Re: [Leaf-user] even more worried

2002-02-27 Thread guitarlynn

By chance you didn't leave IE on when you shut down???
I've seen some banner ads run something similar to a lease
type connection. Yahoo and flipside.com leave a lot of 
residual connections like that tied directly to Win32 clients.


On Wednesday 27 February 2002 22:24, Scott C. Best wrote:
> Anyone ever seen this one before: I shut down my
> WinNT server today to see what TCP/IP traffic a Windows
> machine makes at powerdown. That is, I was tcpdump'ing on
> another LAN member. And I saw this:
>
> 03:29:14.553849 192.168.123.130.1853 > 209.73.225.9.80: R
> 804849242:804849242(0) win 0 (DF) (ttl 128, id 7442)
> 03:29:14.553965 192.168.123.130.1852 > 209.73.225.9.80: R
> 804738457:804738457(0) win 0 (DF) (ttl 128, id 7698)
>
>   I did a whois on 209.73.225.9 and it came up with
> something from either "PFM Communications" or "Cydoor
> Technologies" (they seem to have overlapping IP space).
>
>   I've just started poking around to learn more
> about these, check for spy-ware reports, adding -vv to the
> tcpdump...but I thought I'd ask to see if anyone here has
> seen it before.
>
> cheers,
> Scott
>
> PS: A Windows machine does spew some NetBIOS traffic to
> the broadcast address at shutdown. :) Of course...when
> *doesn't* it do that...
>

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Simon Bolduc

Steve,

I long ago stopped logging hits on port 80, and just have them silently 
denied - it just made the whole messages file too hard to read - you might 
want to consider doing this.

S








Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Simon Bolduc

Hey Craig,

Well to answer your first question, ae is the editor you use, just type ae
at a command prompt and you should be good, then it's just +W to save
the file - so you could just type the file name at the prompt /etc/LaBrea.in
or whatever the file name is

To edit the dhclient-exit-hooks you run lrcfg at a command prompt, then
choose options "3) Package Settings", "4) dhclient" (at least it's the 4th
package on my box), and finally "5) dhclient-exit-hooks"  after you're done
editing you just hit +Q and type y to save the changes.

The easiest way to copy and paste text to your box is to run Putty (at least 
in a windows environment).  You will need to be running SSH to use this.  
SSH is on your Dachstein CD (assuming you're using the CD version).  If you 
aren't running SSH already here is an (older) document that might help to 
get you started:

http://sourceforge.net/docman/display_doc.php?docid=1441&group_id=13751

you can also check the readme.txt contained on the CD:

http://lrp1.steinkuehler.net/files/diskimages/dachstein-CD/README.txt

assuming you are running SSH properly and are using putty, just highlight the
text you want (from the email), right click on it and choose copy.  Then to
paste it into the putty window right click on the window - and it
automagically gets typed in.  Putty tends to mess tabs up though - so you may
have some deleting to do.

Putty is available here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


HTH

S

>From: "Craig Caughlin" <[EMAIL PROTECTED]>
>To: "LEAF" <[EMAIL PROTECTED]>
>Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 11:26:36 -0800
>
>Thank you Simon and Lynn for the responses. Unfortunately, I don't quite
>understand it all (I've taken a college class on Linux because I really
>enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.)
>First, how do I create the /etc/LaBrea.in that you refer to, and how do I
>create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by
>using the ae editor? 2.) How do I "edit the dhclient-exit-hooks to"? Is 
>that
>in the network.conf file or ??? Thank you for your help, have a great 
>day!!!
>
>Craig
>
>P.S. How do you copy and paste with Dachstein?
>









[Leaf-user] even more worried

2002-02-27 Thread Scott C. Best


Anyone ever seen this one before: I shut down my
WinNT server today to see what TCP/IP traffic a Windows
machine makes at powerdown. That is, I was tcpdump'ing on
another LAN member. And I saw this:

03:29:14.553849 192.168.123.130.1853 > 209.73.225.9.80: R
804849242:804849242(0) win 0 (DF) (ttl 128, id 7442)
03:29:14.553965 192.168.123.130.1852 > 209.73.225.9.80: R
804738457:804738457(0) win 0 (DF) (ttl 128, id 7698)

I did a whois on 209.73.225.9 and it came up with
something from either "PFM Communications" or "Cydoor
Technologies" (they seem to have overlapping IP space).

I've just started poking around to learn more
about these, check for spy-ware reports, adding -vv to the
tcpdump...but I thought I'd ask to see if anyone here has
seen it before.

cheers,
Scott

PS: A Windows machine does spew some NetBIOS traffic to
the broadcast address at shutdown. :) Of course...when
*doesn't* it do that...


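As an added example (not from Scott's post), a small Python parser for the classic tcpdump TCP lines shown above: it reads the two packets (re-joined onto single lines, since the mail wrapped them) plus one constructed LAN-internal reset, and reports only resets sent to hosts outside the local prefix, which are the ones worth a whois and a check of what software on the box still had a session open.

```python
import re
from ipaddress import ip_address, ip_network

# Classic tcpdump TCP line, e.g.
#   03:29:14.553849 192.168.123.130.1853 > 209.73.225.9.80: R 804849242:804849242(0) win 0 (DF) (ttl 128, id 7442)
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\)\s+win\s+(?P<win>\d+)"
    r"(?P<rest>.*)$"
)

# Sample capture: the two packets from the post, re-joined onto single lines,
# plus one constructed LAN-internal reset that the report should ignore.
SAMPLE = [
    "03:29:14.553849 192.168.123.130.1853 > 209.73.225.9.80: R 804849242:804849242(0) win 0 (DF) (ttl 128, id 7442)",
    "03:29:14.553965 192.168.123.130.1852 > 209.73.225.9.80: R 804738457:804738457(0) win 0 (DF) (ttl 128, id 7698)",
    "03:29:15.000001 192.168.123.130.1854 > 192.168.123.1.139: R 1:1(0) win 0 (DF) (ttl 128, id 7700)",
]


def parse_tcp_line(line):
    """Parse one tcpdump TCP line into a dict, or return None for anything else."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "src", "dst", "flags")}
    for k in ("sport", "dport", "len", "win"):
        rec[k] = int(m.group(k))
    rest = m.group("rest")
    rec["df"] = "(DF)" in rest
    ttl = re.search(r"ttl (\d+)", rest)
    ipid = re.search(r"id (\d+)", rest)
    rec["ttl"] = int(ttl.group(1)) if ttl else None
    rec["id"] = int(ipid.group(1)) if ipid else None
    return rec


def external_resets(lines, local_net):
    """Return parsed RST packets whose destination lies outside local_net.

    A RST with win 0 and no payload is a socket being torn down without a
    FIN handshake; at shutdown that usually means some client process still
    had (or believed it had) a session open to that remote service."""
    net = ip_network(local_net)
    hits = []
    for line in lines:
        rec = parse_tcp_line(line)
        if rec is None or "R" not in rec["flags"]:
            continue
        if ip_address(rec["dst"]) in net:
            continue  # reset toward a LAN peer: ordinary local teardown
        hits.append(rec)
    return hits


def remote_services(hits):
    """Group external resets by (remote host, remote port) -> local source ports."""
    out = {}
    for h in hits:
        out.setdefault((h["dst"], h["dport"]), []).append(h["sport"])
    return out


if __name__ == "__main__":
    report = remote_services(external_resets(SAMPLE, "192.168.123.0/24"))
    for (host, port), sports in report.items():
        print(f"{host}:{port} reset from local ports {sports} - look up the owner and the local process")
```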



[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Charles Steinkuehler

> I'm currently in a Watchguard training. I'm going to make the WCP
> Certificate.
>
> The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is
> less secure than the routed DMZ. I didn't say anything and thought "Uh, really?
> Why?".

Good for you!

> Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
> Are there even any security related differences?
>
> She told me, that staticNAT with a private DMZ is the better solution if
> you want to save public IP's. I don't think so.
> I think I run into problems with special applications/protocols if using
> staticNAT (passiveFTP, PPTP?)
>
> Discussion is opened

All three of the architectures you mention (static-NAT, routed, and
proxy-arp) have the same basic packet flow:


|
Firewall - DMZ net

Or possibly:


|
Firewall - DMZ net
|
Internal net

The only difference between the "flavors" of DMZ you mention is what IP
addresses and subnet labels get attached to each interface...the security
(or lack thereof) depends entirely on what the firewall is doing with the
packet data.

If you've got a flexible mechanism for building firewall rules, it shouldn't
matter which architecture you pick...you should be able to implement your
desired firewall functionality with any of the DMZ flavors.

NOTE:  There are specific things you need to watch for depending on the DMZ
architecture.  For instance, the Dachstein firewall rules implement routed,
static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are
blindly accepted in the input chain (to be sorted later).  If you're running
static-NAT or proxy-arp, the firewall probably has an IP that overlaps with
the DMZ network, so you've just potentially opened your firewall's external
IP to the world with no filtering!  For the curious, that's why the dmz-in
and dmz-spoof ipchains are created in this situation...IPs destined for the
local box are routed back through the input rule chain, while packets truly
destined for the DMZ are accepted in the input chain, then filtered in the
forward chain.

Charles Steinkuehler
[EMAIL PROTECTED]


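An added illustration (not from Charles's post or from the Dachstein scripts) of the ordering problem described above, written as a small Python model of the ipchains input/forward walk: with a proxy-arp DMZ the firewall's own external address sits inside the DMZ subnet, so an input rule that blindly accepts "anything for the DMZ net" also accepts packets for the firewall itself, and those are delivered locally without ever reaching the forward chain; a dmz-in style check sends such packets back through the local input policy first. All addresses are constructed TEST-NET values and the two policies are placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (TEST-NET addresses), not taken from the list post.
DMZ_NET = ip_network("203.0.113.0/24")          # proxy-arp DMZ: same subnet as the external link
FW_EXT_IP = ip_address("203.0.113.1")           # the firewall's own external address, inside DMZ_NET
FW_LOCAL_IPS = {FW_EXT_IP, ip_address("192.168.1.254")}
DMZ_SERVICES = {("203.0.113.20", 80), ("203.0.113.20", 25)}   # what the forward chain lets through
ADMIN_NET = ip_network("198.51.100.0/24")       # the only place the firewall itself may be managed from


def input_policy_for_local(pkt):
    """Placeholder input-chain rules for traffic addressed to the firewall itself."""
    if pkt["dport"] == 22 and ip_address(pkt["src"]) in ADMIN_NET:
        return "ACCEPT"
    return "DENY"


def forward_policy(pkt):
    """Placeholder forward-chain rules: this is where the real DMZ filtering lives."""
    return "ACCEPT" if (pkt["dst"], pkt["dport"]) in DMZ_SERVICES else "DENY"


def walk(pkt, with_dmz_in):
    """Return (verdict, path) for a packet arriving on the external interface."""
    dst = ip_address(pkt["dst"])
    path = []
    if dst in DMZ_NET:
        if with_dmz_in and dst in FW_LOCAL_IPS:
            # dmz-in: a DMZ-net destination that is really the firewall itself is sent
            # back through the local input rules instead of being blindly accepted.
            verdict = input_policy_for_local(pkt)
            path.append("input:dmz-in:" + verdict)
        else:
            verdict = "ACCEPT"
            path.append("input:ACCEPT (dmz net, sort later)")
    else:
        verdict = input_policy_for_local(pkt)
        path.append("input:" + verdict)
    if verdict != "ACCEPT":
        return verdict, path
    # Routing decision: locally addressed packets never enter the forward chain.
    if dst in FW_LOCAL_IPS:
        path.append("local delivery (forward chain never consulted)")
        return "ACCEPT", path
    verdict = forward_policy(pkt)
    path.append("forward:" + verdict)
    return verdict, path


def exposure_report(with_dmz_in):
    """Verdicts for three probes from an outside host, keyed by (destination, port)."""
    probes = [
        {"src": "192.0.2.99", "dst": "203.0.113.20", "dport": 80},   # web to a DMZ host: should pass
        {"src": "192.0.2.99", "dst": "203.0.113.20", "dport": 23},   # telnet to a DMZ host: filtered in forward
        {"src": "192.0.2.99", "dst": "203.0.113.1", "dport": 23},    # telnet to the firewall itself
    ]
    return {(p["dst"], p["dport"]): walk(p, with_dmz_in)[0] for p in probes}


if __name__ == "__main__":
    for mode in (False, True):
        print("with dmz-in" if mode else "blind accept", exposure_report(mode))
```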



[Leaf-user] RE: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Sandro Minola

Hi Charles, hi all

> > I'm currently in a Watchguard training. I'm going to make the WCP
> > Certificate.
> >
> > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is
> > less secure than the routed DMZ. I didn't say anything and thought
> > "Uh, really? Why?".
>
> Good for you!

Good for me that I didn't say anything or good for me that I'm going to make
the WCP? :)

Thanks a lot for your explanation!

Unfortunately, you can't define in which chain rules go. (Watchguard
Fireboxes run on a highly modified kernel 2.0.38)
I don't know in which chain they organize their DMZ stuff.

She told me, that she'll explain the whole DMZ stuff more exactly tomorrow.
Let's see if she knows what she's talking about... ;)

Other opinions than Charles'?

---
Sandro Minola   | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola

> -Original Message-
> From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 27, 2002 7:43 PM
> To: Sandro Minola; Leaf-User; Leaf-Devel
> Subject: Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ
> insecure?
>
>
>
> > Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
> > Are there even any security related differences?
> >
> > She told me, that staticNAT with a private DMZ is the better solution if
> > you want to save public IP's. I don't think so.
> > I think I run into problems with special applications/protocols if using
> > staticNAT (passiveFTP, PPTP?)
> >
> > Discussion is opened
>
> All three of the architectures you mention (static-NAT, routed, and
> proxy-arp) have the same basic packet flow:
>
> 
> |
> Firewall - DMZ net
>
> Or possibly:
>
> 
> |
> Firewall - DMZ net
> |
> Internal net
>
> The only difference between the "flavors" of DMZ you mention is what IP
> addresses and subnet labels get attached to each interface...the security
> (or lack thereof) depends entirely on what the firewall is doing with the
> packet data.
>
> If you've got a flexible mechanism for building firewall rules, it shouldn't
> matter which architecture you pick...you should be able to implement your
> desired firewall functionality with any of the DMZ flavors.
>
> NOTE:  There are specific things you need to watch for depending on the DMZ
> architecture.  For instance, the Dachstein firewall rules implement routed,
> static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are
> blindly accepted in the input chain (to be sorted later).  If you're running
> static-NAT or proxy-arp, the firewall probably has an IP that overlaps with
> the DMZ network, so you've just potentially opened your firewall's external
> IP to the world with no filtering!  For the curious, that's why the dmz-in
> and dmz-spoof ipchains are created in this situation...IPs destined for the
> local box are routed back through the input rule chain, while packets truly
> destined for the DMZ are accepted in the input chain, then filtered in the
> forward chain.
>
> Charles Steinkuehler
> [EMAIL PROTECTED]
>
>





[Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Craig Caughlin

Thank you Simon and Lynn for the responses. Unfortunately, I don't quite
understand it all (I've taken a college class on Linux because I really
enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.)
First, how do I create the /etc/LaBrea.in that you refer to, and how do I
create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by
using the ae editor? 2.) How do I "edit the dhclient-exit-hooks to"? Is that
in the network.conf file or ??? Thank you for your help, have a great day!!!

Craig

P.S. How do you copy and paste with Dachstein?








[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Charles Steinkuehler

> > > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is
> > > less secure than the routed DMZ. I didn't say anything and thought
> > > "Uh, really? Why?".
> >
> > Good for you!
>
> Good for me that I didn't say anything or good for me that I'm going to
> make the WCP? :)

Good for you that you question rather than simply believe...

> Unfortunately, you can't define in which chain rules go. (Watchguard
> Fireboxes run on a highly modified kernel 2.0.38)
> I don't know in which chain they organize their DMZ stuff.
>
> She told me, that she'll explain the whole DMZ stuff more exactly
> tomorrow.
> Let's see if she knows what she's talking about... ;)

Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform.
As there are things you can do with 2.4 kernels and iptables that are
difficult or impossible with ipchains, there's a *LOT* you can't do with a
2.0 kernel's packet filtering.  I'm not familiar enough with the 2.0 stuff
to know for sure, but that could very well be why a proxy-arp based DMZ
isn't as secure.  If so, just note that it's an artificial limitation of the
firewall, and not a basic problem with the topology.

Charles Steinkuehler
[EMAIL PROTECTED]





[Leaf-user] ramdisk_size question...

2002-02-27 Thread Adrian Stovall

Hi again all...I have a new question...I made sure (repeatedly) that I had
entered "ramdisk_size=32768" in my syslinux.cfg file, however, df -k reports
that /dev/root has 6144 blocks allocated (which are 100% used).  How do I
convince my router that it's supposed to use what I told it to?

I have 256 Meg installed in this machine, so I'm fairly sure that's a valid
number to use for ramdisk_size...am I missing something? 

I've been searching the 'net for info, and will continue to do so, but
haven't found anything yet.

TIA

Adrian




Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-02-27 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > I was not certain what it is that you want to see -- see below.
> >
> > tcpdump output, run on the local DCD :
> 
> OK, this helps, but I'm still not sure what I'm looking at.  Which interface
> did you run the tcpdump on?  I'm guessing from the packet traffic we're
> looking at the upstream interface, and not the DMZ interface, but it's hard
> to be sure...
> 
> Your first case:
> 
> > [1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157)
> >
> > 14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
> > 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> > 14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
> > 14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
> > 14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> > 14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
> 
> 
> This is just wacky...looks like the remote system sends an SNMP query,
> followed by your firewall sending a UDP query back to the remote system.
> Finally, the remote system replies with a "destination unreachable" packet,
> probably meaning inbound UDP packets are firewalled (or connection tracked).

Hence, my confusion . . .

> My best guess at this point is that your outbound UDP traffic is being
> masqueraded, and the packet:
> 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> is actually the SNMP response, being masqueraded by your firewall...
> 
> NOTE:  All UDP traffic (other than DNS) is masqueraded from the DMZ using
> the default Dachstein firewall rules, which could explain the above traffic.
> Even so, the difference between [1], above, and [2], below, has me
> confused...something had to change between these two samples (or perhaps an
> unnoted change in the test procedure?).

Yes, same test; but, tcpdump on different interface -- see below.

> Your second case:
> 
> > [2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port (w.x.z.157)
> >
> > 14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> > 14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
> > 14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
> > 14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> > 14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
> > 14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
> 
> 
> This looks a bit more normal...what changed between this trace and the first
> trace?  Your description is identical.
> 
> Here you're seeing the SNMP request, followed by an SNMP response, and
> finally the ICMP "destination unreachable" message back from the remote
> host.  It sure looks like "a.b.c.d" is firewalling or otherwise dropping
> your response packets...

a.b.c.d is an internet address on the external IF of a remote DCD,
behind which is the debian potato from which I tried to snmpwalk the
subject dmz hosts.

> Finally, we get to:
> 
> > [3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157)
> >
> > 14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> > 14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> 
> 
> Here we've got nothing but the query packets...no response traffic at all.

This is local DCD to local dmz attempted snmpwalk -- identical query to
the previous, remote queries.

> Without knowing which port you're running tcpdump on, and some more details
> about your test, I can't help much more...
> 
> Try to forget everything you know about your network architecture, and look
> at line [3], above.  To me, this is saying you're trying to access your
> internal DMZ host via SNMP from the firewall's external port.  For one, this
> doesn't really even make sense...if the firewall's talking SNMP to the DMZ,
> the traffic will be going out the DMZ interface, with a source IP of the
> DMZ's primary address.  I'm not even sure how you'd get snmpwalk or
> something to use the external IP over the default interface IP.  Not knowing
> which interface the tcpdump came from is also kind of limiting.

See ip addr and ip route output below.

> Any interesting results when looking at the packet counts in your ipchains
> rules?

No -- nothing is logged and when I subtract the obvious:
# ipchains -nvL | grep -v '\(ACCEPT\|-l-\)'
there is nothing that I find interesting in remaining output.

=

I am sorry; but, I thought that I differentiated each of my examples.
Is there a way to get tcpdump to listen to more than one (1) interface at
a time?  -i any does *not* work . . .

This is the invocation, al

[Leaf-user] No firewall / more networks

2002-02-27 Thread brooksp

Kindest greetings,
Can anyone help me out and give me some information on the following two
points.
I currently run Dachstein CD and it works a treat, fair play to all
involved.
Firstly, I want to know if it is possible to run as a general router without
firewalling.
And secondly, if it is possible to route between 3 or 4 different networks,
and if so, how can it be done?
Does setting the IP Filter Switch to 'router' in network.conf disable the
firewall scripts?
Any help on details of how to add settings for more eth cards in
network.conf would be appreciated.
Only static IP addresses will be used and the box will be firewalled from
the internet.

Thanks in advance,

Paul.





[Leaf-user] LRP's firewalling capability

2002-02-27 Thread Antai Ning

Hi gurus,

I just set up a LRP box using Eiger 2.2.16 with pppoe support by Mike Leone.
It's working fine with Bell Canada's Sympatico adsl service. Thanks to all
who have put efforts on this image and LRP!

Here is my question though.

How strong is its firewalling capability? Is it just doing stateless packet
filtering by using ipchains? Can it do stateful filtering? (know which session
a packet belongs to). Can it do proxy level of filtering as well? (e.g,
application level filtering such as url blocking, email scanning, virus
filtering, etc.)

Thanks in advance!


Andy








SUMMARY?: [Leaf-user] newbie question (Bering/2.4/IDE)

2002-02-27 Thread Adrian Stovall

Whew! today was an adventure...I decided that I wanted to try to compile all
the modules that I need/use into my own 2.4 kernel (ide, eepro, pci, etc).  

I grabbed the latest kernel source, put it on my old, rusty Pentium Pro
200/redhat 6.2 box, and followed the instructions in the readme (spent a
while updating gcc and other packages that were a bit out-of-date in my
distro).  

I used the bering.config as my starting point, and started changing m's,
y's, and n's as appropriate and copied it as .config in the dir I untarred
the kernel stuff in.  I ran make oldconfig and make dep, made a bzImage,
copied it to the HD of my router as "linux", etc...several hours and a few
passes of syslinux later, I managed to get 2.4 to boot from the HD without
having to include modules.lrp.  Next up is some more slimming...

I am a very happy man.  If I can get the perl package to load successfully,
I'll be a very happy man (and I'll work on getting a configuration utility
I've been writing in perl to go).

I want to thank everyone who responded...I may not follow everyone's advice,
but seeing the suggestions that people had made it easier for me to decide
what road to travel.  If I come up with any useful utilities, I'll be sure
to let everybody in on it.


-Original Message-
From: Brad Fritz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 6:41 AM
To: Adrian Stovall
Cc: LEAF (E-mail)
Subject: Re: [Leaf-user] newbie question (Bering/2.4/IDE) 



On Tue, 26 Feb 2002 14:48:09 CST Adrian wrote:

> Hi all...I had successfully finished a previous install with a 2.2.19-IDE
> kernel and run from a small IDE HD.  

Cool.
 
> What I would like to do is repeat this with a 2.4 kernel (currently messing
> around with Bering Beta4...no probs running from floppy).  What do I need to
> do to make this run from a hard drive?
> 
> I'm hoping for something other than "compile a 2.4 kernel with IDE support
> enabled", but I'll try to if I have no choice (severe lack of experience
> with compiling a kernel on my own).

Compiling a 2.4 kernel with IDE support using Jacques' kernel
config [1] as a starting point shouldn't be too bad.  For an
alternative solution, read on...

> Is there a 2.4-IDE kernel out there?  Am I stupid, and there's some simple
> config option to make the Bering 2.4 kernel boot from my HD?

I recently setup Bering (beta 3) on a compact flash card plugged
into a CF-to-IDE adaptor.  I use the stock kernel with the
IDE modules loaded via the initrd image.  This isn't necessarily
easier than recompiling the kernel, but if you *really* want to
avoid re-compiling the kernel, the procedure below should work.

Disclaimer:
This is mostly from memory, so there may be a few mistakes.  I am
also assuming the hard disk is /dev/hdc and is temporarily
installed in a full-blown Linux system for installation of Bering.

  1. Format a partition of your HDD with an MS-DOS filesystem
     as described in Charles' LRP Hard Disk HOWTO [2] or with
     the Linux fdisk and mkfs.msdos commands [3].

  2. Mount a copy of the Bering image somewhere convenient:

   mount -o loop /tmp/bering-1680-b4.bin /mnt/disk/

  3. Uncompress a copy of the Bering initrd.lrp:

   gunzip -c < /mnt/disk/initrd.lrp > /tmp/initrd

  4. Mount the uncompressed ramdisk image:

   mount -o loop /tmp/initrd /mnt/initrd

  5. Copy the ide-disk.o, ide-mod.o, and ide-probe-mod.o modules
 from the ide directory of Jacques' modules directory [4] to
 the mounted initrd image:

   cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \
  /mnt/initrd/boot/lib/modules/

  6. Add lines to boot/etc/modules of the initrd image to load
 the ide modules:

   echo ide-mod   >> /mnt/initrd/boot/etc/modules
   echo ide-disk  >> /mnt/initrd/boot/etc/modules
   echo ide-probe-mod >> /mnt/initrd/boot/etc/modules

  7. Unmount the initrd image:

   umount /mnt/initrd

  8. Mount the MS-DOS partition you created on the hard drive:

   mount /dev/hdc1 /mnt/newdisk

  9. Copy all files from the Bering image to the new disk:

   cp /mnt/disk/* /mnt/newdisk

 10. Replace the old initrd.lrp with the new one:

   gzip -9 < /tmp/initrd > /mnt/newdisk/initrd.lrp

 11. Edit syslinux.cfg on the new disk and change the fd0u1680
 references to hdc1.

 12. Unmount the hard drive:
   umount /mnt/newdisk

 13. Run syslinux on the hard drive partition:

   syslinux /dev/hdc1

 14. Cross your fingers and try to boot from the new image. :)
 If you run into problems, setting the VERBOSE and DEBUG
 flags in /linuxrc (in the initrd file system) may help
 debugging them.


> I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual
> EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD.
> 
> Any info is *greatly* appreciated.

I've probably missed a few details here or there, but it should
give you an idea for an approach that doesn't require a kernel
recompilealthough r

Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Steve Jeppesen

I have to say - Simon, along with Charles posted on the list about a week ago
and this is how I set mine up last week.  I did pretty much the same thing
Simon posted, except I took the v (Verbosely log activity to syslog)
out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was
pushing 98% capacity in a matter of a few hours!

 #1 Seems LaBrea is working just fine, too good actually because it is drawing
in some active port scanning as well, it just increases after they
realized something (LaBrea) answered them back.

I could just change
 and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf
to read
 tcp dst port 80 or 21)
however I think I would rather just keep it the way it is.

 #2 It would work even better - say that when any IP gets teergrubed,
LaBrea (or some other package?) could run a small script to stop logging
anything else to do with that IP..

Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21

preferably I would not want this to show up in the log after the previous msg;

Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)

On Wed, 27 Feb 2002 11:14:28 -0500

Now with the changes I made, and uptime is over three days;
Uptime:
 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01

my ramdisk is fine; 
/dev/ram1 4049   359  3690   9% /var/log

That I can live with.

Thanks again to all your help!
Steve

"Simon Bolduc" <[EMAIL PROTECTED]> wrote:

> This is from the mailing list (modified slightly) - it is a little script
> that greps your external IP and reconfigures LaBrea on an IP change:
> 
> 1.  Create /etc/LaBrea.in  have it contain the following:
> 
> dst host 
>  and tcp[2:2] & 0xfc00 == 0
>  and not dst port (port # of any services you run that use ports below
> 1024 like ssh or ftp or www)
> 
> 2.  Create /etc/LaBrea.scr   it should contain the following:
> 
> #!/bin/sh
> 
> IPADDR=`ip addr list label eth0 | grep inet | \
> sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
> 
> sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
> 
> 
> 3.  Allow LaBrea.scr to be executable:
> 
> chmod 744 /etc/LaBrea.scr
> 
> 4.  Edit the dhclient-exit-hooks to with the following changes:
> 
> # Reload networking to see new address
>reload_all
> 
> Add a few lines so you have
> 
> # Reload networking to see new address
>reload_all
>/etc/LaBrea.scr
>svi LaBrea stop
>svi LaBrea start
> 
> 5.  Back up dhclient and LaBrea - all done :)
> 
> Just so you know the filter will block all ports below 1024 (which are the
> ports that are normally denied automatically by Dachstein), make sure you
> aren't running any services on those ports - or alter the bpf accordingly.
> If you only have one IP address like I do here are the options that I use to
> make sure my box doesn't proactively look for unused IPs (contained in the
> LaBrea startup script):
> 
> OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf"
> 
> 
> Also everything is case sensitive in Linux - thus labrea and LaBrea are two
> totally different words to the OS - so make sure you are typing things
> correctly.  You may just want to cut and paste.
> 
> 
> HTH
> S
> 
> 
> 
> >From: "Craig Caughlin" <[EMAIL PROTECTED]>
> >To: "LEAF" <[EMAIL PROTECTED]>
> >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
> >Date: Wed, 27 Feb 2002 07:33:33 -0800
> >
> >Hi folks,
> >I'm confused (what else is new :-) ). Will LaBrea work with the "default"
> >Dachstein CD (which acts as both a DHCP client & Server)? or would I need
> >to change DCD for static addresses? I have my generic, Dachstein CD working
> >O.K., and would like to incorporate LaBrea...but I can't seem to figure out
> >if it will work with the default DCD. Thank you, have a great day!
> >
> >Craig
> >
> >
> 

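As an added example, not from Steve's or Simon's posts, here is a Python log post-filter for exactly the two syslog formats shown above: once a LaBrea "Teergrubing" line has been seen for a source, later kernel "Packet log: ... DENY" lines from that source are dropped from the output and counted instead. The sample lines are the ones from the post, re-joined onto single lines, plus two constructed lines (one DENY logged before the tarpit notice and one from a different source) that must survive the filter.

```python
import re

# LaBrea's own syslog line, e.g.
#   Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21
TEERGRUB = re.compile(
    r"LaBrea: Teergrubing: (?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)"
)
# ipchains kernel packet log line, e.g.
#   ... kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 ...
PKTLOG = re.compile(
    r"kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

SAMPLE_LOG = [
    # constructed: a DENY logged *before* the tarpit notice, so it must be kept
    "Feb 27 05:44:10 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15800 F=0x4000 T=25 (#67)",
    # the lines from the post, re-joined onto single lines
    "Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21",
    "Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)",
    "Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)",
    "Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)",
    "Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)",
    # constructed: an unrelated source, must be kept
    "Feb 27 05:44:30 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3321 24.118.176.41:80 L=40 S=0x00 I=17001 F=0x4000 T=51 (#67)",
]


def _key(m, by_flow):
    """Suppression key: the source address alone (what the post asks for) or the full 4-tuple."""
    if by_flow:
        return (m["src"], m["sport"], m["dst"], m["dport"])
    return m["src"]


def filter_log(lines, by_flow=False):
    """Return (kept_lines, suppressed_count_by_source).

    Order matters: only DENY lines logged after the Teergrubing notice are
    dropped, so the first contact from each source stays on record."""
    tarpitted = set()
    kept, suppressed = [], {}
    for line in lines:
        m = TEERGRUB.search(line)
        if m:
            tarpitted.add(_key(m, by_flow))
            kept.append(line)  # the tarpit notice itself is the one line worth keeping
            continue
        m = PKTLOG.search(line)
        if m and m["verdict"] == "DENY" and _key(m, by_flow) in tarpitted:
            suppressed[m["src"]] = suppressed.get(m["src"], 0) + 1
            continue
        kept.append(line)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_log(SAMPLE_LOG)
    print("\n".join(kept))
    for src, n in suppressed.items():
        print(f"# suppressed {n} DENY lines from tarpitted source {src}")
```

Run as a post-filter over the messages file (or a pipe from syslog) this keeps the first sighting and the tarpit notice for each source and drops the repeats that were filling Steve's ramdisk; switch to by_flow=True to suppress only the exact tarpitted connection rather than everything from that address.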



Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-02-27 Thread Charles Steinkuehler

> I was not certain what it is that you want to see -- see below.
>
> tcpdump output, run on the local DCD :

OK, this helps, but I'm still not sure what I'm looking at.  Which interface
did you run the tcpdump on?  I'm guessing from the packet traffic we're
looking at the upstream interface, and not the DMZ interface, but it's hard
to be sure...

Your first case:

> [1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external
port (w.x.z.157)
>
> 14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
> 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> 14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
> 14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
> 14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> 14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]


This is just wacky...looks like the remote system sends an SNMP query,
followed by your firewall sending a UDP query back to the remote system.
Finally, the remote system replies with a "destination unreachable" packet,
probably meaning inbound UDP packets are firewalled (or connection tracked).

My best guess at this point is that your outbound UDP traffic is being
masqueraded, and the packet:
14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
is actually the SNMP response, being masqueraded by your firewall...

NOTE:  All UDP traffic (other than DNS) is masqueraded from the DMZ using
the default Dachstein firewall rules, which could explain the above traffic.
Even so, the difference between [1], above, and [2], below, has me
confused...something had to change between these two samples (or perhaps an
unnoted change in the test procedure?).

Your second case:

> [2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port
(w.x.z.157)
>
> 14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
> 14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
> 14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
> 14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
> 14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
> 14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]


This looks a bit more normal...what changed between this trace and the first
trace?  Your description is identical.

Here you're seeing the SNMP request, followed by an SNMP response, and
finally the ICMP "destination unreachable" message back from the remote
host.  It sure looks like "a.b.c.d" is firewalling or otherwise dropping
your response packets...

Finally, we get to:

> [3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66) via
DCD external port (w.x.z.157)
>
> 14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
> 14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]


Here we've got nothing but the query packets...no response traffic at all.

Without knowing which port you're running tcpdump on, and some more details
about your test, I can't help much more...

Try to forget everything you know about your network architecture, and look
at line [3], above.  To me, this is saying you're trying to access your
internal DMZ host via SNMP from the firewall's external port.  For one, this
doesn't really even make sense...if the firewall's talking SNMP to the DMZ,
the traffic will be going out the DMZ interface, with a source IP of the
DMZ's primary address.  I'm not even sure how you'd get snmpwalk or
something to use the external IP over the default interface IP.  Not knowing
which interface the tcpdump came from is also kind of limiting.

Any interesting results when looking at the packet counts in your ipchains
rules?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


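Charles's reading of the three traces above can be mechanised. The script below is an added example, not something from the thread or from Dachstein: it pairs each query to UDP port 161 with whatever later answers that client port, reports whether the answer came from the host that was asked or from a different address (what case [1] looks like when the DMZ's UDP replies are masqueraded), and counts the ICMP "udp port N unreachable" errors the remote host sends back (case [2]). The sample lines are constructed from the posted traces, unwrapped to one line per packet as tcpdump prints them, with the same placeholder addresses; the verdict keywords are this example's own.

```shell
#!/bin/sh
# Added example: triage SNMP/UDP exchanges in tcpdump output.
# Not from the thread or Dachstein; verdict keywords are this script's own.

# snmp_triage: read tcpdump lines on stdin, print one summary line.
#   requests    = queries sent to UDP port 161
#   direct      = answers whose source is the host that was queried
#   rewritten   = answers to a queried client that come from a different
#                 address (the masquerading symptom seen in case [1])
#   unreachable = ICMP "udp port N unreachable" errors seen
snmp_triage() {
    awk '
    # "a.b.c.d.64861" -> host "a.b.c.d", port "64861" (split at the last dot)
    function host(ep,   n) { n = match(ep, /\.[0-9]+$/); return substr(ep, 1, n - 1) }
    function port(ep,   n) { n = match(ep, /\.[0-9]+$/); return substr(ep, n + 1) }
    $3 == ">" {
        sub(/:$/, "", $4)
        # "a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable ..."
        if ($5 == "icmp:" && $7 == "udp" && $8 == "port" && $10 == "unreachable") {
            unreach++; next
        }
        if (port($4) == "161") {          # query: remember which host was asked
            asked[$2] = host($4); req++; next
        }
        if ($4 in asked) {                # something answered a client we saw ask
            if (host($2) == asked[$4]) direct++; else rewritten++
        }
    }
    END {
        v = "unanswered"
        if (rewritten > 0)                  v = "masqueraded"
        else if (direct > 0 && unreach > 0) v = "direct-rejected"
        else if (direct > 0)                v = "ok"
        if (req == 0)                       v = "no-requests"
        printf "requests=%d direct=%d rewritten=%d unreachable=%d verdict=%s\n", req, direct, rewritten, unreach, v
    }'
}

# Constructed samples, modelled on the three traces posted above (lines
# unwrapped, two packets per case, same placeholder addresses).
CASE1='14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity GetNextRequest(17) [|snmp]
14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity GetNextRequest(17) [|snmp]
14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]'

CASE2='14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity GetResponse(3)[|snmp]
14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity GetResponse(3)[|snmp]
14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]'

CASE3='14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]
14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161:  C=privateCommunity GetNextRequest(3)[|snmp]'

# Stand-alone run: one summary line per case.
for c in "$CASE1" "$CASE2" "$CASE3"; do
    printf '%s\n' "$c" | snmp_triage
done
```

Feed it the output of a capture restricted to the traffic in question, for example `tcpdump -n -i <interface> udp port 161 or icmp | snmp_triage` on the interface you are actually testing. A "masqueraded" verdict tells you the reply left the firewall with its own source address, which is the default Dachstein handling of non-DNS UDP from the DMZ that the reply above describes; "direct-rejected" means the DMZ host answered itself and the remote host refused the reply; "unanswered" is case [3], where only the capture interface and the ipchains counters can say more.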



Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-02-27 Thread Charles Steinkuehler

> We have a DCD setup, including a proxy dmz.
>
> SNMP queries work everywhere, excepting systems residing on that dmz.
> Let me clarify that: snmp queries respond properly from clients inside
> the private network; but, *not* from the DCD firewall nor internet
> hosts.
>
> Running iptraf on the firewall, we see the snmp queries properly
> forwarded to the dmz host; but, *nothing* returns from that host.
> Instead, we see a flurry of these:
>
>  ICMP; lo; 99 bytes; from bluetrout.private.network \
> to bluetrout.private.network; dest unrch (port)
>
> Notice that bluetrout is the firewall.
>
> We're unclear as to why snmp queries have anything to do with icmp.
>
> What is going on here?  What are possible solutions?
>
> What do you think?

Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly?

Since it sounds like the packets may actually be getting to the DMZ host, do
you maybe have a network configuration issue on that system?

Your error report lacks enough detail for me to figure out exactly what's
happening...not only am I unfamiliar with iptraf output (more of a tcpdump
man), IP addresses would be more helpful (does the above really indicate
your firewall is pinging itself over the loopback interface, like I think it
does?), as well as other details (like details on the packets that you think
were OK and went through to the DMZ host).

If your local net can see SNMP services on the DMZ host (you indicate it
can), but the firewall cannot, something weird is going on.  The internal
snmp requests should be using the same query IP as the firewall, since the
internal net is masqueraded to the DMZ.  Are your firewall rules blocking
anything?  Did you remember to check (watch the byte/packet counts before
and after trying to access your non-working service)?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





[Leaf-user] FW: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Sandro Minola

Hi Charles, hi all

> Good for you that you question rather than simply believe...
Ahh.. OK :)

> > Unfortunately, you can't define in which chain rules go. (Watchguard
> > Fireboxes run on a highly modified kernel 2.0.38)
> > I don't know in which chain the organize their DMZ stuff.

> Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform.
> As there are things you can do with 2.4 kernels and iptables that are
> difficult or impossible with ipchains, there's a *LOT* you can't do with a
> 2.0 kernel's packet filtering.  I'm not familiar enough with the 2.0 stuff
> to know for sure, but that could very well be why a proxy-arp based DMZ
> isn't as secure.  If so, just note that it's an artificial
> limitation of the
> firewall, and not a basic problem with the topology.

Please note that, according to my trainer, Watchguard doesn't use a standard
2.0 kernel at all. They rewrote the whole TCP/IP stack and the firewalling
part. I don't know how far this is true. I'm sure they've still some parts
of the original 2.0 code in their stack.

I'll ask her for more details and let you know.

---
Sandro Minola   | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola





Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Simon Bolduc

The reason I have the verbose logging is because I remotely log the 
information and generate a web page that lists the time frames I was hit by 
an IP and how many packets have been sent to me by each IP.  I suppose I 
should have left that out - as I have to reset my log files every 2 hours or 
so. :)

Oops

Simon


>From: Steve Jeppesen <[EMAIL PROTECTED]>
>To: "Simon Bolduc" <[EMAIL PROTECTED]>, leaf-user 
><[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 12:50:36 -0600
>
>I have to say - Simon, along with Charles posted on the list about a week
>ago
>and this is how I set mine up last week.  I did pretty much the same thing
>Simon posted, except I took out the v (Verbosely log activity to syslog)
>out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was
>pushing 98% capacity in a matter of a few hours!
>
>  #1 Seems LaBrea is working just fine, too good actually because it is
>drawing
>in some active port scanning as well, just increases after they
>realized something (LaBrea) answered them back.
>
>could just change
>  and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf
>to read
>  tcp dst port 80 or 21)
>however I think I would rather just keep it the way it is.
>
>  #2 It would work even better - say that when any IP that gets teergrubed
>LaBrea (or some other package?) could run a small script to stop logging
>anything else to do with
>that IP..
>
>Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427
>-> 24.118.176.41 21
>
>preferably I would not want this to show up in the log after the previous
>msg;
>
>Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
>Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
>Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
>Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6
>80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67)
>
>On Wed, 27 Feb 2002 11:14:28 -0500
>
>Now with the changes I made, and uptime is over three days;
>Uptime:
>  12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01
>
>my ramdisk is fine;
>/dev/ram1 4049   359  3690   9% /var/log
>
>That I can live with.
>
>Thanks again to all your help!
>Steve
>
>"Simon Bolduc" <[EMAIL PROTECTED]> wrote:
>
> > This is from the mailing list (modified slightly) - it is a little
>script
> > that greps your external IP and reconfigures LaBrea on an IP change:
> >
> > 1.  Create /etc/LaBrea.in  have it contain the following:
> >
> > dst host 
> >  and tcp[2:2] & 0xfc00 == 0
> >  and not dst port (port # of any services you run that use ports
>below
> > 1024 like ssh or ftp or www)
> >
> > 2.  Create /etc/LaBrea.scr   it should contain the following:
> >
> > #!/bin/sh
> >
> > IPADDR=`ip addr list label eth0 | grep inet | \
> > sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
> >
> > sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf
> >
> >
> > 3.  Allow LaBrea.scr to be executable:
> >
> > chmod 744 /etc/LaBrea.scr
> >
> > 4.  Edit the dhclient-exit-hooks with the following changes:
> >
> > # Reload networking to see new address
> >reload_all
> >
> > Add a few lines so you have
> >
> > # Reload networking to see new address
> >reload_all
> >/etc/LaBrea.scr
> >svi LaBrea stop
> >svi LaBrea start
> >
> > 5.  Back up dhclient and LaBrea - all done :)
> >
> > Just so you know the filter will block all ports below 1024 (which are
>the
> > ports that are normally denied automatically by Dachstein), make sure
>you
> > aren't running any services on those ports - or alter the bpf
>accordingly.
> > If you only have one IP address like I do here are the options that I
>use to
> > make sure my box doesn't proactively look for unused IPs (contained in
>the
> > LaBrea startup script):
> >
> > OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf"
> >
> >
> > Also everything is case sensitive in Linux - thus labrea and LaBrea are
>two
> > totally different words to the OS - so make sure you are typing things
> > correctly.  You may just want to cut and paste.
> >
> >
> > HTH
> > S
> >
> >
> >
> > >From: "Craig Caughlin" <[EMAIL PROTECTED]>
> > >To: "LEAF" <[EMAIL PROTECTED]>
> > >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
> > >Date: Wed, 27 Feb 2002 07:33:33 -0800
> > >
> > >Hi folks,
> > >I'm confused (what else is new :-) ). Will LaBrea work with the
>"default"
> > >Dachstein CD (which acts as both a DHCP client & Server)? or would I
>need
> > >to
> > >change DCD for static addresses? I have my generic, Dachstein CD
>working
> > >O.K., and would like to incorporate LaBrea...but I can't seem to figure
>out
> > >if it will work with the 
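Steve's second wish above (once LaBrea has reported an address as teergrubed, stop logging the kernel DENY lines for that same connection) can be done as a filter on the way to the remote logger rather than inside LaBrea. The filter below is an added example, not part of LaBrea, Dachstein or the thread, and the function name is its own. It keys on the full source:port destination:port pair from the Teergrubing line, so the DENY lines for that connection's retransmitted SYNs go quiet while a new probe from the same address to another port is still logged. The sample lines are constructed in the format of the log excerpt above, with documentation addresses in place of real hosts.

```shell
#!/bin/sh
# Added example: drop kernel DENY lines for connections LaBrea has already
# reported as teergrubed. Not part of LaBrea or the thread; the function
# name is this script's own. Meant to sit in front of the remote logger,
# e.g.  tail -F /var/log/messages | squelch_tarpit_noise | logger -n ...

# squelch_tarpit_noise: read syslog lines on stdin, print all lines except
# "Packet log: input DENY" entries whose SRC:SPORT DST:DPORT pair appeared in
# an earlier "LaBrea: Teergrubing: SRC SPORT -> DST DPORT" line. Keying on
# the full pair means the retransmitted SYNs of a tarpitted connection are
# suppressed, while a new probe from the same source to another port shows.
squelch_tarpit_noise() {
    awk '
    /LaBrea: Teergrubing: / {
        # fields after "Teergrubing:" are SRC SPORT -> DST DPORT
        for (i = 1; i <= NF; i++)
            if ($i == "Teergrubing:") {
                tarpitted[$(i+1) ":" $(i+2) " " $(i+4) ":" $(i+5)] = 1
                break
            }
    }
    /kernel: Packet log: input DENY / {
        # fields after PROTO=n are SRC:SPORT DST:DPORT
        for (i = 1; i <= NF; i++)
            if ($i ~ /^PROTO=/) {
                k = $(i+1) " " $(i+2)
                if (k in tarpitted) next
                break
            }
    }
    { print }'
}

# Constructed sample in the format of the excerpt above (documentation
# addresses, not real hosts): one tarpitted connection, three of its
# retransmits, then a fresh probe from the same source to another port.
SAMPLE_LOG='Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 198.51.100.23 4427 -> 203.0.113.41 21
Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4427 203.0.113.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67)
Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4427 203.0.113.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67)
Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4427 203.0.113.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67)
Feb 27 05:44:30 firewall kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4500 203.0.113.41:25 L=40 S=0x00 I=17000 F=0x4000 T=25 (#67)'

# Stand-alone run: prints the Teergrubing line and the fresh probe only.
printf '%s\n' "$SAMPLE_LOG" | squelch_tarpit_noise
```

The table of tarpitted pairs lives only for the life of the awk process, which is the right scope for a long-running pipe on the firewall; a tarpitted connection that LaBrea reports again after a restart simply gets re-added.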

Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-02-27 Thread Michael D. Schleif


Charles Steinkuehler wrote:
> 
> > We have a DCD setup, including a proxy dmz.
> >
> > SNMP queries work everywhere, excepting systems residing on that dmz.
> > Let me clarify that: snmp queries respond properly from clients inside
> > the private network; but, *not* from the DCD firewall nor internet
> > hosts.
> >
> > Running iptraf on the firewall, we see the snmp queries properly
> > forwarded to the dmz host; but, *nothing* returns from that host.
> > Instead, we see a flurry of these:
> >
> >  ICMP; lo; 99 bytes; from bluetrout.private.network \
> > to bluetrout.private.network; dest unrch (port)
> >
> > Notice that bluetrout is the firewall.
> >
> > We're unclear as to why snmp queries have anything to do with icmp.
> >
> > What is going on here?  What are possible solutions?
> >
> > What do you think?
> 
> Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly?

Yes -- that's how it works everywhere, excepting the dmz . . .

> Since it sounds like the packets may actually be getting to the DMZ host, do
> you maybe have a network configuration issue on that system?

Actually, it is two (2) systems (netware ;<) on that dmz . . .

> Your error report lacks enough detail for me to figure out exactly what's
> happening...not only am I unfamiliar with iptraf output (more of a tcpdump
> man), IP addresses would be more helpful (does the above really indacate
> your firewall is pinging itself over the loopback interface, like I think it
> does?), as well as other details (like details on the packets that you think
> were OK and went through to the DMZ host).

I was not certain what it is that you want to see -- see below.

> If your local net can see SNMP services on the DMZ host (you indicate it
> can), but the firewall cannot, something wierd is going on.  The internal
> snmp requests should be using the same query IP as the firewall, since the
> internal net is masqueraded to the DMZ.  Are your firewall rules blocking
> anything?  Did you remember to check (watch the byte/packet counts before
> and after trying to access your non-working service)?

tcpdump output, run on the local DCD :

[1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66)
via DCD external port (w.x.z.157)

14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:13.592798 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:13.593156 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:13.621180 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:14.607662 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:14.608002 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:14.629095 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:15.611646 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:15.611993 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:15.630231 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:16.623665 a.b.c.d.64861 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:16.624025 w.x.z.157.64943 > a.b.c.d.64861:  udp 107
14:47:16.647831 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]



[2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66)
via DCD dmz port (w.x.z.157)

14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity
GetResponse(3)[|snmp]
14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity
GetResponse(3)[|snmp]
14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:07.689494 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:07.689727 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity
GetResponse(3)[|snmp]
14:50:07.707398 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:08.702497 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:08.702724 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity
GetResponse(3)[|snmp]
14:50:08.721155 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:09.712075 a.b.c.d.64919 > w.x.y.66.161:  C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:09.712311 w.x.y.66.161 > a.b.c.d.64919:  C=privateCommunity
GetR

Re: [Leaf-user] A(nother) security question (was angry and venting)

2002-02-27 Thread Matt Schalit

[EMAIL PROTECTED] wrote:
> 
> > Ok.  That's better than their being always on.  A DMZ for your
> > servers would be safer, but is not necessary.
> >
> 
> As soon as I'm able to get DSL, I'll be setting up a DMZ for my servers.  A
> question: what are the pros and cons of using a third NIC on my Oxygen box
> for a DMZ to setting up a second Oxygen box and having both internal and
> external firewalls?  


Using two separate firewalls is much better than three nics in one.
 
  1)  You would be following "least privilege."  The systems have only
  enough privileges to do what they have to.  Either protect
  a server or protect your internal network.  Each firewall is
  responsible for a little.

  2)  You could be following "defense in depth."  You have redundant
  systems backing each other up.  If one part falls, you still
  have the second strongly defended firewall.

  3)  You'd have two "choke points," giving two very narrow, difficult,
  disparate channels the attacker has to go through that are being
  watched very carefully by you.

  4)  You'd have isolated the "weakest link," the server, between
  two different firewalls.

  5)  You'd have a failsafe stance, where one firewall could fail,
  but you'd have the other, still protecting the network.

  6)  You'd have reduced the complexity of each firewall, when it
  only has two nics.  A simple system is easier to deploy, and
  it is easier to recognize any inappropriate behavior on it.

  7)  There's no single vulnerable point that would compromise
  the internal network.

  8)  If someone compromises a server on the DMZ with
  two firewalls, the attacker can only sniff the DMZ,
  not the sensitive internal network.


  The preferred method is to use two different hardware systems.
One could be a LEAF, the other a Cisco or FreeBSD.  The worst thing 
is to use identical firewalls with identical root passwords.  Crack 
one, and the other's cracked, you can imagine.




> Beside the fact that having two firewalls for a home
> network would be overkill... :)

It's only overkill until you lose a few years of work :)


 
> I haven't upgraded to the recent Oxygen yet (.8 I think?  Maybe x.8 --- I
> don't remember), 

1.8.1

Regards,
Matthew


> and I'm using Seawall for my firewall rules.  Seawall has
> built-in support for DMZ networks, so it would (should, anyway) be fairly
> trivial to set up a DMZ on a third NIC.  At some point in time, I'll also
> be upgrading to a 2.4.x kernel and using either Shorewall or Openwall.
> 
> While I'm asking, has anyone tried a halted firewall with a LEAF distro?
> It's a cool concept: http://www.samag.com/print/documentID=20294
> 




[Leaf-user] RE: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Sandro Minola

Hi Charles, hi all
 
> Good for you that you question rather than simply believe...
Ahh.. OK :)

> > Unfortunately, you can't define in which chain rules go. (Watchguard
> > Fireboxes run on a highly modified kernel 2.0.38)
> > I don't know in which chain the organize their DMZ stuff.

> Ah...with a 2.0 series kernel, you do *NOT* have a very 
> flexible platform.
> As there are things you can do with 2.4 kernels and iptables that are
> difficult or impossible with ipchains, there's a *LOT* you 
> can't do with a
> 2.0 kernel's packet filtering.  I'm not familiar enough with 
> the 2.0 stuff
> to know for sure, but that could very well be why a proxy-arp based DMZ
> isn't as secure.  If so, just note that it's an artificial
> limitation of the
> firewall, and not a basic problem with the topology.
 
Please note that, according to my trainer, Watchguard doesn't use a
standard 2.0 kernel at all. They rewrote the whole TCP/IP stack
and the firewalling part. I don't know how far this is true. I'm 
sure they've still some parts of the original 2.0 code in their stack.
 
I'll ask her for more details and let you know.
 
---
Sandro Minola   | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola 
 




[Leaf-user] DCD, proxy dmz, snmp & icmp ???

2002-02-27 Thread Michael D. Schleif


We have a DCD setup, including a proxy dmz.

SNMP queries work everywhere, excepting systems residing on that dmz. 
Let me clarify that: snmp queries respond properly from clients inside
the private network; but, *not* from the DCD firewall nor internet
hosts.

Running iptraf on the firewall, we see the snmp queries properly
forwarded to the dmz host; but, *nothing* returns from that host. 
Instead, we see a flurry of these:

 ICMP; lo; 99 bytes; from bluetrout.private.network \
to bluetrout.private.network; dest unrch (port)

Notice that bluetrout is the firewall.

We're unclear as to why snmp queries have anything to do with icmp.

What is going on here?  What are possible solutions?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .




[Leaf-user] Question of principle: Are ProxyARP DMZ insecure?

2002-02-27 Thread Sandro Minola

Hi all

I'm currently in a Watchguard training. I'm going to make the WCP
Certificate.

The trainer told me that the "Drop-In configuration" (ProxyARP DMZ) is less
secure than the routed DMZ. I didn't say anything and thought "Uh, really?
Why?".

Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
Are there even any security-related differences?

She told me that staticNAT with a private DMZ is the better solution if you
want to save public IPs. I don't think so.
I think I'd run into problems with special applications/protocols if using
staticNAT (passiveFTP, PPTP?)

Discussion is opened

---
Sandro Minola   | LEAF Developer (http://leaf.sourceforge.net)
mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED]
http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola





Re: [Leaf-user] PPPoE or Ethernet

2002-02-27 Thread Victor McAllister

[EMAIL PROTECTED] wrote:

> I have the opportunity to setup a firewall for a local
> non-profit organization.  They want Internet access for
> their office.  Both Cable and DSL are available in their
> area.  Prices and speed seem comparable.  I have been
> using Eiger and Dach 'steins for years with a cable
> connection.  I have not used DSL or PPPoE.  Are there
> any advantages/disadvantages with either option?  Thanks
> for your opinions!  I am mostly concerned with ease of
> administration.
>
> Sean
>

I recently helped a friend set up a DachsteinCD on PPPoE.  I don't like
the PPPoE protocol, but it was easy to setup and he runs services
through it.  We established a free dns name and used ez-ipupd.lrp.
That way he could access his network from the outside by name even
when the ip changes.  PPPoE makes the router processor work a lot
harder since it has to repackage the packets to ethernet so it is
advisable to run a pentium on the router.  Some PPPoE providers use
this protocol to do things that are not in the interests of the user.
Actually the principal reason why a provider chooses PPPoE is to limit
and control you rather than give you unlimited access.

Cable on the other hand is probably faster.  Things to remember on a
cable is that every 13 year old on the cable loop with a sniffer may
be reading your unencrypted mail.  Cable systems sometimes block port
80 etc so you need to talk to users of the system.

Choosing an internet provider is not unlike choosing a wife.  You may
get stuck with an unwise choice (if you sign with them for a year)
that treats you like merchandise.  I would recommend taking the time
to find knowledgeable people who use both services.  A good isp, like
a good wife, is worth taking the time to find the right one.

Victor McAllister






Re: [Leaf-user] PPPoE or Ethernet

2002-02-27 Thread seanecovel

In this case, I have convinced them to host their 
Website and Email with a service.  The local access 
would be for Email access (POP) and Web browsing only.

The local DSL provider (SNET telco) uses PPPoE last I 
checked.  None of the local cable providers do.  Good 
point about checking with the locals about service 
quality.  I think SNET is oversold.  The local cable 
provider (in my area at least) recently capped it at 
1500/128.  Their area may differ...


Mostly I was concerned with PPPoE, since I have no 
experience with that type of connection.  Ethernet is a 
no-brainer.

Thanks!

Sean
> At 01:27 PM 2/27/02 +, [EMAIL PROTECTED] wrote:
> >I have the opportunity to setup a firewall for a local 
> >non-profit organization.  They want Internet access for 
> >their office.  Both Cable and DSL are available in their 
> >area.  Prices and speed seem comparable.  I have been 
> >using Eiger and Dach 'steins for years with a cable 
> >connection.  I have not used DSL or PPPoE.  Are there 
> >any advantages/disadvantages with either option?  Thanks 
> >for your opinions!  I am mostly concerned with ease of 
> >administration.
> 
> Before you can recommend a solution to them, you need to find out more about
> what they want. "They want Internet access for their office" has too many
> meanings to serve as a guide.
> 
> The important question is whether they want to make services (like an onsite
> Web server) available on the Internet. If they do, you want to recommend
> that they get either (a) a service that offers static addresses -OR- (b) one
> that offers dynamic addresses that don't change very often (making use of
> dynamic-DNS service easier and more reliable). The first is better, but the
> second will be cheaper, and since non-profits rarely have more money than
> they know what to do with, cost may be a big issue for them.
> 
> If you need to opt for (b) above, this *probably* means going with cable. My
> experience is that cable/DHCP leases change relatively rarely, while
> DSL/PPPoE leases change multiple times per day. But those observations are
> generalizations, and you need to find out what is true in your area.
> 
> If they only need outgoing service, this consideration does not apply. LEAF
> variants now support both DHCP addressing (used by cable-modem providers)
> and PPPoE addressing (used by most DSL providers), but do allow for the fact
> that PPPoE requires a bit higher level of hardware than true Ethernet-based
> connections.
> 
> The last thing to think about is service quality, both the frequency of
> interruptions and the actual speed delivered. Cable connections use shared
> bandwidth (they are functionally like a hub-based LAN in this respect), so
> the actual speed delivered can be much lower (or, occasionally, higher) than
> the service's nominal speed. DSL is point to point, so the promised speed
> will be the real speed ... between the client site and the ISP. But
> bandwidth is shared *after* that point, and can be underprovisioned by a DSL
> ISP as easily as by a cable ISP. There is no general answer to this one; you
> need to ask around locally to find out what the specific providers you are
> considering actually do.
> 
> Aside from that, the only advantage I can see to DSL is that you are likely
> to have multiple DSL-based ISPs in your area, but only one cable-based ISP.
> My observation is that this is an advantage of DSL only in theory, though,
> as the low-price DSL provider always seems to be the telco.
> 
> 
> --
> "Never tell me the odds!"---
> Ray Olszewski-- Han Solo
> Palo Alto, CA  [EMAIL PROTECTED]
> 
> 




Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread guitarlynn

On Wednesday 27 February 2002 10:14, Simon Bolduc wrote:

> 2.  Create /etc/LaBrea.scr   it should contain the following:
>
> #!/bin/sh
>
> IPADDR=`ip addr list label eth0 | grep inet | \
> sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`
>
> sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf


Nice script. 

If you want something Dachstein specific that takes
the external ip addy and service ports from /etc/network.conf
let me know. 

It would eliminate the need to enter these ports twice in the config.

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Simon Bolduc

This is from the mailing list (modified slightly) - it is a little script 
that greps your external IP and reconfigures LaBrea on an IP change:

1.  Create /etc/LaBrea.in  have it contain the following:

dst host 
 and tcp[2:2] & 0xfc00 == 0
 and not dst port (port # of any services you run that use ports below 
1024 like ssh or ftp or www)

2.  Create /etc/LaBrea.scr   it should contain the following:

#!/bin/sh

IPADDR=`ip addr list label eth0 | grep inet | \
sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'`

sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf


3.  Allow LaBrea.scr to be executable:

chmod 744 /etc/LaBrea.scr

4.  Edit the dhclient-exit-hooks with the following changes:

# Reload networking to see new address
   reload_all

Add a few lines so you have

# Reload networking to see new address
   reload_all
   /etc/LaBrea.scr
   svi LaBrea stop
   svi LaBrea start

5.  Back up dhclient and LaBrea - all done :)

Just so you know the filter will block all ports below 1024 (which are the 
ports that are normally denied automatically by Dachstein), make sure you 
aren't running any services on those ports - or alter the bpf accordingly.  
If you only have one IP address like I do here are the options that I use to 
make sure my box doesn't proactively look for unused IPs (contained in the 
LaBrea startup script):

OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf"


Also everything is case sensitive in Linux - thus labrea and LaBrea are two 
totally different words to the OS - so make sure you are typing things 
correctly.  You may just want to cut and paste.


HTH
S



>From: "Craig Caughlin" <[EMAIL PROTECTED]>
>To: "LEAF" <[EMAIL PROTECTED]>
>Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses?
>Date: Wed, 27 Feb 2002 07:33:33 -0800
>
>Hi folks,
>I'm confused (what else is new :-) ). Will LaBrea work with the "default"
>Dachstein CD (which acts as both a DHCP client & Server)? or would I need to
>change DCD for static addresses? I have my generic, Dachstein CD working
>O.K., and would like to incorporate LaBrea...but I can't seem to figure out
>if it will work with the default DCD. Thank you, have a great day!
>
>Craig
>
>
>




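A complete version of the address-substitution script from the steps above, added here as an example; it is not the post's script and not LaBrea's own code. The list archive dropped the placeholder that the post's sed command replaced in /etc/LaBrea.in, so this version assumes a token of its own, @EXTIP@, in the template. It also refuses to write the filter when no usable IPv4 address is found, so a failed DHCP lease cannot produce a filter with an empty or garbled host field. The eth0 interface, the sample `ip addr` output and the template (ssh and www excluded from the tarpit) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the list post's script nor LaBrea's own code.
# Rebuilds the LaBrea BPF filter from a template whenever the external
# address changes. Assumptions: the template marks the address with the
# token @EXTIP@ (the archive lost the post's own placeholder), the
# external interface is eth0, and the sample inputs below are constructed.

TOKEN='@EXTIP@'

# Print the first IPv4 address found in `ip addr` output read from stdin.
# Only "inet " lines are considered, so "inet6" lines never match.
extract_ipv4() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/.*$/\1/p' | sed '1!d'
}

# Accept only four dotted-decimal octets in 0..255, so an empty or garbled
# value from a failed lease can never reach the filter file.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Substitute the address for the token in the template read from stdin.
render_bpf() {
    sed "s/$TOKEN/$1/g"
}

# What dhclient-exit-hooks would call on the firewall (not run in the demo).
build_filter() {
    addr=$(ip addr list label eth0 | extract_ipv4)
    valid_ipv4 "$addr" || { echo "LaBrea: no usable IPv4 on eth0" >&2; return 1; }
    render_bpf "$addr" < /etc/LaBrea.in > /etc/LaBrea.bpf
}

# Constructed `ip addr` output for the offline demonstration.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# Template matching the post's /etc/LaBrea.in, with the assumed token and
# ssh and www excluded from the tarpit.
SAMPLE_TEMPLATE='dst host @EXTIP@
 and tcp[2:2] & 0xfc00 == 0
 and not (dst port 22 or dst port 80)'

# Offline demonstration: extract, validate, render.
demo() {
    addr=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | extract_ipv4)
    valid_ipv4 "$addr" || return 1
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_bpf "$addr"
}

demo
```

On the firewall, `build_filter` takes the place of the post's one-line sed and would be called from dhclient-exit-hooks before the `svi LaBrea stop`/`start` pair; its non-zero return is the signal to leave the old filter in place rather than restart LaBrea with a bad one.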





Re: [Leaf-user] shell script problem

2002-02-27 Thread Ray Olszewski

You need to use backticks (`) around ls, not single-quotes ('), to
accomplish what you probably want. The script as written below works correctly.

At 04:10 PM 2/27/02 +0100, sylvain pelletier wrote:
>Hi,
>
>I would like to make a little script in sh on my lrp (Dachstein version)
>
>and i can't do this :
>
>for file in 'ls' ; do
>echo "$file"
>done
>
>the echo response is: ls
>
>what's wrong, the problem comes from lrp???



--
"Never tell me the odds!"---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]
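The quoting rules Ray describes, shown as an added example that is not part of the thread: the three spellings of the loop run against a constructed scratch directory. `$(...)` is the POSIX form of backticks and behaves the same way; the directory and file names are constructed for the demonstration, and one name contains a space to show why parsing `ls` output is unreliable and a glob is the idiomatic choice.

```shell
#!/bin/sh
# Added example, not from the list thread: single quotes, command
# substitution and a glob, counted against a constructed directory.

# Make a scratch directory with three entries, one containing a space.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/alpha"
    : > "$d/beta"
    : > "$d/gamma delta"
    printf '%s\n' "$d"
}

# Single quotes: the word is literally "ls", so the loop runs exactly once
# and echoes "ls", which is what Sylvain saw.
count_literal() {
    n=0
    for f in 'ls'; do n=$((n + 1)); done
    echo "$n"
}

# Command substitution (what backticks do): the output of ls is split on
# whitespace, so "gamma delta" becomes two iterations and the count is wrong.
count_via_ls() {
    n=0
    for f in $(cd "$1" && ls); do n=$((n + 1)); done
    echo "$n"
}

# Glob: each name stays one word, spaces included, and nothing is parsed.
count_via_glob() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

dir=$(make_sample_dir)
echo "literal 'ls':        $(count_literal) iteration"
echo "\$(ls) substitution:  $(count_via_ls "$dir") iterations for 3 files"
echo "glob:                $(count_via_glob "$dir") iterations for 3 files"
rm -rf "$dir"
```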






[Leaf-user] Will LaBrea work with dynamic IP addresses?

2002-02-27 Thread Craig Caughlin

Hi folks,
I'm confused (what else is new :-) ). Will LaBrea work with the "default"
Dachstein CD (which acts as both a DHCP client & Server)? or would I need to
change DCD for static addresses? I have my generic, Dachstein CD working
O.K., and would like to incorporate LaBrea...but I can't seem to figure out
if it will work with the default DCD. Thank you, have a great day!

Craig






Re: [Leaf-user] PPPoE or Ethernet

2002-02-27 Thread Ray Olszewski

At 01:27 PM 2/27/02 +, [EMAIL PROTECTED] wrote:
>I have the opportunity to setup a firewall for a local 
>non-profit organization.  They want Internet access for 
>their office.  Both Cable and DSL are available in their 
>area.  Prices and speed seem comparable.  I have been 
>using Eiger and Dach 'steins for years with a cable 
>connection.  I have not used DSL or PPPoE.  Are there 
>any advantages/disadvantages with either option?  Thanks 
>for your opinions!  I am mostly concerned with ease of 
>administration.

Before you can recommend a solution to them, you need to find out more about
what they want. "They want Internet access for their office" has too many
meanings to serve as a guide.

The important question is whether they want to make services (like an onsite
Web server) available on the Internet. If they do, you want to recommend
that they get either (a) a service that offers static addresses -OR- (b) one
that offers dynamic addresses that don't change very often (making use of
dynamic-DNS service easier and more reliable). The first is better, but the
second will be cheaper, and since non-profits rarely have more money than
they know what to do with, cost may be a big issue for them.

If you need to opt for (b) above, this *probably* means going with cable. My
experience is that cable/DHCP leases change relatively rarely, while
DSL/PPPoE leases change multiple times per day. But those observations are
generalizations, and you need to find out what is true in your area.

If they only need outgoing service, this consideration does not apply. LEAF
variants now support both DHCP addressing (used by cable-modem providers)
and PPPoE addressing (used by most DSL providers), but do allow for the fact
that PPPoE requires a somewhat higher level of hardware than true Ethernet-based
connections.

The last thing to think about is service quality, both the frequency of
interruptions and the actual speed delivered. Cable connections use shared
bandwidth (they are functionally like a hub-based LAN in this respect), so
the actual speed delivered can be much lower (or, occasionally, higher) than
the service's nominal speed. DSL is point to point, so the promised speed
will be the real speed ... between the client site and the ISP. But
bandwidth is shared *after* that point, and can be underprovisioned by a DSL
ISP as easily as by a cable ISP. There is no general answer to this one; you
need to ask around locally to find out what the specific providers you are
considering actually do.

Aside from that, the only advantage I can see to DSL is that you are likely
to have multiple DSL-based ISPs in your area, but only one cable-based ISP.
My observation is that this is an advantage of DSL only in theory, though,
as the low-price DSL provider always seems to be the telco.


--
"Never tell me the odds!"---
Ray Olszewski-- Han Solo
Palo Alto, CA[EMAIL PROTECTED]






[Leaf-user] shell script problem

2002-02-27 Thread sylvain pelletier

Hi,

I would like to make a little script in sh on my lrp (Dachstein version)

and i can't do this :

for file in 'ls' ; do
echo "$file"
done

the echo response is: ls

what's wrong, the problem comes from lrp???

Thanks
Sylvain






[Leaf-user] PPPoE or Ethernet

2002-02-27 Thread seanecovel

I have the opportunity to setup a firewall for a local 
non-profit organization.  They want Internet access for 
their office.  Both Cable and DSL are available in their 
area.  Prices and speed seem comparable.  I have been 
using Eiger and Dach 'steins for years with a cable 
connection.  I have not used DSL or PPPoE.  Are there 
any advantages/disadvantages with either option?  Thanks 
for your opinions!  I am mostly concerned with ease of 
administration.

Sean




RE: [Leaf-user] ISDN modem choices?

2002-02-27 Thread Peter Stokes

Hi Richard

I use an ISDN T/A which emulates a normal modem (AT command set) so you can
use a serial port and standard modem stuff without having to worry about a
separate isdn driver. There are several around and most offer 128Kbits from
memory as an option.

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dr. Richard
W. Tibbs
Sent: 26 February 2002 18:26
To: [EMAIL PROTECTED]
Subject: [Leaf-user] ISDN modem choices?


Anybody had any luck with ISDN modems and Dachstein?
I would like to take an old IBM Aptiva and make an ISDN firewall/router
out of it. This is for a friend who lives where no cable or dsl is
available (or probably ever will be). But, Bellsouth can supply 128K ISDN.

I will probably use Dachstein/Floppy, which has worked well for me
before. I just want to select the least difficult ISDN modem card to use.

Any suggestions?
TIA.


--
Dr. Richard W. Tibbs
Oak City Networks & Solutions
P.O. Box 10292
Raleigh NC 27605
919.510.9551





Re: [Leaf-user] newbie question (Bering/2.4/IDE)

2002-02-27 Thread Brad Fritz


On Tue, 26 Feb 2002 14:48:09 CST Adrian wrote:

> Hi all...I had successfully finished a previous install with a 2.2.19-IDE
> kernel and run from a small IDE HD.  

Cool.
 
> What I would like to do is repeat this with a 2.4 kernel (currently messing
> around with Bering Beta4...no probs running from floppy).  What do I need to
> do to make this run from a hard drive? 
> 
> I'm hoping for something other than "compile a 2.4 kernel with IDE support
> enabled", but I'll try to if I have no choice (severe lack of experience
> with compiling a kernel on my own).

Compiling a 2.4 kernel with IDE support using Jacques' kernel
config [1] as a starting point shouldn't be too bad.  For an
alternative solution, read on...

> Is there a 2.4-IDE kernel out there?  Am I stupid, and there's some simple
> config option to make the Bering 2.4 kernel boot from my HD?

I recently setup Bering (beta 3) on a compact flash card plugged
into a CF-to-IDE adaptor.  I use the stock kernel with the
IDE modules loaded via the initrd image.  This isn't necessarily
easier than recompiling the kernel, but if you *really* want to
avoid re-compiling the kernel, the procedure below should work.

Disclaimer:
This is mostly from memory, so there may be a few mistakes.  I am
also assuming the hard disk is /dev/hdc and is temporarily
installed in a full-blown Linux system for installation of Bering.

  1. Format a partition of your HDD with an MS-DOS filesystem
     as described in Charles' LRP Hard Disk HOWTO [2] or with
 the Linux fdisk and mkfs.msdos commands [3].

  2. Mount a copy of the Bering image somewhere convenient:

   mount -o loop /tmp/bering-1680-b4.bin /mnt/disk/

  3. Uncompress a copy of the Bering initrd.lrp:

   gunzip -c < /mnt/disk/initrd.lrp > /tmp/initrd

  4. Mount the uncompressed ramdisk image:

   mount -o loop /tmp/initrd /mnt/initrd

  5. Copy the ide-disk.o, ide-mod.o, and ide-probe-mod.o modules
 from the ide directory of Jacques' modules directory [4] to
 the mounted initrd image:

   cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \
  /mnt/initrd/boot/lib/modules/

  6. Add lines to boot/etc/modules of the initrd image to load
 the ide modules:

   echo ide-mod   >> /mnt/initrd/boot/etc/modules
   echo ide-disk  >> /mnt/initrd/boot/etc/modules
   echo ide-probe-mod >> /mnt/initrd/boot/etc/modules

  7. Unmount the initrd image:

   umount /mnt/initrd

  8. Mount the MS-DOS partition you created on the hard drive:

   mount /dev/hdc1 /mnt/newdisk

  9. Copy all files from the Bering image to the new disk:

   cp /mnt/disk/* /mnt/newdisk

 10. Replace the old initrd.lrp with the new one:

   gzip -9 < /tmp/initrd > /mnt/newdisk/initrd.lrp

 11. Edit syslinux.cfg on the new disk and change the fd0u1680
 references to hdc1.

 12. Unmount the hard drive:
   umount /mnt/newdisk

 13. Run syslinux on the hard drive partition:

   syslinux /dev/hdc1

 14. Cross your fingers and try to boot from the new image. :)
 If you run into problems, setting the VERBOSE and DEBUG
 flags in /linuxrc (in the initrd file system) may help
 debugging them.


> I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual
> EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD.
> 
> Any info is *greatly* appreciated.

I've probably missed a few details here or there, but it should
give you an idea for an approach that doesn't require a kernel
recompile, although recompiling the kernel with IDE support is
probably less work. ;)

--Brad

[1] http://leaf.sourceforge.net/devel/jnilo/bering/beta4/bering-b4.config
[2] http://lrp.steinkuehler.net/Documentation/LRPHardDiskHOWTO.txt
[3] I had trouble getting the mkfs.msdos created filesystem to boot
correctly using syslinux, but it was probably due to an error on
my part.
[4] http://leaf.sourceforge.net/devel/jnilo/bering/beta4/modules/drivers/ide/


> TIA
> 
> Adrian
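Brad's steps 2 through 13 collected into one script, added here as an example; it is not Brad's code and not the Bering project's. It assumes the same paths as the post (/dev/hdc1, /mnt/disk, /mnt/initrd, /mnt/newdisk, the three module files in /tmp) and that step 1, formatting the partition, has already been done. It stops at the first failed mount or missing file instead of leaving a half-built disk, and the modules-file helper appends a name only when it is not already listed, so the script can be re-run safely.

```shell
#!/bin/sh
# Added example, not Brad's or the Bering project's code: the procedure from
# the post as one script with checks. Assumed paths (as in the post):
# /dev/hdc1, /mnt/disk, /mnt/initrd, /mnt/newdisk, module files in /tmp.
set -e

# Append a module name to a modules file only if it is not already listed,
# so re-running the script does not duplicate entries (step 6).
add_module_once() {
    mod=$1
    file=$2
    [ -f "$file" ] || : > "$file"
    grep -qx "$mod" "$file" || echo "$mod" >> "$file"
}

# Change fd0u1680 references to the new boot partition name (step 11);
# reads the old syslinux.cfg on stdin and writes the new one on stdout.
rewrite_syslinux_cfg() {
    sed "s/fd0u1680/$1/g"
}

# Full sequence, steps 2 to 13. Must run as root on the build host.
# Usage: install_bering /tmp/bering-1680-b4.bin /dev/hdc1
install_bering() {
    image=$1
    part=$2
    partname=${part#/dev/}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -f "$image" ] || { echo "missing image $image" >&2; return 1; }
    for m in ide-mod ide-disk ide-probe-mod; do
        [ -f "/tmp/$m.o" ] || { echo "missing /tmp/$m.o" >&2; return 1; }
    done
    mkdir -p /mnt/disk /mnt/initrd /mnt/newdisk
    mount -o loop "$image" /mnt/disk                     # step 2
    gunzip -c < /mnt/disk/initrd.lrp > /tmp/initrd       # step 3
    mount -o loop /tmp/initrd /mnt/initrd                # step 4
    cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \
        /mnt/initrd/boot/lib/modules/                    # step 5
    for m in ide-mod ide-disk ide-probe-mod; do          # step 6, in load order
        add_module_once "$m" /mnt/initrd/boot/etc/modules
    done
    umount /mnt/initrd                                   # step 7
    mount "$part" /mnt/newdisk                           # step 8
    cp /mnt/disk/* /mnt/newdisk                          # step 9
    gzip -9 < /tmp/initrd > /mnt/newdisk/initrd.lrp      # step 10
    rewrite_syslinux_cfg "$partname" < /mnt/newdisk/syslinux.cfg \
        > /tmp/syslinux.cfg.new                          # step 11
    mv /tmp/syslinux.cfg.new /mnt/newdisk/syslinux.cfg
    umount /mnt/newdisk                                  # step 12
    umount /mnt/disk
    syslinux "$part"                                     # step 13
    echo "done; boot from $part (step 14)"
}
```

The `set -e` at the top is what turns a failed loop mount or a copy onto a full partition into a stop rather than a silently wrong image; the two helpers are separated out so they can be checked on their own before anything is mounted.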




RE: [Leaf-user] dhclient interferes with weblet

2002-02-27 Thread Keith Laidlaw

Excellent suggestions for gathering data, Charles.  Unfortunately, data
indicates that nothing changes (with respect to those commands).

I still believe that it is related to changing the eth1 net to
192.168.3.0/24 because I have a similar system unchanged that doesn't fail
(mind you, it has w2k not w95 on the internal net).

I made one other discovery.  If I change the hosts.allow to:

sh-httpd: 0.0.0.0/0.0.0.0
sshd: 0.0.0.0/0.0.0.0

then I no longer have the problem!!!  BUT in the original failure, I didn't
get any such message as "connection refused" (or whatever it is when
hosts.deny disallows) in the logs.  VERY strange.  It's as if a cached copy
of hosts.allow is set for

ALL: 192.168.1.0/255.255.255.0
(as opposed to the "real"
ALL: 192.168.3.0/255.255.255.0

and it reverts to the cached copy when dnscache is restarted and rereads the
actual file when dhclient assigns an ip address???

Urgency is gone as I wanted to open up hosts.allow anyway.  I just hate to
think that there may be a problem lurking that may bite me later (e.g. when
I wish to tighten hosts.allow in the future?).

Any further ideas or diagnostics?

Keith

> -Original Message-
> From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 3:37 PM
> To: Keith Laidlaw
> Cc: LEAF
> Subject: Re: [Leaf-user] dhclient interferes with weblet
>
>
> > To the best of my knowledge (using winipcfg), all settings are
> same (since
> > they come from dhcpd and the conf file doesn't change.
> >
> > What I mean by "access" is that I can always ping 192.168.3.254
> but can't
> > get the web page by typing in the url "http://192.168.3.254" in
> IE5.0.  I
> > get a long, long delay with hourglass (2minutes?) followed by
> an IE error
> > page (unable to something or other... sorry, don't know exactly and the
> > system is setup is elsewhere).
> >
> > Can't remember exactly but I think there were no entries at all in the
> logs.
> > Pretty sure of that.
>
> OK, so you re-load dnscache, and your internal system can't see the weblet
> server...is that correct?  What about the rest of the internet...can you
> ping/web-browse by IP and/or domain name to the internet in general?
>
> If you want to try to track down what's wrong, it's probably time to start
> gathering data.  Run the following commands and store the output:
>
> On the firewall:
> ip addr
> ip route
> ip neigh
> netstat -an
> net ipfilter list
>
> On the internal machine (NOTE: these are the commands for WinNT/2000...if
> you're using 9x you may have to translate):
> ipconfig /all
> arp -a
>
> Record the output in the normal (everything working) state, then
> again when
> you restart dnscache (and break the internal systems weblet access), and
> finally when everything is working again, after you release/renew
> your dhcp
> lease.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
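To see exactly which clients each of the hosts.allow variants in this thread admits, here is a small evaluator for the net/mask form of tcp_wrappers patterns, added as an example; it is not code from the thread or from tcp_wrappers itself. A client matches a `net/mask` pattern when the bitwise AND of the client address and the mask equals `net`, and `ALL` matches anything. The three access lists, the daemon names and the client addresses are constructed from what Keith describes; host-name patterns and EXCEPT clauses are not modelled. It makes the difference plain between the stale 192.168.1.0/255.255.255.0 entry (which denies every 192.168.3.x client) and the 0.0.0.0/0.0.0.0 entry, which admits every address on every interface, external included.

```shell
#!/bin/sh
# Added example; not code from the thread or from tcp_wrappers. Evaluates
# the net/mask form of hosts.allow against a client address so you can see
# which clients a line admits. Daemon names and addresses are constructed;
# host names and EXCEPT are not modelled.

# Dotted-quad IPv4 to a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# tcp_wrappers semantics for a "net/mask" pattern: the client matches when
# (client AND mask) equals net. The wildcard ALL always matches.
pattern_matches() {
    client=$1
    pattern=$2
    case "$pattern" in
        ALL) return 0 ;;
        */*) net=${pattern%/*}; mask=${pattern#*/} ;;
        *) return 1 ;;
    esac
    c=$(ip2int "$client")
    m=$(ip2int "$mask")
    n=$(ip2int "$net")
    [ $(( c & m )) -eq "$n" ]
}

# Read an access list on stdin and report whether DAEMON from CLIENT is
# admitted by any line of the form "daemon[,daemon]: pattern [pattern ...]".
allowed() {
    daemon=$1
    client=$2
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        names=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        patterns=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for name in $names; do
            [ "$name" = ALL ] || [ "$name" = "$daemon" ] || continue
            for pattern in $patterns; do
                pattern_matches "$client" "$pattern" && return 0
            done
        done
    done
    return 1
}

# The three lists from the thread, as constructed file contents.
HOSTS_ALLOW_LAN='ALL: 192.168.3.0/255.255.255.0'
HOSTS_ALLOW_STALE='ALL: 192.168.1.0/255.255.255.0'
HOSTS_ALLOW_OPEN='sh-httpd: 0.0.0.0/0.0.0.0
sshd: 0.0.0.0/0.0.0.0'

report() {
    list=$1; daemon=$2; client=$3; label=$4
    if printf '%s\n' "$list" | allowed "$daemon" "$client"; then
        echo "$label: $daemon from $client allowed"
    else
        echo "$label: $daemon from $client denied"
    fi
}

report "$HOSTS_ALLOW_LAN"   sh-httpd 192.168.3.5 "3.0/24 list"
report "$HOSTS_ALLOW_STALE" sh-httpd 192.168.3.5 "stale 1.0/24 list"
report "$HOSTS_ALLOW_OPEN"  sh-httpd 203.0.113.7 "0.0.0.0/0.0.0.0 list"
report "$HOSTS_ALLOW_OPEN"  dnscache 192.168.3.5 "0.0.0.0/0.0.0.0 list"
```

The last two lines of output are the ones worth noticing: with the wide-open list, sh-httpd accepts a client from outside the LAN entirely, while anything not named on a line (dnscache here) is still left to hosts.deny. If the plan is to tighten hosts.allow again later, a check like this run against the intended file is a quick way to confirm it admits the internal subnet and nothing more.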






[Leaf-user] Re: [Shorewall-users] LEAF "Bering" beta4 available

2002-02-27 Thread Christophe Zwecker

On Fri, 2002-02-22 at 00:49, Jacques Nilo wrote:
> Changelog for beta4:

looks great, are there any plans to make that available on a CD for more
space ?

I try to access the documentation page, but I get unreachable.

Best regards,

Christophe
-- 
Christophe Zwecker
:Sysctl 
Susannenstr. 26-28  
20357 Hamburg   
phon/fax: +49 40 43099296/7 
mail: [EMAIL PROTECTED]





RE: [Leaf-user] newbie question (Bering/2.4/IDE)

2002-02-27 Thread Andy McLeod

First familiarise yourself with the general methods for running from hard
disk via the excellent HOWTO on the LEAF site.

Bering's kernel has module support for IDE built in (always a good idea to
check the kernel config file which most developers provide with the dist so
you can check what is in and out of the kernel). This means that you need to
load the ide modules at boot time. The ide modules are available from
leaf.sourceforge.net/devel/jnilo/ and are called ide-mod.o, ide-disk.o and
ide-probe.mod.o. The procedure for adding modules to /boot/lib/modules is
described in the docs on Jacques' LEAF site.

Finally make sure you follow the HOWTO on the necessary changes to syslinux
and it works. How do I know? Because I happen to have done it on Monday.

Good luck

rgds/andy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Adrian
Stovall
Sent: 26 February 2002 20:48
To: LEAF (E-mail)
Subject: [Leaf-user] newbie question (Bering/2.4/IDE)


Hi all...I had successfully finished a previous install with a 2.2.19-IDE
kernel and run from a small IDE HD.

What I would like to do is repeat this with a 2.4 kernel (currently messing
around with Bering Beta4...no probs running from floppy).  What do I need to
do to make this run from a hard drive?

I'm hoping for something other than "compile a 2.4 kernel with IDE support
enabled", but I'll try to if I have no choice (severe lack of experience
with compiling a kernel on my own).

Is there a 2.4-IDE kernel out there?  Am I stupid, and there's some simple
config option to make the Bering 2.4 kernel boot from my HD?

I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual
EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD.

Any info is *greatly* appreciated.

TIA

Adrian
