On reflection, I'd argue for 14:
2 = datalink/subnetwork (e.g. bridges)
3 = internet (e.g., supports IP)
4 = end-to-end (e.g., supports TCP)
It's not really a repeater, but bridging is supported, you can connect
via telnet and SSH, and while you CAN use it as a mail server or such,
it's not reall
I'm not sure that is the correct sysServices value. I've always used
snmpconf to calculate the sysServices value.
I believe a better value is 76
1 = physical (e.g. repeater)
2 = datalink/subnetwork (e.g. bridges)
3 = internet (e.g., supports IP)
4 = end-to-end (e.g., supports TCP)
7 = application
Yes, it's not in the SNMP configuration file, but it's easy to fix.
As root, add to /etc/snmp/snmpd.conf:
sysServices 4
which shows that up to and including the internet layer is supported.
Then run
/opt/vyatta/sbin/snmpd.init restart
These are the commands for Glendale, but it'll either be t
My OSS app is trying to discover a Vyatta NE and is being tripped-up by the
lack of a sysServices OID (.1.3.6.1.2.1.1.7.0) in the mib.
Why does vyatta lack this OID while all other commercial NEs have this
included in their system mib?
As a work-around I've tried using snmpset to set the sysServ
Wow, lots of good responses in a hurry.
Thank you.
First, I have many systems and when somebody attacks, I want to close the
network off to that IP, not just a single machine. That implies that I
cannot use IPTABLES directly. Though I did give thought to adding that type of
rule to all systems.
You certainly could (unlike other router vendors :-) ); the trade-off
is where you'd like to put the application and data, and ensure you
keep a copy if you re-install the ISO! If you're managing
multiple systems, you'd probably want to go with an external application.
Of course, if you've instal
Hi Justin,
How about a script that lives on the Vyatta itself? I'm no scripting wizard
by any means, but I imagine that by sitting on the Vyatta you can parse the
logfiles, modify the config file and load it pretty easily, right?
Just a thought from the peanut gallery ;)
Take care,
All
Hi Chris,
I'm not sure if this is exactly what you're looking for, but you can use
the iptables "recent" module for this. It uses the connection tracking
mechanism to keep track of a specified set of behavior and then will
dynamically take action if certain match conditions are met. Example:
One way to do it would be with an expect script that logs in and
updates a firewall rule.
You'd need to track locally when the rule was added, so you could then
remove it, perhaps with a simple text file and a cron job.
Best,
Justin
On Fri, Feb 22, 2008 at 1:08 PM, Christopher Johnson <[EMAIL PR
I have my systems set up to monitor authentication failures. I want one
system to be able to automatically add a firewall rule to deny a particular
IP address. In the best of all worlds, that firewall rule would then expire
at some time in the future.
I.e. "Failed password for root from 35.8.1.1
I've got zenoss set up to monitor lots of systems in my network. It
includes network graphing capabilities as well.
You might want to give it a try. (I've even managed to set up a graphing
function of the amount of toner left in a network printer).
Best,
-Chris
On Wed, Feb 20, 2008 at 6:07 PM,
Hi Paul,
So far Debian hasn't packaged openl2tp yet, but if openl2tp works with
openswan, maybe we can look into that option in the future. Thanks for the info!
An-Cheng
Paul Wakeman wrote:
> You could use openl2tp instead of xl2tpd. I've used this on debian for
> months with openswan and it wo
Hi there,
Thank you for your email. I am currently away on reservist and will only be
back on the 3rd March 2008.
My access to email during this period will be limited.
If there is any urgent matter that requires attention, please contact Choon Kiat
([EMAIL PROTECTED]) during this period and cc
Hi Adrian,
You're right that xl2tpd fixed both issues. However, the email you mentioned
said the fixes were for "openswan's new KLIPS code". The manpage for
"xl2tpd.conf" says essentially the same thing:
...allows tracking of multiple clients using the
same internal NATed IP address, an
Hi Paul,
To be honest, I have not used openl2tp before. I was reading yesterday
about it regarding the multiple L2TP/IPsec clients behind NAT situation.
But it looks like Vyatta opted for xl2tpd.
I was testing further today the Glendale Remote Access with L2TP and
certs scenario.
This time I've built
You could use openl2tp instead of xl2tpd. I've used this on debian for
months with openswan and it works well. Multiple L2TP/IPsec clients
behind NAT works. Openl2tp's config files are different to xl2tpd -
openl2tp comes with its own cli with command completion etc.
-paul
Adrian F. Dimcev wrote:
Hi An-Cheng,
Yesterday I was reading the xelerance xl2tpd change log:
http://www.xelerance.com/software/xl2tpd/CHANGES
And I was under the impression that both issues you've mentioned are fixed.
v1.1.05 references these changes.
In this mail, Paul Wouters also mentions the same things:
http://list
17 matches