewall docs.
Do you have a /29 being routed to you by your ISP (8 IP addresses w/6 
usable)?  If so, that makes more sense, and typically these IP's would 
be assigned to a separate interface, rather than the primary external 
interface.

I think your problems could be resulting from the fact that you have 
IP's on more than one subnet assigned to your external interface, which 
is not very common (note that multiple IP's on the *SAME* subnet is 
fairly common, and AFAIK works with IPSec).

To get this thing running, I would even be willing to hard code the address 
in the script if I knew where to make the edit.
I'm not sure if the IP address for ipsec0 is assigned by the startup 
scripts or by compiled code (likely pluto).

You might try grepping for interfaces or %defaultroute in the ipsec 
scripts...you might be able to easily find where the IP address is being 
determined/assigned.  If so, you may be able to either tweak the scripts 
or hard-code something to get everything working.

I'm not sure if the newer IPSec included with Bering works the same as 
the Dachstein version I'm running, but if it's similar, you want to look 
at the klipsinterface() procedure in /usr/local/lib/ipsec/_startklips

In the IPSec I'm running (V1.91), the following portion of code is 
responsible for reading the network settings which are eventually 
assigned to ipsec0 (including IP address) directly from the physical 
interface:

# set up a Klips interface
klipsinterface() {
	# pull apart the interface spec
	<snip>

	# figure out ifconfig for interface
	addr=
	eval `ifconfig $phys |
		awk '$1 == "inet" && $2 ~ /^addr:/ && $4 ~ /^Mask:/ {
			gsub(/:/, " ", $0)
			print "addr=" $3
			if ($4 == "Bcast")
				print "type=broadcast"
			else if ($4 == "P-t-P")
				print "type=pointopoint"
			else
				print "type="
			print "otheraddr=" $5
			print "mask=" $7
		}'`
You should be able to modify this (or hard-code it) to work with your 
system, assuming there's something similar in your version of IPSec (I'm 
not real familiar with the IPSec version shipped with Bering...sorry!).

NOTE:  If you copy the code between the ` marks (ie: starting with 
ifconfig and ending with }' ) and paste it into a shell window, you can 
easily see what settings are getting extracted by this code, and test 
any potential changes w/o having to mess with stopping/restarting IPSec.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Why run Squid in the DMZ?

2003-12-16 Thread Charles Steinkuehler
Craig Caughlin wrote:
Hi folks,
I see in Tom's documentation for Shorewall that he runs Squid
transparently on a box in his DMZ rather than on his LAN, and I'm just
curious why?
Without trying to speak for Tom, at least one reason to run Squid in a 
DMZ (or some other network besides the main internal net) is to allow 
true transparent proxying.

By definition, the clients of a transparent proxy do not realize they 
are actually using a proxy server.  By putting the Squid box outside the 
main network, internal clients simply access web sites as before.

Routing/firewall rules on the Shorewall box can then direct all port 80 
traffic to the Squid box, which will transparently proxy/cache the 
requests.

If the squid box was on the internal net, it would not be truly 
transparent to the clients, who could easily tell their requests were 
being proxied and answered by a local system.  There would also be some 
amount of low-level confusion caused by this setup, perhaps enough to 
break basic web functionality (depends somewhat on exactly how 
everything is setup, as well as the OS's & TCP/IP stacks involved).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Mail Server / DNS server behind Dachstien firewall

2003-12-09 Thread Charles Steinkuehler
Tibbs, Richard wrote:
My question is this:

Are there other legal forms of the INTERN_blah_SERVER statements that accomplish port forwarding? I am thinking I need a statement like:

INTERN_DNS_SERVER internal IP of WIN2003 box to obtain appropriate port forwarding for tcp/udp port 53.
No...you need to use the INTERN_SERVERS variable, along with opening the 
appropriate ports.

I have tried using the generic form of port forwarding via lrcfg of network.conf, e.g.

INTERN_SERVERS quoted list of stuff in conjunction with the above mentioned statements, but it doesn't seem to work -- even with the stock EXTERN_IP variable in place.

My basic config is

CONFIGDNS=YES 
eth0_IPADDR = static ip 
eth0_MASKLEN=26 
EXTERN_DHCP=NO 
EXTERN_TCP_PORT0="0/0 www"
EXTERN_TCP_PORT0="0/0 smtp"
EXTERN_TCP_PORT0="0/0 imap"
This is an indexed list...you need to increment the index, like so:

EXTERN_TCP_PORT0="0/0 www"
EXTERN_TCP_PORT1="0/0 smtp"
EXTERN_TCP_PORT2="0/0 imap"
INTERNAL_WWW_SERVER=192.168.x.y
INTERNAL_SMTP_SERVER=192.168.x.y
INTERNAL_IMAP_SERVER=192.168.x.y

and according to weblet I have port forwarding active for all three services.
In addition to the above, to port-forward DNS, you'll also need the 
following:

EXTERN_UDP_PORT0="0/0 domain"
EXTERN_TCP_PORT3="0/0 domain"
INTERN_SERVERS="tcp_${EXTERN_IP}_domain_192.168.x.y_domain udp_${EXTERN_IP}_domain_192.168.x.y_domain"

Replacing 192.168.x.y with your actual internal IP, of course.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Bering on an IDE Hard drive

2003-11-29 Thread Charles Steinkuehler
Robert  Sabine von Knobloch wrote:
Can anyone help??

I have being trying to get a (fully working) Bering system from floppy to an
IDE hard drive. I have based my efforts on Charles Steinkuehler's How-to for
Dachstein. All goes well (Linux boots ok) until LINUXRC tries to load the
packages. Although syslinux.cfg points to /dev/hda1 for both boot and
packages, LINUXRC tries to open the floppy, fails and kills init
(successfully, the PC is then completely dead). with a Bering floppy in the
drive it still fails after not finding the modules.
While I'm not real familiar with bering, it sounds like you've got a 
problem finding the packages.

*EXACTLY* what do you have in your syslinux.cfg file?  There's likely a 
problem with your setting(s), but there's not enough detail above to tell.

Also, do you have pkgpath.cfg or lrpkg.cfg files on your hard-disk, and 
if so, what are the contents?

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: AW: [leaf-user] Bering on an IDE Hard drive

2003-11-29 Thread Charles Steinkuehler
Robert  Sabine von Knobloch wrote:

Thanks for a quick answer Charles.

my syslinux.cfg is:

display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
boot=/dev/hda1:msdos PKGPATH=/dev/hda1
LRP=root,etc,local,modules,iptables,keyboard,shorwall,ulogd,dnscache,weblet

and I do not have either pkgpath.cfg or lrpkg.cfg. I realise that your
'how-to' was not written for Bering, but no risk, no fun :-)
I found the floppy version so good that I wanted to expand it with fetchmail
& VPN etc. This is tricky on a floppy. Pure chance that I first chose
Bering, maybe I'll try Dachstein if this doesn't work ;-). The Shorewall
rules are easy for me to read and manipulate as they have a resemblance to
the layout of Check Point which I know very well.
Bering will run just fine off a hard-disk, so no need to back-pedal to 
Dachstein.  It looks like your syslinux.cfg file should work, assuming 
your LRP stuff is actually on /dev/hda1.  Depending on how you formatted 
the drive, you might need to use a different partition number, or 
possibly even the raw device (ie: /dev/hda, if you formatted with a 
floppy-type partition table that doesn't have more than one entry, which 
is common with things like zip drives and occasionally flash cards).

I suggest booting a 'rescue' disk (could be a bering floppy, tomsrtbt, 
your favorite linux distro's CD boot/recovery disk, or whatever).  Check 
the partition table on the drive, and verify you can mount it as 
/dev/hd(something).  When you've got the right device and mount 
parameters, add them to your bering syslinux.cfg file, and everything 
should work OK.  If you're still having problems at that point, post 
details to the list and we'll try to figure it out.

Also, IIRC there's a section of the Bering users guide that goes over 
getting setup to boot from a HDD:
http://leaf.sourceforge.net/doc/guide/bubooting.html

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] LRP apache http setup

2003-11-29 Thread Charles Steinkuehler
Kevin Kato wrote:

i uncommented to INTERN_WWW_SERVER and added the private ip numbers for the
server but port 80 is closed on eigerstein box.  when i nmap the eigerstein
box, http is not listed at all.  i'm lost...here!
Please keep the leaf-user list in the reply-to.

You have to make sure you allow port 80 requests through the external 
firewall rules, or the port-forwarding doesn't do any good (although 
internal clients should still be able to see the web server).  You can 
easily do this with the EXTERN_TCP_PORTS setting:

EXTERN_TCP_PORTS=0/0_80

or the EXTERN_TCP_PORTn indexed list (n starts at 1 and goes up to 
whatever is required).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] LRP apache http setup

2003-11-26 Thread Charles Steinkuehler
kevin wrote:
a little background information:

i am in the process of configuring and running a linux apache http 
webserver from my house and i had a few questions concerning my LRP. 
(eigerstein, basic configuration)  the web server will host my web pages 
for public viewing for now, and i will install a ftp server in the future.

right now my webserver is running apache, (slackware 9.0, with upgraded 
apache http 2.0)

the server can access itself:

http://127.0.0.1(i get the apache default page)
http://localhost(i get the apache default page)
http://localhost/test.html  (i get a web test page i created)
a windows client cannot access the server at all.
Sounds like you've got something messed up in your apache configuration.

Run 'netstat -lnp' on the webserver, and make sure apache is listening 
on port 80 of the network interface, and not just the loopback interface.

question, does the eigerstein hide all of the ports to the outside 
world?  i think it does, so is it possible to configure eigerstein to 
allow people to access my webserver?
Yes, using port-forwarding.  Simply uncomment the INTERN_WWW_SERVER 
setting, and set the IP address to the private IP assigned to your 
web-server machine.  People outside your network can then connect using 
the IP of your firewall (assuming you get apache fixed :).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] cdrom boot problem

2003-11-18 Thread Charles Steinkuehler
ALParada wrote:
Hello, I'm trying to get Bering 1.2 to boot from the CD. I would also
like to keep a few packages on the floppy since I'm not finished with
them yet and i'm still making changes. I have gotten as far as getting
the CD to boot and I have a working config just like the floppies.
However when it gets to the point of loading the packages it looks
briefly at the FD and then just goes from the CD. I tried adding a
package:F to the isolinux file but to no avail. I tried adding an lrpcfg
file to the file with the new packages and the same thing. It looks like
it goes to read the FD finds nothing and goes on its merry way. If I
use the individual floppies it works and like I said the CD also works.
Am I missing something? Does it not work the way I think it does? Below
I have included the contents of the isolinux.cfg. And yes it is on one
line.
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0
boot=/dev/cdrom:iso9660 PKGPATH=/dev/cdrom:iso9660,/dev/fd0:msdos
LRP=root,etc:R,local,modules,iptables,libz,sshd,shorwall:R,snort:R,dnsca
che,tinyprox:R,sftp,ulogd,weblet:R,squid_2:R
If Bering is using the modified package loading scripts I created for 
Dachstein (which I believe is the case), your problem is with the boot= 
and PKGPATH= settings, above.  You have the CD-ROM in both, but it 
should only be in one.  Try the following:

boot=/dev/fd0:msdos PKGPATH=/dev/cdrom:iso9660

The naming of the boot= setting is somewhat misleading, due to 
historical reasons, and really indicates the location of your write-able 
media for storing configuration changes.

With the fixed boot= and PKGPATH= settings, if you have a package on 
both the CD-ROM and on the floppy, using package:R should load the 
package off the floppy and stop, ignoring whatever's on the CD-ROM.

From my Dachstein-CD README:
http://www.leaf-project.org/devel/cstein/files/diskimages/dachstein-CD/README.txt
  package[:searchorder][,package[:searchorder]]

  package is an LRP package file (without the .lrp extension)
  searchorder controls the package load behavior, and is one of:
    f forward search, load multiple packages *DEFAULT*
    F forward search, load first package found and stop
    r reverse search, load multiple packages
    R reverse search, load first package found and stop
  A forward search starts with the PKGPATH entries (read right to
    left) and looks at the boot= device last
  A reverse search starts with the boot= device, and goes through
    the PKGPATH entries (read left to right)
Note package:R looks at the boot= device first.  By making boot= point 
to your CD, and adding your floppy drive to the PKGPATH= setting, you 
effectively reversed what would be the normal load order (CD first, 
floppy last) for a CD-ROM system with configuration stored on the floppy.

HTH,

--
Charles Steinkuehler
[EMAIL PROTECTED]
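To make the search-order rules quoted above concrete, here is an added sh sketch (not the Dachstein/Bering linuxrc code) that works out which devices a package lookup visits, in which order, and where it stops for the F and R forms; it reproduces why the poster's isolinux.cfg loaded from the CD and why the suggested boot=/PKGPATH= swap fixes it. The device names and the list of devices that "hold" a package are constructed, and search_order and loads_from are hypothetical function names.

```shell
#!/bin/sh
# Added example: model the package[:searchorder] lookup rules.

# search_order BOOTDEV PKGPATH SPEC
#   BOOTDEV  the boot= device, e.g. /dev/fd0:msdos
#   PKGPATH  the PKGPATH= value, comma separated
#   SPEC     package[:searchorder], searchorder one of f F r R (default f)
# Prints the devices to try, one per line, first to try first.
search_order() {
    boot=$1
    pkgpath=$2
    spec=$3
    order=${spec#*:}
    [ "$order" = "$spec" ] && order=f     # no ":x" suffix -> default f
    case $order in
        f|F)  # forward: PKGPATH entries right to left, boot= device last
            printf '%s\n' "$pkgpath" | tr ',' '\n' | sed '1!G;h;$!d'
            printf '%s\n' "$boot" ;;
        r|R)  # reverse: boot= device first, then PKGPATH left to right
            printf '%s\n' "$boot"
            printf '%s\n' "$pkgpath" | tr ',' '\n' ;;
        *)  echo "bad searchorder: $order" >&2; return 1 ;;
    esac
}

# loads_from BOOTDEV PKGPATH SPEC DEV...
#   DEV... are the (constructed) devices that actually hold the package.
# Prints the device(s) the package would be loaded from: every hit for
# f/r, only the first hit for F/R.
loads_from() {
    boot=$1; pkgpath=$2; spec=$3; shift 3
    present=" $* "
    order=${spec#*:}; [ "$order" = "$spec" ] && order=f
    search_order "$boot" "$pkgpath" "$spec" | while read -r dev; do
        case "$present" in *" $dev "*)
            printf '%s\n' "$dev"
            case $order in F|R) break ;; esac ;;
        esac
    done
}

# The poster's isolinux.cfg versus the suggested fix, for a package that
# sits on both the CD and the floppy (constructed):
echo "as posted:  $(loads_from /dev/cdrom:iso9660 /dev/cdrom:iso9660,/dev/fd0:msdos etc:R /dev/cdrom:iso9660 /dev/fd0:msdos)"
echo "suggested:  $(loads_from /dev/fd0:msdos /dev/cdrom:iso9660 etc:R /dev/cdrom:iso9660 /dev/fd0:msdos)"
```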




Re: [leaf-user] Success report! / Dachstein question . . .

2003-11-17 Thread Charles Steinkuehler
Terry of Astoria wrote:
I'm pretty sure that the firewall is merely doing its job and I've got
nothing to worry about, but just how to interpret the log messages here.
Heh.
Yup.  The firewall's doing its job.

   What's the best way for me to learn this stuff? 
  Thanks again!
Ask questions and start absorbing information!  Specifically regarding 
log messages like the following, start with the protocol & port numbers, 
and look up the services in a reference (anything from /etc/services to 
the mountains of RFC's...sounds like you already found a couple places 
to check this online) to see what they are.  If you don't know what a 
service is, start reading up on that to your heart's content.

Nov 16 06:42:04 firewall syslogd 1.3-3#31.slink1: restart.
Nov 16 06:43:35 firewall kernel: Packet log: input DENY eth0 PROTO=17
10.215.128.1:67 255.255.255.255:68 L=333 S=0x00 I=25419 F=0x T=255
(#8) 
Nov 16 06:43:35 firewall kernel: Packet log: input DENY eth0 PROTO=17
10.215.128.1:67 255.255.255.255:68 L=343 S=0x00 I=25421 F=0x T=255
(#8) 
Nov 16 06:45:56 firewall kernel: Packet log: input DENY eth0 PROTO=17
172.29.78.1:67 255.255.255.255:68 L=363 S=0x00 I=25537 F=0x T=255
(#9) 
Nov 16 06:45:56 firewall kernel: Packet log: input DENY eth0 PROTO=17
10.215.128.1:67 255.255.255.255:68 L=363 S=0x00 I=25539 F=0x T=255
(#8) 
Nov 16 06:46:43 firewall kernel: Packet log: input DENY eth0 PROTO=17
10.207.5.1:67 255.255.255.255:68 L=363 S=0x00 I=25571 F=0x T=255
(#8)
These are all DHCP response packets.  The DHCP servers (at least 3 
different systems) are all on private IP space, sending responses to the 
broadcast (all 1's, or 255.255.255.255) IP address (since a dynamic 
client doesn't have an IP address, it talks to the dhcp server with 
broadcast packets).

Since you're on a cable modem, you're probably seeing traffic from 
'neighbors' (could be quite far away, depending on your cable system's 
network architecture).  Windows boxes have a nasty habit of sending 
broadcast traffic out *ALL* interfaces, so if anyone on the same 
cable-modem network segment as yourself is running a 'doze box as a 
firewall and dhcp server, you'll see the sort of traffic you list above.

The firewall rules are blocking the traffic because of the private IP 
source address.

--
Charles Steinkuehler
[EMAIL PROTECTED]
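As an added example (not part of the original post), the following sh/awk filter labels ipchains "Packet log:" lines of the form quoted above, so the pattern Charles describes, DHCP server replies from private address space arriving on the external interface, stands out from other denied traffic. The first two sample lines are copied from the post; the third, a TCP packet from documentation address space, is constructed to show the non-DHCP path, and classify_packet_log is a hypothetical name.

```shell
#!/bin/sh
# Added example: classify ipchains "Packet log:" entries.

sample_log='Nov 16 06:43:35 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.215.128.1:67 255.255.255.255:68 L=333 S=0x00 I=25419 F=0x T=255 (#8)
Nov 16 06:45:56 firewall kernel: Packet log: input DENY eth0 PROTO=17 172.29.78.1:67 255.255.255.255:68 L=363 S=0x00 I=25537 F=0x T=255 (#9)
Nov 16 06:46:43 firewall kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 192.0.2.10:22 L=60 S=0x00 I=1 F=0x T=64 (#12)'

# classify_packet_log: stdin -> one summary line per "Packet log:" entry:
#   <chain> <target> <iface> <proto> <src>:<sport> -> <dst>:<dport> [note]
classify_packet_log() {
    awk '
    # is_private(ip): RFC 1918 space (10/8, 172.16/12, 192.168/16)
    function is_private(ip,    o) {
        split(ip, o, ".")
        return (o[1] == 10) || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    /Packet log:/ {
        # fields after the "log:" token come in a fixed order:
        # chain target iface PROTO=n src:port dst:port ...
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i+1); target = $(i+2); iface = $(i+3)
        proto = substr($(i+4), 7)                 # drop "PROTO="
        split($(i+5), s, ":"); split($(i+6), d, ":")
        if (proto == 17) pname = "udp"
        else if (proto == 6) pname = "tcp"
        else if (proto == 1) pname = "icmp"
        else pname = "proto" proto
        line = chain " " target " " iface " " pname " " s[1] ":" s[2] " -> " d[1] ":" d[2]
        # bootps (67) -> bootpc (68) to the limited broadcast is a DHCP reply;
        # from a private source on the outside interface it is a neighbour
        # leaking broadcasts, exactly the case discussed above.
        if (pname == "udp" && s[2] == 67 && d[2] == 68 && d[1] == "255.255.255.255")
            line = line (is_private(s[1]) ? " dhcp-reply-from-private-src" : " dhcp-reply")
        else if (is_private(s[1]))
            line = line " private-src"
        print line
    }'
}

printf '%s\n' "$sample_log" | classify_packet_log
```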




[leaf-user] Re: Howdy !

2003-11-05 Thread Charles Steinkuehler
Please direct support questions through the leaf-user list.

Brian Duke wrote:

I do have a question. Is there a cdrom version of Bering?

I didnt see it jumping out at me but I thought I would ask.
I'm not sure if anyone maintains a CD-ROM version of Bering or not.  I 
know there are directions for making a CD in one of the Bering manuals.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] weblet (sh-httpd) bug - How to Patch please

2003-10-29 Thread Charles Steinkuehler
Darcy Parker wrote:
Good day All,

  I have gone to the website and created the patch file as per the
directions below.  How do I apply this patch? (Excuse me for being new to
Linux but you have to start somewhere).
By using the patch program, of course. :)  Typically the command would 
look something like:

  cd /location/of/sh-httpd
  patch < /location/of/patchfile
Of course, I don't think this has been compiled for LEAF, so you'll need 
to run it on a more conventional linux install.  For a small patch like 
the one for sh-httpd, it's usually just as easy to hand apply the 
changes.  The patchfile format is fairly easy to understand by simple 
observation, but a few comments:

- The original files used to create the patch are noted at the top of 
the patch file (by the --- and +++ lines).

- The @@ lines list the line # and number of lines in each file for the 
following chunk

- The lines starting with a space in the left-hand column are not part 
of the patch, but are just for providing context (so the patch can still 
be applied if there are a few lines more or less in your version of the 
file vs the file used to make the patch)

- The lines with a dash (-) in the left-hand column are deleted from the 
input file

- The lines with a plus (+) in the left-hand column are added to the 
input file

Now, on to some comments about the patch itself.  There actually is a 
problem with the first two chunks.  By surrounding the argument to set 
with quotes, it defeats the entire purpose of using set to separate the 
argument into smaller chunks.  The problem with expanding * can be taken 
care of by turning off globbing with set -f:

@@ -31,7 +31,7 @@

 bname() {
local IFS='/'
set -f
set -- $1
eval rc=\$$#
[ $rc =  ]  eval rc=\$$(($# - 1))
echo $rc
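Review bot: the set -f line added to bname() in this hunk carries no leading + marker (compare "+   set -f" in the second hunk), so patch would read it as context and fail to apply; and because set -f is shell-global state that "local IFS" does not scope, bname() leaves globbing switched off for its caller after it returns. Suggest marking the line as "+	set -f" and restoring it with "set +f" right after the "set -- $1" line, once $1 has been split.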
@@ -262,7 +262,7 @@
# Split URI into base and query string at ?
IFS='?'
+   set -f
set -- $URI
QUERY_STRING=$2
URL=$1
IFS=$OIFS
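Review bot: this hunk turns globbing off before "set -- $URI" but never turns it back on; unlike IFS, which is explicitly restored by "IFS=$OIFS", the -f option stays in effect for the rest of the request handling. Suggest a matching "+	set +f" line directly after "set -- $URI", so the URI is split with globbing disabled and normal shell behaviour resumes afterwards.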
I think above will work, but if there's a side-effect from setting -f in 
the second chunk, it can be undone with set +f following the set -- 
$URI line.

I think the third chunk I posted previously will work as-is.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] LEAF on compact flash

2003-10-29 Thread Charles Steinkuehler
John P. Looney wrote:
 Does anyone have LEAF images that can be 'dd' onto a CF card? What size
ones are needed ?
 I'm looking to have a LEAF box running Quagga (the forked version of
Zebra), and CF would be a lot nicer than a floppy.
Typically, you don't 'dd' an image onto a CF card.  You would normally 
treat the CF card as a hard-disk.  Once you partition & format a 
suitable area of the CF card, you can copy the syslinux boot-loader and 
the files that make up the LEAF distribution you want to use.

If you're not real familiar with using CF cards, you may want to get 
plain 'ole DOS booting off of it first, to make sure you've properly 
formatted your CF card, configured your BIOS, etc.  Then you can get 
LEAF running, and you can be pretty sure any problems you encounter need 
to be solved on the linux side.

Normally, the main thing you'll need to tweak is the kernel command line 
(to tell LEAF where to find its packages, since you're not booting off 
the floppy disk), and possibly load the proper drivers for your CF card 
(typically just the IDE drivers, if they're not compiled into the 
kernel).  The instructions for installing your chosen LEAF variant (I 
suggest Bering) on a hard-disk are a good starting point, and you can 
post to the list if you run into any problems.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Full Duplex

2003-10-29 Thread Charles Steinkuehler
ALParada wrote:
Hello,

Does anyone know how to hard-code full duplex on Bering? The NIC's are
the netgear FA312 and they are using the natsemi.o
Grab & compile the natsemi-diag.c code available on the scyld site:
http://www.scyld.com/diag
Once you've got that built (note you can build a static binary on any 
linux system if you don't have a LEAF build environment handy), use the 
-F option to force the link mode.  More information on the diag page:
http://www.scyld.com/diag#pci-use

I had to do this with a tulip based card to get it to run full-duplex at 
a colo site where the 100 MBit switches didn't support auto-negotiation, 
and it worked like a champ.

--
Charles Steinkuehler
[EMAIL PROTECTED]




[leaf-user] weblet (sh-httpd) bug

2003-10-28 Thread Charles Steinkuehler
Looks like someone found another bug in sh-httpd:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/012776.html
The first 2 chunks of the patch supplied look OK, although I have not 
personally tested them.  The third (and last) chunk of the patch should 
probably be tweaked to the following (again, not actually tested):

@@ -292,7 +292,7 @@
fi
-   DIR=`dname $URL`
+   DIR=`dname \$URL\`
-   FILE=`bname $URL`
+   FILE=`bname \$URL\`
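Review bot: the header "@@ -292,7 +292,7 @@" promises seven lines on each side, but only the "fi" context line and the two changed pairs are shown, so patch will reject the hunk as malformed unless the trailing context lines are restored (or the counts are adjusted to "-292,3 +292,3"). Quoting the $URL argument to dname and bname is the right idea: it stops the shell from word-splitting or glob-expanding the URL before the functions see it.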
Note that this bug is not a serious security issue if you have not 
allowed external internet access to the weblet server (blocked by 
default in all LEAF variants, so you'd have to explicitly enable access).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Fw: host.allow questions

2003-10-16 Thread Charles Steinkuehler
ALParada wrote:
Hello,

I am having a problem connecting to weblet. If I leave the hosts.allow
file at ALL: 192.168.63.0/255.255.255.0 it will work. If I change it to
just a host and not a subnet it fails. The smallest subnet I have been
able to use successfully is a /28. Everything smaller fails. I have
changed the weblet config file with the right IP address, I have added
the rules for shorewall to allow port 80 from loc, and inetd is
uncommented for www. Like I said with a /24 subnet it works. SSH is
working correctly from a single host and the config for www is the same.
Telnet is also not working, period. Again the config is the same for
SSH. Is there something I'm missing?
Post back to the list if the info in previous e-mails doesn't get weblet 
working for you.

I also read something about bandwidth meter of sorts but can't find it.
Is this something that is not included in the default package?
The bandwidth meter consists of a very simple script (or a tiny C 
program for a few more features) on the firewall side, and a largish 
(considering floppy size constraints) java application that runs on the 
client side (web browser running on an internal machine).

I've not worked with bering enough to know what's packaged by default, 
but probably the firewall-side stuff is setup as part of weblet, but the 
java applet is not included to save space.  If this is the case, you can 
either add the applet to your firewall (if you have space), or just copy 
it directly to your local system.

Details on installing and running the bandwidth monitor (and any pieces 
you need but don't have) can be found on the lrpStat page:
http://www.leaf-project.org/devel/hejl/

It also looks like the bering guide refers you to my weblet page for 
additional documentation:
http://leaf.sourceforge.net/devel/cstein/Packages/weblet.htm

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] Types of DMZ - Dachstein

2003-10-14 Thread Charles Steinkuehler
Doug Sampson wrote:
Very useful information, Charles. Although I don't quite get what proxy-arp
really does and how it differs from, say, a strictly public DMZ. Perhaps a
short explanation here will help set my mind straight. I am confused
especially by the statement regarding separating the DMZ systems from the
raw upstream connection. What is the benefit in that?
In a traditional strictly public DMZ (DMZ=YES setting), the upstream 
link to your ISP and the DMZ have *DIFFERENT* IP address ranges.

With proxy-arp, the upstream link and the DMZ network IP ranges are the 
*SAME*.  Proxy-arp is the magic that connects systems through the 
firewall, but lets them think they're all on the same physical network 
segment.

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] Types of DMZ - Dachstein

2003-10-13 Thread Charles Steinkuehler
Doug Sampson wrote:
I'm using Dachstein CD 1.02 which works well in its present state. I would
like to add a DMZ using a second ethernet card. I see in the network.conf
file there are various types of DMZ- YES, PROXY, NAT, PRIVATE, and NO. I do
not know what a PROXY DMZ does nor do I know the purpose of a private DMZ.
Could someone explain what these are and under what conditions these may be
used.
The type of DMZ used mainly depends on how your ISP has allocated your IP 
number(s)/range.

DMZ=YES
This is a real DMZ...your ISP gives you a point-point link for your 
router/firewall, and routes a block of IP's to the upstream IP of your 
router.  If you're really in the big-leagues, you have your own class-C 
block and get your ISP(s) to advertise your routes to the backbones.

DMZ=PROXY
DMZ=NAT
DMZ=PRIVATE
These are all setup to move public IP's that would normally appear on 
your firewall/router to DMZ system(s) behind the firewall.  Typically 
one of these settings is used for cable-modem/xDSL connections where you 
spend a bit extra and get small number of static IP's.

DMZ=PROXY
This setting uses proxy-arp to separate your DMZ systems from the raw 
upstream connection.  The main benefit to using proxy-arp is your DMZ 
systems can have REAL PUBLIC IP's.  The main drawback is it's kind of 
complex to get the networking and firewall rules setup correctly, but 
that's now pretty easy since I folded support into the main Dachstein 
scripts for this sort of setup.

DMZ=NAT
This setting uses static-NAT to translate public IP's on your firewall 
to private-IPs used on your DMZ.  The biggest drawback to this setup is 
the fact that your DMZ systems do *NOT* run with their real public IP, 
which can confuse various protocols that embed IP information in the 
data portion of the packets.  This is just like the masquerading used 
for the internal systems, except there is a fixed, 1:1 relationship 
between a private IP on the DMZ network and a public IP on the upstream 
side of the firewall.

DMZ=PRIVATE
This is the least powerful DMZ flavor.  The firewall uses 
port-forwarding to send specific inbound traffic to system(s) on the 
DMZ.  This is also the only form of DMZ that can be setup if you only 
have one public IP from your ISP (all other flavors above require 
multiple public IP's from your ISP).

Since I am using Dachstein here at home and also at work, there are two
scenarios that I am contemplating using the DMZes. At home, I wish to add a
video-conferencing solution which requires it be placed in a DMZ. Failing
that DMZ requirement, it needs to have inbound ports turned on:
Port 1720 (TCP)
Ports 15328-15333 (TCP & UDP)
and outbound ports turned on:

Ports 1024-65535 (TCP & UDP)
Port 389 (LDAP)
Port 80 (HTTP)
What is the optimal solution for this scenario?

The second scenario (at work) calls for a web server, a virus mail scanner,
and a http proxy (squid) to be located in the DMZ. Which type of DMZ should
be used for this? I would think a PRIVATE DMZ would be used but again I am
not familiar with the various types of DMZes.
I look forward to a positive reply.
I suggest using proxy-arp DMZ's if at all possible on both ends 
(assuming you have multiple IP's you can allocate to DMZ systems).

Note there are a few tricks to setting up a proxy-arp DMZ (mainly in how 
you setup routing, and an understanding of the arp protocol and arp 
cache timeouts), so don't be afraid to ask for help with the config file 
details if you decide to setup this sort of DMZ.

--
Charles Steinkuehler
[EMAIL PROTECTED]



[leaf-user] Re: Leaf

2003-10-06 Thread Charles Steinkuehler
Bryan Greer wrote:
Hi again Charles,

Thank you for the rapid reply, I am sorry that mine is somewhat late as
things here have been extremely busy. I agree with your comments on the leaf
product and it will be difficult to configure anything to work in the manner
I suggested due to the fact that applications that are not errant look much
like those that are from the router's perspective. With all the malware out
there right now it is difficult to protect oneself from the myriad of
problems that seem to exist. Moreover, since it is difficult to train the
user to open only those emails that they recognise, one may still be
infected from the inside via malware attached to the inbound email. Closing
ports seems to provide a great start but there must be a way to inspect some
of the outbound packets and drop them even on allowable ports where a packet
might be suspect.
As I am someone who works with the micro$oft infected platform most of the
time and am just getting into the Linux platform, I am amazed that more
people are not using this OS. The swiss cheese of micro$oft really drives me
'round the bend as far as locking down a system particularly from a central
point, in a word, don't do it with anything but Linux. Hence the LEAF.
So, if you would be open to a question regarding the Eiger-Stein version of
the LEAF, I would be most grateful for any sort of an answer. In particular,
how and where does one set up a rule set for the internal side. Perhaps I
should also ask, how secure is the out of the box installation of this
product and what should be modified on both the public and private side. I
realise this might be a large question with an answer that might go on for
days, and certainly I would not impose upon your time in that manner, but
whatever gems you could pass on would be appreciated.
Again, thank you for your time.
Out of the box, an EigerStein (or the more recent Dachstein) firewall 
is quite secure at protecting your internal systems from the general 
noise of the internet (port-scanning, self-propagating worms, and 
similar).

There are some qualifiers, however.  Since the mountain releases use a 
2.2 kernel, the firewall rules cannot do stateful packet filtering (a 
feature added in 2.4 kernels and used by Bering/Shorewall).  Also, you 
need to realize that the mountain firewall scripts are designed to 
allow all traffic from internal systems out to the internet, while 
preventing un-requested inbound traffic from reaching your internal systems.

Note that this setup will *NOT* protect you if you download (or are 
e-mailed) a malicious program and run it on one of your internal 
systems.  Nor will this firewall setup stop things like Kazaa or other 
file-sharing programs from working.

There is no simple Secure/Insecure switch you can flip somewhere to 
secure your network.  You need to categorize the threats you wish to 
protect yourself against, and architect a security strategy that will 
address those threat vectors.  A good firewall is usually a necessary 
part of an overall security solution, but it is usually only a part.

--
Charles Steinkuehler
[EMAIL PROTECTED]
P.S.  Please continue to route all LEAF related questions through the 
leaf-user mailing list, rather than e-mailing me personally.  You can 
cc: me directly if you like.  Typically, clicking reply-all instead of 
simply reply will do this.




Re: [leaf-user] Dachstein, 2 internal nets routing

2003-09-26 Thread Charles Steinkuehler
Mark Bynum wrote:
All,

It shouldn't be this hard. All I'm trying to do is route between my two
internal networks of 192.168.1.0 and 192.168.2.0. Here is what I have:
INTERN_NET=192.168.1.0/24 192.168.2.0/24
eth1_ROUTES=192.168.2.0/24_via_192.168.2.254
eth2_ROUTES=192.168.1.0/24_via_192.168.1.254
eth1 is the 192.168.1.0 network, eth2 is the other one. I can ping
192.168.1.254 from the 192.168.2.0 network and also 192.168.2.254 from
the 192.168.1.0 network, but no other addresses on the opposite internal
networks. Connections to the outside world, through eth0, work fine.
I must be missing something, it's got me stumped.
As Victor mentioned, what you're missing is firewall rules.  By default, 
Dachstein does not forward packets between multiple internal networks.

You do *NOT* need any entries for eth1_ROUTES or eth2_ROUTES, since your 
firewall is directly connected to both internal networks.

To allow all traffic to be forwarded between your two internal networks, 
you should add an appropriate rule to /etc/ipchains.forward.  Something 
like:

$IPCH -I forward -j ACCEPT -s 192.168.1.0/24 -d 192.168.2.0/24 -b

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] Changing default backup location

2003-09-24 Thread Charles Steinkuehler
Robert Coffman - Info From Data Corporation wrote:
Is there a way to change the default backup location?  I can't find it
online or by browsing lrcfg
For which LEAF distribution/release?

On most LEAF systems, the default backup (and package loading) location 
is set via the kernel command line with:

boot=/dev/device

...typically found in syslinux.cfg on your boot floppy (the exact 
location of this option is dependent on the boot-loader you're using, 
and exactly how you're booting your system).

--
Charles Steinkuehler
[EMAIL PROTECTED]



[leaf-user] Re: Leaf

2003-09-19 Thread Charles Steinkuehler
Bryan Greer wrote:
Charles,

Just wanted to drop you a quick note regarding the Eiger - Stein version of
the leaf. Seems to be fairly good at keeping the script kiddies out and a
lot of unwanted idiots. My hat is off to you. I do have one question though,
that is, in light of the corruption out there on the web, there seems to be
a lot of system jacking going on with drive by malware. Is it possible to
tweak rules for the leaf for traffic flowing from the private side. By that
I mean, is it possible to set the leaf up as a Proxy with rules that allow
only certain traffic to flow out as well. It would seem that the product
that is already in place, while exceptional at defending us from the masses
of potential hackers and wanna-be's might be just what the Doctor ordered if
it was capable of defending the inner sanctum from the myriad of spy ware,
malware, trojans etc.
What you want is sort-of possible:

Start by blocking all outbound traffic, and only passing your approved 
traffic (like port 80 for web-browsing).  This will catch the really 
stupid mal-ware, and the typical desk-jockey trying to run unapproved apps.

The next step is to pass all allowed traffic through a transparent 
proxy, to ensure http traffic is really following the http protocols. 
This will stop slightly more advanced mal-ware, and some computer 
literate desk-jockeys.

What you really want to be doing is running an application level 
firewall on each workstation.  Something like zone alarm (or the many 
other commercially available products).  A product like this can check 
for *WHICH PROGRAM* is generating outbound traffic, and verify the 
program is on an approved list allowed to access the 'net (and do fancy 
things like keep cryptographic hashes of the program's binary on file, 
so if your system gets broken into and IE gets replaced, your firewall 
won't allow the traffic).

Once the packets are out of the originating system, there's really no 
reliable way to separate good traffic from bad traffic, if the bad 
traffic really wants to hide itself (try content inspection of https:// 
traffic, for instance, which you probably want to allow).

Again, thank you for bringing this tool to us.
I'm glad you found it useful!

--
Charles Steinkuehler
[EMAIL PROTECTED]
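The per-program check described in the reply above (approved program list plus a stored hash of each binary, so a replaced executable is refused even though its path is approved), as an added example that is not part of the thread and is not code from any LEAF package or from the products mentioned. The program paths are assumed for illustration and the "executables" are constructed byte strings, not real files.

```python
"""Added example, not from the leaf-user thread or any LEAF package:
the core decision an application-level firewall makes for outbound
traffic. A program may open connections only if its path is on the
approved list AND the binary on disk still hashes to the value recorded
when it was approved; a trojaned or replaced browser therefore fails
even though its path is approved. Paths are assumed; images are
constructed sample bytes."""
import hashlib
import hmac


def fingerprint(image: bytes) -> str:
    """SHA-256 of the executable image, recorded at approval time."""
    return hashlib.sha256(image).hexdigest()


def build_allowlist(approved: dict) -> dict:
    """approved maps program path -> executable bytes at approval time."""
    return {path: fingerprint(image) for path, image in approved.items()}


def outbound_allowed(allowlist: dict, path: str, image_on_disk: bytes) -> tuple:
    """Decide whether the program at `path` may open an outbound connection.
    Returns (allowed, reason). Unknown programs are denied by default."""
    expected = allowlist.get(path)
    if expected is None:
        return (False, "program not on approved list")
    actual = fingerprint(image_on_disk)
    # constant-time comparison of the hex digests
    if not hmac.compare_digest(expected, actual):
        return (False, "binary changed since approval")
    return (True, "ok")


# Constructed samples (assumed paths, made-up image bytes).
BROWSER_PATH = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
BROWSER_IMAGE = b"MZ\x90\x00 original browser image (constructed)"
TROJANED_IMAGE = b"MZ\x90\x00 original browser image (constructed) + backdoor"
MAILER_PATH = "C:\\Program Files\\Outlook\\outlook.exe"
MAILER_IMAGE = b"MZ\x90\x00 mail client image (constructed)"

ALLOWLIST = build_allowlist({BROWSER_PATH: BROWSER_IMAGE, MAILER_PATH: MAILER_IMAGE})


def demo() -> list:
    """Three decisions: untouched browser, replaced browser, unapproved program."""
    return [
        outbound_allowed(ALLOWLIST, BROWSER_PATH, BROWSER_IMAGE),
        outbound_allowed(ALLOWLIST, BROWSER_PATH, TROJANED_IMAGE),
        outbound_allowed(ALLOWLIST, "C:\\Temp\\kazaa.exe", b"MZ unapproved (constructed)"),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The second decision is the case the reply singles out: the path is approved, but the image no longer matches the recorded hash, so the connection is refused. Note that this only protects what happens on the originating host; once packets have left the machine the firewall has nothing comparable to go on, which is the point the reply makes about https traffic.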



Re: [leaf-user] Dachstein and ssh tunneling

2003-09-17 Thread Charles Steinkuehler
Alex McLintock wrote:
Hi folks,

I have a Dachstein firewall which I set up over a year ago - it works fine.

But I now want to make a couple of linux servers available to the outside 
world through ssh.

I thought about port forwarding - but I guess that wont cut the mustard for 
ssh.
SSH works fine when port-forwarded.  The only real constraint is you can 
only have one SSH listening on port 22.  I have ssh port-forwarded to 
several systems behind various firewalls, typically using ports 221-229 
(easy for me to remember), but you can use whatever ports you want.

I guess I have to run ssh on the firewall and do proper ssh port forwarding.

Is there an idiots guide to this that I should read including both the lrp 
package bits
and the ssh commands.
Start by looking at the -R and -L options to ssh.

-L listen-port:host:port   Forward local port to remote address
-R listen-port:host:port   Forward remote port to local address
--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] RE: leaf-use rDachstein lrpkg.cfg - BOOT_IMAGE=linux (nf!)

2003-09-07 Thread Charles Steinkuehler
Kevin wrote:
I am running a two floppy set and I have three files needed to cover both
floppies:
Disk 1

pkgpath.cfg
/dev/fd0u1440,/dev/fd1u1440
syslinux.cfg
display syslinux.dpy
timeout 0
default linux
append=load_ramdisk=1 initrd=root.lrp initrd_archive=minix
ramdisk_size=16384 root=/dev/ram0 boot=/dev/fd0u1440,msdos PKGPATH= LRP=
lrpkg.cfg
etc,ramlog,local,modules,ppp,dhcpd,dnscache,ifconfig,pppoe,weblet,sshd,oidentd,libz,psentry,jbuster
Pkgpath.cfg file contains your drive info and floppy size
syslinux.cfg file contains the path to load your programs
lrpkg.cfg file contains the programs to load to get around the 255 character
limit of syslinux.cfg
I have my programs split out between the two floppies, the lights bounce
back and forth during loading.
Message: 4
Date: Fri, 05 Sep 2003 14:42:48 -0700
From: Arnold Wiegert [EMAIL PROTECTED]
To:  [EMAIL PROTECTED]
Subject: [leaf-user] Dachstein  lrpkg.cfg - BOOT_IMAGE=linux (nf!)
I have specified a second floppy in syslinux.cfg and it is recognized
and does not seem to cause any error messages. I can mount this second
floppy and edit files on it.
When I  try to use the lrpkg.cfg file to extend the command line length,
as described in various messages on this list and other documentation,
to load more packages from the second floppy.
My boot floppy contains a file with a list of the modules taken from
syslinux.cfg, again, as described in the above messages.
But, as soon as I remove all LRP=  from syslinux.cfg, I get the
following message during boot-up:
LINUXRC: Installing - BOOT_IMAGE=linux(nf!) - finished
...
and then the system asks for a new Run Level and waits - only power
cycle will let me carry on.
BTW, my version is Dachstein 4.0.1

I have used the firewall for some time without any problems - so now a
got a bit bolder and was trying to add some more features, but :-( .
no joy at all.
Any help would be most appreciated.
The features you're trying to use should be in Dachstein (which Bering 
is based on), as I added them to allow easy support for booting from a 
CD-ROM and keeping config information on a separate media (typically a 
floppy or HDD).

I'm not sure what's going wrong.  I'd first suggest trying to use the 
PKGPATH= setting in syslinux.cfg rather than the pkgpath.cfg file, if at 
all possible.  This could help isolate the problem.

It would also be helpful to see *ALL* of the text spit out by linuxrc 
(or as much as you can write down), particularly the portions where it's 
mounting media.

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] reduce load on a bering box

2003-09-02 Thread Charles Steinkuehler
Robert Coffman - Info From Data Corporation wrote:
I'm not sure I can help with this, but I'd love to know what hardware you
are running this on.
Actually, I'd love to hear anyone's input on the capacities of their Bering
boxes, what they are doing with them, and what hardware they run on.
It's not running Bering, but my most-stressed LEAF based router is a 
P-II 366 w/64 Meg & 2 tulip-based NICs running Dachstein hooked to a 
Cogent 100 MB/s internet link (in front of a couple linux and one M$ 
server boxen).

This LEAF box routes 5-10 MBits/s constantly (5 minute averages), and 
was pegged at 80+ MB/s during *ALL* of siggraph (while we were 
streaming live video footage from the show floor through the Cogent uplink).

I have had no problems related to CPU load, lack of memory, or anything 
else with this box.  Although Dachstein is running the 2.2 kernel and 
ipchains, I would suspect similar or better performance from the 2.4 
kernel and iptables on similar hardware (the ip stack was cleaned up a 
lot to tweak networking performance in the 2.4 kernels).

The big question is what sort of hardware are you running (specifically 
CPU, motherboard chipset, and NIC chipset(s))?  If you expect to see 
wirespeed performance on multiple 100 MBit NICs, you need a good quality 
motherboard chipset and server-class NICs that do a good job of 
bus-mastering DMA data transfers, plus a fairly zippy CPU.  In other 
words, a bit more than your average 90 MHz Pentium-1 class system...not 
a full blown multi-GHz P4, but at least something along the lines of an 
intel BX chipset or newer, multi-100 MHz CPU (P-II class), and good NICs 
(I personally like the DEC derived 21xxx chipsets (tulip driver), but 
Intel's are reportedly pretty good too).

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] PPPoE, MTU, IPSEC and SNAT woes

2003-08-14 Thread Charles Steinkuehler
Lars Karlslund wrote:
Hello everyone,

Troubles again with subject ... let me explain the setup first:

LEAF/Bering box on PPPoE line at remote office. ppp0 MTU is 1492 - have
tried overriding in dsl-provider, but to no avail (doesn't do
anything?). ClampMSS is enabled in Shorewall.
Mandrake/Shorewall on regular Ethernet line at main office. 

They communicate using FreeSWAN IPSEC and has a VPN connection running.
I have added overridemtu=1350 to make sure packet sizes aren't the
problem.
Both firewall have ACCEPT all all ICMP as not to give problems with
PMTU discovery.
DNAT is configured, so the external PPPoE interface IP forwards
ssh-requests to an internal host across the VPN transparently. This is
done with SNAT.
Observations:
Pinging from an external IP-address to the PPPoE box works with packet
sizes up to 1492 (ping -s 1464 x.x.x.x), but not with packet sizes over.
I can't figure out why, but I suspect that ping sets the DF flag.
Ping does set the DF flag bit, so you're hitting the MTU limit of your 
PPPoE link.

Pinging internally via VPN works fine, no matter packet sizes, due to
overridemtu in FreeSWAN.
Doing SCP from external address to the PPPoE firewall works fine (due to
ClampMSS?).
Doing SCP from external address to the PPPoE SNAT port (which is
forwarded to the remote host over VPN) halts, because large packets are
dropped.
HLP! :)

Not being able to ping with large packets from the internet I can live
with. But the SNAT large packets problem I cannot live with.
Hope one of you gurus can help.
I don't have a clear picture of your network topology, but it seems like 
you're running into two different MTU problems.  The limited MTU of your 
PPPoE link (which it sounds like you have solved), and the MTU of your 
IPSec link (which may or may not be going over the PPPoE connection for 
an additional haircut...that part isn't clear from the above).

It seems like packets from the internet that don't fit down your IPSec 
pipe aren't properly getting ICMP messages back to the sender (ie PMTU 
discovery is broken for the specific case of inbound PPPoE traffic that 
heads back out the IPSec link).

Provide a diagram of how your network is setup, and maybe I (or someone 
else) will have some ideas on how to get things working properly.

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] OT: Congratulations

2003-08-14 Thread Charles Steinkuehler
Sean E. Covel wrote:
Glad I could help.  I have a 4 week old.  I'm not very coherent most of
the time right now.  I miss sleep...
Congratulations!!!  I hope everyone's doing well.

Mine are almost three weeks now:
http://www.steinkuehler.net/twins/images/2003-08-01.htm
...so I know all about missing sleep! :)

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] OT: Results of Internal Security Scan.

2003-08-14 Thread Charles Steinkuehler
Jay Langford wrote:
Thanks charles, 

I am going to check out nessus as per seans suggestion...
I think you'll be happier with the nessus results.  Nmap is also good 
for raw port-scanning.

Do you know if it is possible to change the ping results to make it look
like it's a windows box?
ICMP code in response  0 = Unix box 

If so would there be any side effects of doing this?
???  I'm confused.

A ping (echo request, ICMP message type 8) should always be answered 
with an echo reply (ICMP message type 0).

I don't think even Microsoft's TCP/IP stack has managed to screw this up.

Also, all ICMP echo request/reply messages should have a message code of 
0 (although some vendors co-opt the message code for specific services).

Do you have a packet dump of the offending ping traffic?

--
Charles Steinkuehler
[EMAIL PROTECTED]



Re: [leaf-user] Last package won't load (Bering v 1.2 on CD)

2003-08-14 Thread Charles Steinkuehler
Luis.F.Correia wrote:
Make sure you type ENTER at the end, so that lrpkg.cfg has 2 lines.

-Original Message-
From: Robert Coffman - Info From Data Corporation
[mailto:[EMAIL PROTECTED]
Sent: quarta-feira, 13 de Agosto de 2003 18:21
To: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Last package won't load (Bering v 1.2 on CD)
Do you have a period (.) at the end of your lrp line?

Perhaps as a temporary workaround until we figure this out, 
insert a bogus
package at the end (ie. bogus.lrp!)

- Bob Coffman
And make sure your lrpkg.cfg is using linux (not MS-DOS) 
end-of-lines...the CR part of the MS-DOS CRLF sequence will get 
added to your LRP filename and confuse the package loading scripts.

--
Charles Steinkuehler
[EMAIL PROTECTED]
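A checker for the lrpkg.cfg pitfalls raised in this thread (MS-DOS CRLF endings adding a CR to the last package name, a missing ENTER after the last line, a stray period or empty entry) and for the syslinux.cfg line-length limit that lrpkg.cfg exists to work around, as an added example that is not code from the thread or from any LEAF release. The file contents are constructed samples; the loader's own parsing is not reproduced, only the checks a user would run before rebooting.

```python
"""Added example, not code from the leaf-user thread or any LEAF release:
sanity-check an lrpkg.cfg, the package-list file used to get around the
255-character syslinux.cfg line limit mentioned earlier in the thread.
It flags MS-DOS CRLF line endings (the CR would be glued onto the last
package name), a missing newline after the last line (which the thread
ties to the last package not loading), stray periods and empty entries,
and produces a clean copy. All contents below are constructed samples."""

SYSLINUX_LINE_LIMIT = 255   # limit for a syslinux.cfg line as stated in the thread


def check_lrpkg_cfg(data: bytes) -> list:
    """Return human-readable problems; an empty list means the file is clean."""
    problems = []
    if b"\r" in data:
        problems.append("CR bytes present (MS-DOS line endings)")
    if data and not data.endswith(b"\n"):
        problems.append("no newline after the last line")
    for raw in data.replace(b"\r", b"").split(b"\n"):
        line = raw.strip()
        if not line:
            continue
        for name in line.split(b","):
            if not name:
                problems.append("empty package name (stray comma)")
            elif name.endswith(b"."):
                problems.append("package name %s ends with a period" % name.decode())
    return problems


def normalize_lrpkg_cfg(data: bytes) -> bytes:
    """Strip CRs and whitespace, drop empty entries, and end with a single newline."""
    lines = []
    for raw in data.replace(b"\r", b"").split(b"\n"):
        names = [n.strip() for n in raw.split(b",")]
        names = [n for n in names if n]
        if names:
            lines.append(b",".join(names))
    return b"\n".join(lines) + b"\n"


def package_list(data: bytes) -> list:
    """Package names in load order, after normalization."""
    out = []
    for line in normalize_lrpkg_cfg(data).split(b"\n"):
        out.extend(n.decode() for n in line.split(b",") if n)
    return out


def syslinux_lines_too_long(syslinux_cfg: str) -> list:
    """Lines of syslinux.cfg over the limit; candidates to move into lrpkg.cfg."""
    return [l for l in syslinux_cfg.splitlines() if len(l) > SYSLINUX_LINE_LIMIT]


# Constructed samples: the package list from the thread as saved by a DOS
# editor (CRLF), and a copy saved without a final ENTER.
DOS_SAMPLE = (b"etc,ramlog,local,modules,ppp,dhcpd,dnscache,ifconfig,pppoe,"
              b"weblet,sshd,oidentd,libz,psentry,jbuster\r\n")
NO_NEWLINE_SAMPLE = b"etc,ramlog,local,modules"

if __name__ == "__main__":
    for sample in (DOS_SAMPLE, NO_NEWLINE_SAMPLE):
        print(check_lrpkg_cfg(sample), "->", package_list(sample))
```

Run `check_lrpkg_cfg` on the file read in binary mode (text mode would hide the CRs on some platforms), and write `normalize_lrpkg_cfg` output back only after reviewing the reported problems.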



Re: [leaf-user] PPPoE, MTU, IPSEC and SNAT woes

2003-08-14 Thread Charles Steinkuehler
Lars Karlslund wrote:
 sizes up to 1492 (ping -s 1464 x.x.x.x), but not with packet sizes 
 over. I can't figure out why, but I suspect that ping sets the DF 
 flag.
Ping does set the DF flag bit, so you're hitting the MTU 
limit of your PPPoE link.
Okay - so why does ping do that? Is there a reason for this - it
confuses diagnostics I'd think.
It would be even more confusing if ping requests/replies got fragmented, 
if you think about it (what would happen if only part of a fragment got 
to the other end?).

 Hope one of you gurus can help.
I don't have a clear picture of your network topology, but it 
ClientLan---FW1---PPPoE,1492---ISP---internet---ISP---ethernet,1500---FW2---ServerLan
FW1 has VPN link to FW2 with MTU 1350

you're running into two different MTU problems.  The limited MTU of your PPPoE link (which it sounds like you have solved), and the 
Yes, I'd like to think so too.

MTU of your IPSec link (which may or may not be going over the PPPoE connection for an additional haircut...that part isn't clear from the above).
Uhmm, there aren't any problems on the VPN link internally. Everything
works fine from/to ClientLan and ServerLan.
It's when doing the SNAT things are fouled up.

A client wants to do a HTTP connection to FW1's external IP. This is
SNAT'ed to a server on ServerLan, so the server sees the request as
coming from ClientLan (the only way the routing back to the client could
be made to work). So the packet arrives at FW1, which changes the source
to a ClientLan address and the destination to a ServerLan address and
pumps it down the VPN tunnel. The problem is that large packets never
get through to the other end, because they're too large for either the
IPSEC or PPPoE link.
It seems like packets from the internet that don't fit down your IPSec pipe aren't properly getting ICMP messages back to the sender (ie PMTU discovery is broken for the specific case of inbound PPPoE traffic that heads back out the IPSec link).
Bingo.

Provide a diagram of how your network is setup, and maybe I (or someone else) will have some ideas on how to get things working properly.
I was hoping to hear from you, as you seem to have great insight on
networking on this list. Thanks for responding.
My first suggestion is to use the public IP of FW2 (the serverlan 
firewall) rather than FW1 (the privatelan firewall) for your public 
services.  As constructed, you're running public traffic across your 
PPPoE link twice, as well as doubling up on tunneling protocols (IPSec 
wrapped inside PPPoE).

If you have to keep things the way they are for some reason, it sounds 
like the ICMP error messages created when a large packet comes in from 
the internet to FW1 and gets routed down the VPN either aren't getting 
generated, or are going to the wrong place.

A packet sniffer might be of some help with solving this problem.  You 
can compare the traces of working and non-working pings from the 
internet to your SNAT'd server.

If you continue to have problems, I might be able to help if you provide 
a full dump of your firewall rules, routing tables, and interface setup, 
but you'll probably need someone more familiar with Bering, IPTables, 
and shorewall (I'm still stuck in the 2.2 kernel era with Dachstein and 
IPChains).

--
Charles Steinkuehler
[EMAIL PROTECTED]
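The ICMP details behind two of the replies above, as an added example that is not part of the thread and not code from any LEAF package: the earlier answer on the scan results (a ping, type 8, must be answered by an echo reply, type 0, and both carry code 0), and this one on PMTU (a DF-flagged packet that does not fit the 1492-byte PPPoE link or the 1350-byte IPSec tunnel has to be answered with ICMP Destination Unreachable / Fragmentation Needed, type 3 code 4, carrying the next-hop MTU, and that message has to get back to the original sender). All packets and addresses are constructed in the block; nothing is sent on the wire.

```python
"""Added example (not code from the leaf-user thread or any LEAF package):
build and decode the ICMP messages discussed above. echo_reply_matches()
checks the type 8 / type 0, code 0 pairing a ping relies on; route_packet()
shows the forwarding decision a router makes for a packet heading out a
smaller link, and the type 3 code 4 message with next-hop MTU that must
reach the sender for PMTU discovery to work. IPv4 headers without options
are assumed throughout; addresses and payloads are constructed samples."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_FRAG_NEEDED = 4
IP_FLAG_DF = 0x4000
IPV4_HEADER_LEN = 20        # no IP options assumed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request or reply: type, code 0, checksum, identifier, sequence, data."""
    hdr = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def build_frag_needed(next_hop_mtu: int, dropped_packet: bytes) -> bytes:
    """Type 3 code 4 (RFC 1191): 16 unused bits, next-hop MTU, then the IP
    header plus the first 8 bytes of the datagram that was dropped."""
    quoted = dropped_packet[:IPV4_HEADER_LEN + 8]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, csum, 0, next_hop_mtu) + quoted


def parse_icmp(msg: bytes) -> dict:
    """Decode the common header; a valid checksum sums to zero over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, _csum, hi, lo = struct.unpack("!BBHHH", msg[:8])
    out = {"type": msg_type, "code": code, "checksum_ok": inet_checksum(msg) == 0}
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out.update(ident=hi, seq=lo, payload=msg[8:])
    elif msg_type == ICMP_DEST_UNREACH:
        out["next_hop_mtu"] = lo if code == CODE_FRAG_NEEDED else None
        out["quoted"] = msg[8:]
    return out


def echo_reply_matches(request: bytes, reply: bytes) -> bool:
    """What ping expects: type 0, code 0, same id/seq/payload as the request."""
    q, r = parse_icmp(request), parse_icmp(reply)
    return (q["type"] == ICMP_ECHO_REQUEST and r["type"] == ICMP_ECHO_REPLY
            and r["code"] == 0 and r["checksum_ok"]
            and (q["ident"], q["seq"], q["payload"]) == (r["ident"], r["seq"], r["payload"]))


def build_ipv4_packet(total_length: int, df: bool) -> bytes:
    """Constructed IPv4 datagram of the given total length with a filler payload;
    source and destination are documentation addresses."""
    flags_frag = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                      64, 1, 0, bytes([203, 0, 113, 10]), bytes([198, 51, 100, 20]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + b"\x00" * (total_length - IPV4_HEADER_LEN)


def route_packet(ip_packet: bytes, link_mtu: int) -> tuple:
    """Forwarding decision for a packet about to leave on a link of size link_mtu.
    Returns ("forward", None), ("fragment", None) when DF is clear, or
    ("frag_needed", icmp_bytes) when DF is set and the packet does not fit;
    that ICMP has to reach the original sender or PMTU discovery stalls."""
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    flags_frag = struct.unpack("!H", ip_packet[6:8])[0]
    if total_len <= link_mtu:
        return ("forward", None)
    if not flags_frag & IP_FLAG_DF:
        return ("fragment", None)
    return ("frag_needed", build_frag_needed(link_mtu, ip_packet))


if __name__ == "__main__":
    # ping -s 1464 fits the 1492-byte PPPoE link (1464 + 8 ICMP + 20 IP = 1492);
    # ping -s 1472 gives the usual 1500-byte Ethernet packet and does not.
    for size in (1492, 1500):
        status, icmp = route_packet(build_ipv4_packet(size, df=True), 1492)
        print(size, "->", status, parse_icmp(icmp)["next_hop_mtu"] if icmp else "")
    # a 1492-byte packet that made it in is still too big for the 1350-byte tunnel
    print(1492, "-> tunnel:", route_packet(build_ipv4_packet(1492, df=True), 1350)[0])
```

The last case is the one in this thread: a packet that fit the PPPoE link arrives at FW1 and is then routed into the IPSec tunnel, so the type 3 code 4 message must be generated at that point and sent to the original internet sender, not to the SNAT'd ClientLan address, or the sender never learns the smaller MTU.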



Re: [leaf-user] OT: Results of Internal Security Scan.

2003-08-10 Thread Charles Steinkuehler
Jay Langford wrote:
Hi Listers,

This is a bit off topic, but I thought I would share the funny results I got
back from an Internal Network Scan I performed earlier today... ( Note the
'on the internal network' - I was looking for internal security holes)
The scan performed an OS detection as part of its audit of the network.. and
this is what is returned for my bering box (*confused look*)
[XXX.XXX.XXX.XXX]
NETBIOS/SMB is not enabled on this computer.
Resolving XXX.XXX.XXX.XXX...
UDP scanning thread started ...
TCP scanning started ...
2 open port(s).
Gathering banners ... 
80 - Trying to determine web server type
Server : Microsoft-IIS/5.0  | What the??
Operating System : Windows 2000 |

Has anyone seen similar results in scans performed? ( f.y.i: I used GFI
LANguard http://www.gfisoftware.com/lannetscan/ )
That's pretty funny.  The shell webserver I extended for use with LEAF 
dutifully reports its identity in the headers:

code snippet from sh-httpd:

    VERSION=0.4.1
    NAME=ShellHTTPD
    # emit the status line and response headers, each terminated with CRLF
    print_header() {
        echo -e "HTTP/1.0 $1\r"
        echo -e "Server: $NAME/$VERSION\r"
        echo -e "Date: $REQ_DATE\r"
        echo -e "Connection: close\r"
    }

While you could easily change the server name and version to IIS, I 
don't think this was done by default for Bering.

I suspect your network scanner is confused by non-windows systems.  I 
suggest you try some linux based tools for serious scanning capabilities.

--
Charles Steinkuehler
[EMAIL PROTECTED]
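As an added example, not code from the original post or from sh-httpd itself: a POSIX shell script in the style of the quoted print_header() that emits a response with a configurable Server banner, then recovers that banner the way a banner-grabbing scanner does and applies the naive banner-to-OS mapping such a scanner uses. The default name/version mirror the sh-httpd snippet; the guess_os table and the IIS banner are constructed for the illustration.

```shell
#!/bin/sh
# Added example in the style of the sh-httpd print_header() quoted above;
# not code from the original post or from sh-httpd itself.
# Emits an HTTP/1.0 response whose Server banner is a free-form string the
# server chooses, then recovers that banner the way a banner-grabbing scanner
# does. The scanner's "Operating System" line is inferred from the banner, so
# it is evidence of the banner, not of the OS.

DEFAULT_NAME=ShellHTTPD      # defaults mirror the sh-httpd snippet
DEFAULT_VERSION=0.4.1

# http_response STATUS BODY [NAME VERSION]
# Prints status line, headers (CRLF-terminated as HTTP requires), blank line,
# body. printf is used instead of 'echo -e', which is not portable across
# /bin/sh implementations.
http_response() {
    status=$1
    body=$2
    name=${3:-$DEFAULT_NAME}
    version=${4:-$DEFAULT_VERSION}
    length=$(printf '%s' "$body" | wc -c | tr -d ' ')
    printf 'HTTP/1.0 %s\r\n' "$status"
    printf 'Server: %s/%s\r\n' "$name" "$version"
    printf 'Date: %s\r\n' "$(date -u '+%a, %d %b %Y %H:%M:%S GMT')"
    printf 'Connection: close\r\n'
    printf 'Content-Length: %s\r\n' "$length"
    printf '\r\n%s' "$body"
}

# server_banner: read a response on stdin, print the Server header value,
# which is exactly what the scan report shows as "web server type".
server_banner() {
    sed -n 's/^[Ss]erver: *//p' | tr -d '\r' | head -n 1
}

# guess_os BANNER: the naive banner-to-OS mapping a scanner applies
# (constructed for the example; real scanners have larger tables).
guess_os() {
    case "$1" in
        Microsoft-IIS/*) echo "Windows (guessed from banner)" ;;
        ShellHTTPD/*)    echo "unknown (shell HTTP server)" ;;
        *)               echo "unknown" ;;
    esac
}

# Demo: same server code, two banners, two different "OS detections".
for banner in "$(http_response '200 OK' hello | server_banner)" \
              "$(http_response '200 OK' hello Microsoft-IIS 5.0 | server_banner)"; do
    echo "Server: $banner -> $(guess_os "$banner")"
done
```

Nothing in the response except the banner string changes between the two runs, which is why a scanner that reports an OS from it tells you what the server wants to say rather than what it is; TCP/IP stack fingerprinting is the cross-check.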




Re: [leaf-user] Weblet question ?

2003-08-05 Thread Charles Steinkuehler
Bradley Miller wrote:
I'm trying to use the weblet with my DSL connection.  The first 
Dachstein  package I tried worked, but the PPPOE wasn't on it, so I 
downloaded this version:  eigerstein2beta_pppoe_beta.v.0.2.img   It had the 
weblet, but it was version 1.0.   I decided to copy the latest weblet 
(1.2?) on and boot.  The new nifty looking interface comes up, but the 
graph on the weblet for bandwidth doesn't show anything.  I suspect it's a 
matter of telling a configuration file the difference between the weblet 
1.0 and the newer version.   Any suggestions on where to go hunting?  (I 
smell a wombat . . . )
Make sure you're running the stats server (/usr/sbin/stat.sh via inetd), 
and have the weblet version that includes the client-side bandwidth 
monitor application (lrpStat.jar).

Dachstein specific files available from my site:
http://www.leaf-project.org/devel/cstein/Packages/weblet.htm
Info on properly installing and configuring lrpStat is available on 
Martin Hejl's page:
http://www.leaf-project.org/devel/hejl/

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] Bering 1.0 IDE cdrom Device not found

2003-08-02 Thread Charles Steinkuehler
Hein Bauer wrote:
Dear list !
I am trying to use two IDE CD-ROM drives I recently connected to my
Bering 1.0 box.  Loading of modules succeeded; both drives are found while
loading the modules.  Manufacturer name and other stuff is recognized
correctly.
How do I access the devices?

mount /dev/hd[ab] /mnt
results: no driver present & no device found
mount /dev/hd[cd] /mnt
misses: driver not found but also states: no device found
In both CD-ROMs are CDs inserted...
(I actually do a mount of /dev/hda OR /dev/hdb, instead of /dev/hd[ab]
(-- regular expression)
Reading the docs/FAQs/mail archives last night did not give a hint.
Some DOCs on LEAF mention a device /dev/cdrom.  This link does not exist.
I will eventually create it, when I have found the physical device to which it
can refer ;-)
The device files /dev/hd[abcd] do exist.

I am _not_ trying to _boot_ from CD, I just need a second medium to store
more modules, which don't fit onto one floppy disk.  I also could install
a second floppy drive if I had one ;-)
Thanks for any hints !
Do you have the iso9660 filesystem module loaded?  What about the IDE CD 
modules (note you need more than the low-level IDE drivers, there are 
also modules for talking to a CD-ROM drive using the IDE bus)?  Assuming 
you have the modules loaded to support CD access, use:

mount -t iso9660 -r /dev/hd[abcd] /mnt

You can also probably use the shortcut of /dev/cdrom, if the Bering init 
scripts still look for and create a /dev/cdrom symlink to the first 
cdrom device found (this feature was added to Dachstein, which Bering is 
based on, so it should probably work).

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] VPN Setup

2003-07-31 Thread Charles Steinkuehler
Mike Koceja wrote:
Charles,

Thank-you for your help in this matter. I downloaded
the kernel you suggested and replaced my existing one
with it. I still am unable to connect to my work lan
using an ipsec vpn client. Do I need to add the
address I am connecting to as a trusted site
somewhere?
Have you allowed IPSec traffic to pass through your firewall rules?

For an IPSec VPN, you need to allow UDP port 500 traffic for keying, as 
well as protocol 50 (ESP) and/or 51 (AH) for the actual encrypted data.

On Dachstein, you can do this with the following settings in 
/etc/network.conf:

EXTERN_UDP_PORTS="0/0_500"
EXTERN_PORTS="50_0/0 51_0/0"

If you know the IP address of the other end of your VPN link, and it's 
static, you can replace the 0/0 in the rules above with the IP of your 
corporate VPN server.

If you continue to have problems, please post details about your 
configuration (see the SR FAQ, link at the bottom of every leaf-user 
message).  I'm simply providing the most typical answer for what could 
be causing your problem based on the default configuration of Dachstein, 
and am making the general assumption that you haven't screwed up 
something else in your setup.

At the very least, provide a dump of your running firewall rules (net 
ipfilter list), the currently loaded modules (lsmod), and details about 
which VPN client you're trying to use along with any special 
configuration you might have to do to get it to work (no passwords or 
secret information necessary, but it's important for us to know if 
you're running with non-standard ports, actually using IPSec and not 
something else, etc., if we're going to be able to help you).

--
Charles Steinkuehler
[EMAIL PROTECTED]
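As an added example, not from the original post or from the Dachstein scripts: a shell checker that parses the two network.conf values in the syntax shown above (source_port entries for EXTERN_UDP_PORTS, protocol_source entries for EXTERN_PORTS) and reports whether a described inbound packet would be admitted, both for the 0/0 form and for the peer-pinned form the reply recommends. The source matcher is a deliberate simplification (0/0 means any address, anything else is an exact match, not the full Dachstein matcher), and the peer and client addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post or from the Dachstein scripts.
# Parses EXTERN_UDP_PORTS ("source_port" entries) and EXTERN_PORTS
# ("protocol_source" entries) as quoted in the post and answers whether a
# described inbound packet on the external interface would be admitted.
# Source matching is simplified: "0/0" is any address, anything else is an
# exact match (an assumption for the example, not the real matcher).

# src_matches RULE_SRC PKT_SRC
src_matches() {
    [ "$1" = "0/0" ] || [ "$1" = "$2" ]
}

# udp_allowed UDP_PORTS PKT_SRC PKT_DPORT
# UDP_PORTS is the EXTERN_UDP_PORTS value, space-separated "source_port".
udp_allowed() {
    for entry in $1; do
        rsrc=${entry%_*}
        rport=${entry##*_}
        if src_matches "$rsrc" "$2" && [ "$rport" = "$3" ]; then
            return 0
        fi
    done
    return 1
}

# proto_allowed PORTS PKT_SRC PKT_PROTO
# PORTS is the EXTERN_PORTS value, space-separated "protocol_source".
proto_allowed() {
    for entry in $1; do
        rproto=${entry%%_*}
        rsrc=${entry#*_}
        if [ "$rproto" = "$3" ] && src_matches "$rsrc" "$2"; then
            return 0
        fi
    done
    return 1
}

# ipsec_passes UDP_PORTS PORTS PROTO SRC [DPORT]
# PROTO is "udp", "tcp", or an IP protocol number such as 50 (ESP) or 51 (AH).
# Prints ALLOW or DENY.
ipsec_passes() {
    case "$3" in
        udp) if udp_allowed "$1" "$4" "$5"; then echo ALLOW; else echo DENY; fi ;;
        tcp) echo DENY ;;   # neither variable opens any TCP port
        *)   if proto_allowed "$2" "$4" "$3"; then echo ALLOW; else echo DENY; fi ;;
    esac
}

# The settings from the post: IKE, ESP and AH from anywhere.
UDP_PORTS="0/0_500"
PORTS="50_0/0 51_0/0"

# The same settings pinned to one peer (constructed documentation-range address).
PEER=203.0.113.10
UDP_PORTS_PINNED="${PEER}_500"
PORTS_PINNED="50_${PEER} 51_${PEER}"

echo "IKE from anywhere:                 $(ipsec_passes "$UDP_PORTS" "$PORTS" udp 198.51.100.7 500)"
echo "ESP from anywhere:                 $(ipsec_passes "$UDP_PORTS" "$PORTS" 50 198.51.100.7)"
echo "UDP 4500 (NAT traversal) not open: $(ipsec_passes "$UDP_PORTS" "$PORTS" udp 198.51.100.7 4500)"
echo "ESP from wrong peer (pinned):      $(ipsec_passes "$UDP_PORTS_PINNED" "$PORTS_PINNED" 50 198.51.100.7)"
echo "ESP from right peer (pinned):      $(ipsec_passes "$UDP_PORTS_PINNED" "$PORTS_PINNED" 50 $PEER)"
```

The UDP 4500 line is the check worth keeping in mind when a client sits behind NAT and uses UDP encapsulation: the two settings quoted in the reply open only IKE on 500 plus the raw ESP/AH protocols, so such a client needs its own rule.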




Re: [leaf-user] HD Booting Dachstein with a twist

2003-07-28 Thread Charles Steinkuehler
Ed Tetz wrote:
Hi Guys,

I am looking at getting a Norhtec server (http://www.norhtec.com/index.html) 
to act as my firewall. It comes with an internal HD, but no CD-ROM. I will 
be using a USB floppy drive. I am still waiting for the hardware, so I can't 
test things yet.

I already figure that I will have to recompile my kernel to support the USB 
floppy. Not a problem.

I also wanted to keep alot of the security of having the packages on CD, so 
I was thinking of using an ISO image on the HD. Normally you need to add the 
loopback device, which I don't think will be a problem.

I figure that I will boot from the floppy, and then treat the ISO image on 
/dev/hda1/dachimg.iso as the CD-Rom. That will hopefully give me the BOBW 
(Best of Both Worlds), using the hard drive (since I don't have a CD-Rom) 
and having the security of the CD-Rom (or most of it). This will also make 
the upgrade easier when Dachstein is updated, as I only have to replace the 
isoimage on the harddrive.

Does anyone know off hand if a pkgpath option of /dev/hda1/dachimg.iso:loop 
or /dev/hda1/dachimg.iso:iso9660 should work in syslinux.cfg? I currently 
have /dev/hda:iso9660.

After the system starts booting, I figure I can easily mount (via fstab) the 
image as /cdrom, so I am just concerned what happens during the boot 
process, prior to reading fstab.
If you want to load packages via an iso image mounted on a loopback 
device, I believe you're going to have to modify the startup script 
(/linuxrc).  The startup script currently expects to be able to directly 
run a mount command, passing it parameters extracted from the pkgpath 
parameter for fstype and device.  Since there's no way to specify to use 
the loopback device, you'll either have to add that functionality, get 
someone to do it for you, or live without it.

NOTE:  A trick that might work for you would be to copy the iso image 
to a separate partition on your HDD, and mount it from there.  Something 
like:

  dd if=/dev/cdrom of=/dev/hda2

Then use something like PKGPATH=/dev/hda2:iso9660, and keep 
configuration data on /dev/hda1 or the usb floppy like normal.  I don't 
think it will matter if the HDD partition is larger than your iso image.

If this works (I haven't tried it), you'll have a bit more security than 
simply loading packages off a standard hard-disk partition, as there are 
no convenient tools for making an iso image on LEAF, but remember an 
attacker can still simply store cracked utilities on your configuration 
media which would overwrite the clean versions from the pseudo-CD.

Regardless, this could still be an interesting way to setup your system, 
with the big plus (to me, anyway) of keeping the upgradability of the 
CD version.  You could even keep a few CD images around on your HDD (as 
various unique partitions), in case you had to revert to a previous 
version or something.  It could make maintaining several boxes easier 
than doing a traditional HDD install.

Note that if this technique works with Dachstein, it should also work 
with Bering, should you choose to migrate.

--
Charles Steinkuehler
[EMAIL PROTECTED]
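An added example, not from the original post or from the LEAF boot scripts, serving both the CD-ROM mount question earlier in this thread and the dd-to-partition trick here: a check that a device or file actually holds an ISO 9660 volume before you hand it to mount -t iso9660 (or PKGPATH), and a fingerprint of the image sized from its own volume descriptor so the unused tail of an oversized partition is ignored. The fingerprint covers only the pseudo-CD, not the writable configuration media, which is exactly the gap the reply warns about. The test image is constructed in place and is not a real LEAF ISO; little-endian host byte order is assumed for the od read (true of the x86 boxes discussed).

```shell
#!/bin/sh
# Added example, not from the original post or from the LEAF boot scripts.
#   iso9660_image DEV    - true if DEV (partition, disc or file) starts with an
#                          ISO 9660 volume: "CD001" at byte offset 32769, i.e.
#                          sector 16 just after the one-byte descriptor type.
#   iso_size DEV         - image length in bytes from the Primary Volume
#                          Descriptor, so a larger partition does not matter.
#   iso_fingerprint DEV  - sha256 over exactly that many bytes; record it after
#                          the dd and compare later to catch a tampered pseudo-CD.
# Assumes a little-endian host for the od read (x86, as on the boxes discussed).

iso9660_image() {
    [ "$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)" = "CD001" ]
}

# Volume space size: little-endian 32-bit at descriptor offset 80 (absolute
# 32848), counted in 2048-byte logical blocks.
iso_size() {
    blocks=$(dd if="$1" bs=1 skip=32848 count=4 2>/dev/null | od -An -tu4 | tr -d ' ')
    echo $((blocks * 2048))
}

iso_fingerprint() {
    iso9660_image "$1" || return 1
    size=$(iso_size "$1")
    head -c "$size" "$1" | sha256sum | cut -d' ' -f1
}

# make_test_iso FILE: a constructed stand-in image, 17 sectors long, with a
# type-1 descriptor, "CD001", and a volume size of 17 blocks stored both
# little- and big-endian as ISO 9660 does. Not a mountable filesystem.
make_test_iso() {
    dd if=/dev/zero of="$1" bs=2048 count=17 2>/dev/null
    printf '\001CD001\001' | dd of="$1" bs=1 seek=32768 conv=notrunc 2>/dev/null
    printf '\021\000\000\000\000\000\000\021' | dd of="$1" bs=1 seek=32848 conv=notrunc 2>/dev/null
}

# Demo: build the image, check it, fingerprint it, then flip one byte inside the
# volume the way a replaced package file would, and show the fingerprint moves.
tmp=$(mktemp)
make_test_iso "$tmp"
if iso9660_image "$tmp"; then
    echo "$tmp: ISO 9660 volume, $(iso_size "$tmp") bytes"
fi
before=$(iso_fingerprint "$tmp")
printf 'X' | dd of="$tmp" bs=1 seek=100 conv=notrunc 2>/dev/null
after=$(iso_fingerprint "$tmp")
echo "before: $before"
echo "after:  $after"
if [ "$before" != "$after" ]; then
    echo "tamper detected: fingerprint changed"
fi
rm -f "$tmp"
```

On the firewall you would run iso9660_image against /dev/hda2 (or /dev/cdrom) before trusting the PKGPATH, and keep the recorded fingerprint somewhere other than the configuration media it is meant to protect against.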




Re: [leaf-user] LEAF doing some DAC stuff

2003-07-20 Thread Charles Steinkuehler
 :)
There's nothing like the real world to teach you how everything REALLY 
works (or just as importantly doesn't work). :)

--
Charles Steinkuehler
[EMAIL PROTECTED]


---
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] What LEAF needs

2003-07-20 Thread Charles Steinkuehler
Hugues Belanger wrote:
Hi Gents,

I've been a LEAF user for some time and I must say it has made me look good on
several projects.  Having said that, I'm having a similar experience with all
projects that involve LEAF.  Clients need a router/firewall/wireless AP.  I
recommend, configure and install LEAF.  Client is happy, things work great.  Client
needs to make changes or install new systems, they call me.  I'm OK with that but
my complaint is that it's not easy for them to manage the environment themselves.
I've looked around the net for a LEAF replacement and stumbled on m0n0wall 
(http://m0n0.ch/wall/) which quite frankly is very well done and easy to
configure, but not flexible enough for all my requirements. 

Is there an initiative to create a WebUI for LEAF?  And a configuration/build
system that would make the configuration process easier?
I think that LEAF would gain a lot of popularity if these things were
integrated...!
This is a *VERY* popular request, and has generated a lot of traffic on 
the Development list over the years (mine the archives for more 
discussion about this than you probably care to read!).

The short answer is that it is very complicated to both keep the 
flexibility of LEAF which makes it very useful while at the same time 
simplifying the configuration process enough to allow a GUI interface.

Note that this double-edged sword gives even full-blown linux 
distributions (where resource limitations aren't really an issue, and 
things like perl and python are available for scripting) fits, so it's 
not exactly an easy nut to crack.

The good news is a lot of thought has gone into creating an architecture 
that will allow exactly this, and work is progressing (although perhaps 
somewhat slowly) on a configuration system that aims to keep the 
flexibility of linux which makes LEAF useful while providing a 
consistent interface to configuration information which will allow a 
variety of back-end tools (from text menus to GUI configuration screens) 
to be implemented.  Refer to the leaf-devel archives for more details, 
and the CVS area on SourceForge for the (still in development) code.

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] VPN Setup

2003-07-18 Thread Charles Steinkuehler
Mike Koceja wrote:
You are correct I am trying to establish a vpn
connection using a pc located behind the firewall to a
remote network.
I have loaded the VPN masquerade helper
ip_masq_ipsec. This hasn't helped though. I did start
with a floppy version of the firewall which I altered
to boot from hard disk. I thought I used the kernel
which supports VPN/ipsec. Is there anyway I can check
on this?
The easiest way is probably to check the file-size of your kernel 
against the various Dachstein kernels.  Also, I think if you're using 
the wrong kernel (one setup for running ipsec on the firewall), when you 
run ip addr, there will be four ipsec interfaces, in addition to the 
local loopback interface and any ethernet (or other normal network) 
interfaces you have...I just don't remember if the ipsec interfaces show 
up prior to running any of the ipsec startup scripts, but I think they do.

Anyway, since you're running off a hard-disk, you probably want one of 
the normal kernels:

http://lrp.steinkuehler.net/files/kernels/Dachstein-normal/

NOTE:  You *DO NOT* want one of the -IPSec kernels!  These include 
support for running IPSec on the firewall.  You probably want the kernel 
with IDE support:

linux-2.2.19-3-LEAF-normal-IDE-IPSec.bzImage.upx

--
Charles Steinkuehler
[EMAIL PROTECTED]




Re: [leaf-user] wireless LAN security

2003-07-18 Thread Charles Steinkuehler
Steve Wright wrote:
Charles Steinkuehler wrote:

I recently tried setting up something like this between a couple of 
Dachstein boxes, and I've since fallen back to simply firewalling both 
ends of the wireless link and treating it like a hostile network.  It 
would be possible with my current setup for someone to DoS my wireless 
link (always a possibility with a big enough noise generator), sniff 
my traffic (possible once it gets on the internet anyway, although the 
wireless traffic is a lot easier to sniff if you're physically close 
to me) or to manage access to the wireless link itself (which would 
allow them to attempt to hack the admin passwords on my AP's, or gain 
internet access, but *NOT* allow them to attack any of my secured 
networks).
Thanks Charles, Eric,

I'm really surprised there isn't a simple solution..  what about a ssh 
tunnel ?  I'm not an expert on those, but I cannot imagine I can tunnel 
two scopes over a ssh tunnel...
You could use an ssh tunnel, but you'll run into routing problems 
similar (if not worse) to the issues with using an IPSec tunnel to 0/0 
(the whole internet).

Plus, you'll have the tcp over tcp issue, which can get ugly if you have 
any packet loss, and you did mention this is for a wireless link.

Sidebar: TCP is a guaranteed connection protocol...the low-level IP 
stack keeps track of packets, so lost/garbled packets are retransmitted, 
and the application layer is presented with a nice, consistent, 
everything in order datastream.  The low-level methods to do this, 
however, do not stack well, which is what you're doing when you run 
one tcp connection (say an http connection to a remote webserver) over 
another tcp connection (like your proposed ssh tunnel).

I think probably the easiest method for doing what you want is to set 
up a GRE tunnel over a host-host IPSec tunnel between two 
routers/firewalls on either end of the link.  You can pipe routing 
protocols (RIP, BGP, etc) across the GRE tunnel, and drop anything 
that doesn't come in over the IPSec interfaces (other than IPSec and 
IKE traffic itself, obviously).
!  that sounds even more complicated..  I think some more reading / 
study is in order.  8-/
:)  It's not really as complex as it sounds, and depending on your 
situation, you may be able to get by with just a conventional ipsec 
tunnel to the whole internet encrypting your wireless traffic.

Ipsec tunnels are pretty paranoid about security (imagine that), and 
won't pipe traffic if *BOTH* endpoints don't match the tunnel 
specifications. This means that you cannot use an ipsec link between two 
boxes to route arbitrary additional traffic (ie use the ipsec link like 
a generic point-point link or route).  That's where gre comes in.

By building a point-point IPSec tunnel (which is typically the simplest 
to setup and maintain), *THEN* putting a gre tunnel over that, you can 
treat the IPSec link like any other network connection and route traffic 
down it using normal routing tools (including manual routing, or 
automated routing protocols like RIP & BGP).

A -+           +- E
B -+           +- F
C -+           +- G
D -+--X-----Y--+- H
For example, in the above, assume X and Y are two routers, ABCDEFGH are 
all networks hooked to those routers, and we want to encrypt all traffic 
between all networks that goes over the link between X and Y with IPSec.

This would require 16 separate subnet/subnet tunnel specifications if 
you only use IPSec tunnels (possible, but clumsy).

By creating a single host-host tunnel between X and Y, the two routers 
can then talk to each other, but they cannot route other network traffic 
down the link (since the source/destination IP's don't match the tunnel 
specification).

The addition of GRE allows the encapsulation of arbitrary traffic into 
point-point traffic which *WILL* go across the host-host XY IPSec tunnel.

I don't know enough about your setup to know if using an IPSec tunnel 
with a 0/0 endpoint will work well for you, or if you'll need something 
a bit more complex...

--
Charles Steinkuehler
[EMAIL PROTECTED]
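As an added example, not from the original post or from FreeS/WAN: a generator for the two configurations compared above, the 16 subnet/subnet conn stanzas the A-H diagram would need versus one host-host conn plus the iproute2 GRE commands that carry every other network over it. Router addresses X and Y and the eight networks are constructed for the illustration; the conn keywords are FreeS/WAN's and the tunnel commands are iproute2's.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeS/WAN.
# Generates the two configurations the reply compares for the A-H diagram.
# Addresses are constructed: X and Y are the routers' public addresses,
# A-D the networks behind X, E-H the networks behind Y.
X=192.0.2.1
Y=198.51.100.1
X_NETS="10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 10.4.0.0/24"   # A B C D
Y_NETS="10.5.0.0/24 10.6.0.0/24 10.7.0.0/24 10.8.0.0/24"   # E F G H

# subnet_tunnels: one FreeS/WAN conn per (left subnet, right subnet) pair.
# Four networks a side gives 4 x 4 = 16 stanzas, each needing a matching
# copy on the other router and a new one whenever a network is added.
subnet_tunnels() {
    i=0
    for ln in $X_NETS; do
        for rn in $Y_NETS; do
            i=$((i + 1))
            printf 'conn net%02d\n' "$i"
            printf '    left=%s\n    leftsubnet=%s\n' "$X" "$ln"
            printf '    right=%s\n    rightsubnet=%s\n' "$Y" "$rn"
            printf '    auto=start\n\n'
        done
    done
}

# gre_over_ipsec: a single host-host conn (no subnets, so only X<->Y traffic
# matches the SA) plus the iproute2 commands, as run on X, that wrap every
# other packet in GRE between those same two addresses. GRE packets are
# host-host traffic, so they match the policy and get encrypted; a new network
# on the far side needs only another route over gre1, not another tunnel.
gre_over_ipsec() {
    printf 'conn xy-host\n    left=%s\n    right=%s\n    auto=start\n\n' "$X" "$Y"
    echo "# on X (mirror on Y with local/remote and the gre1 address swapped)"
    echo "ip tunnel add gre1 mode gre local $X remote $Y ttl 255"
    echo "ip addr add 10.255.0.1/30 dev gre1"
    echo "ip link set gre1 up"
    for rn in $Y_NETS; do
        echo "ip route add $rn dev gre1"
    done
}

# conn_count: number of IPsec conn stanzas in a generated config on stdin.
conn_count() {
    grep -c '^conn '
}

echo "subnet/subnet tunnels: $(subnet_tunnels | conn_count) conn stanzas"
echo "host-host + GRE:       $(gre_over_ipsec | conn_count) conn stanza"
```

The firewall side of the reply still applies to the second form: accept IKE and ESP/AH from the peer on the outside interface, accept whatever you route on gre1 only when it arrives over the ipsec interface, and drop plaintext GRE from the outside, otherwise the GRE wrapper is a bypass rather than a convenience.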



