Re: [Leaf-user] even more worried
By chance you didn't leave IE on when you shut down??? I've seen some banner ads run something similar to a lease type connection. Yahoo and flipside.com leave a lot of residual connections like that tied directly to Win32 clients. On Wednesday 27 February 2002 22:24, Scott C. Best wrote: > Anyone ever seen this one before: I shut down my > WinNT server today to see what TCP/IP traffic a Windows > machines makes at powerdown. That is, I was tcpdump'ing on > another LAN member. And I saw this: > > 03:29:14.553849 192.168.123.130.1853 > 209.73.225.9.80: R > 804849242:804849242(0) win 0 (DF) (ttl 128, id 7442) > 03:29:14.553965 192.168.123.130.1852 > 209.73.225.9.80: R > 804738457:804738457(0) win 0 (DF) (ttl 128, id 7698) > > I did a whois on 209.73.225.9 and it came up with > something from either "PFM Communications: or "Cydoor > Technologies" (they seem to have overlapping IP space). > > I've just started poking around to learn more > about these, check for spy-ware reports, adding -vv to the > tcpdump...but I thought I'd ask to see if anyone hear has > seen it before. > > cheers, > Scott > > PS: A Windows machine does spew some NetBIOS traffic to > the broadcast address at shutdown. :) Of course...when > *doesn't* it do that... > > > ___ > Leaf-user mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question! ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Steve, I long ago stopped logging hits on port 80, and just have them silently denied - it just made the whole messages file too hard to read - you might want to consider doing this. S _ Chat with friends online, try MSN Messenger: http://messenger.msn.com ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
Hey Craig, Well to answer your first question, ae is the editor you use, just type ae at a command prompt and you should be good, then its just +W to save the file - so you could just type the file name at the prompt /etc/LaBrea.in or whatever the file name is To edit the dhclient-exit-hooks you run lrcfg at a command prompt, then choose options "3) Package Settings", "4) dhclient" (at least its the 4th package on my box), and finally "5) dhclient-exit-hooks" after you're done editing you just hit +Q and type y to save the changes. The easiest way to copy and paste text to your box is to run Putty (at least in a windows environment). You will need to be running SSH to use this. SSH is on your Dachstein CD (assuming you're using the CD version). If you aren't running SSH already here is an (older) document that might help to get you started: http://sourceforge.net/docman/display_doc.php?docid=1441&group_id=13751 you can also check the readme.txt contained on the CD: http://lrp1.steinkuehler.net/files/diskimages/dachstein-CD/README.txt assuming you are running SSH properly and are using putty, just highlite the text you want (from the email), right click on it and choose copy. Then to paste it into the putty window right click on the window - and it automagically gets typed in. Putty tends to mess tabs up tho - so you may have some deleting to do. Putty is available here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html HTH S >From: "Craig Caughlin" <[EMAIL PROTECTED]> >To: "LEAF" <[EMAIL PROTECTED]> >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses? >Date: Wed, 27 Feb 2002 11:26:36 -0800 > >Thank you Simon and Lynn for the responses. Unfortunately, I don't quite >understand it all (I've taken a college class on Linux because I really >enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.) >First, how do I create the /etc/LaBrea.in that you refer to, and how do I >create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by >using the ae editor? 2.) How do I "edit the dhclient-exit-hooks to"? Is >that >in the network.conf file or ??? Thank you for your help, have a great >day!!! > >Craig > >P.S. How do you copy and paste with Dachstein? > > > >___ >Leaf-user mailing list >[EMAIL PROTECTED] >https://lists.sourceforge.net/lists/listinfo/leaf-user _ Send and receive Hotmail on your mobile device: http://mobile.msn.com ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] even more worried
Anyone ever seen this one before: I shut down my WinNT server today to see what TCP/IP traffic a Windows machines makes at powerdown. That is, I was tcpdump'ing on another LAN member. And I saw this: 03:29:14.553849 192.168.123.130.1853 > 209.73.225.9.80: R 804849242:804849242(0) win 0 (DF) (ttl 128, id 7442) 03:29:14.553965 192.168.123.130.1852 > 209.73.225.9.80: R 804738457:804738457(0) win 0 (DF) (ttl 128, id 7698) I did a whois on 209.73.225.9 and it came up with something from either "PFM Communications: or "Cydoor Technologies" (they seem to have overlapping IP space). I've just started poking around to learn more about these, check for spy-ware reports, adding -vv to the tcpdump...but I thought I'd ask to see if anyone hear has seen it before. cheers, Scott PS: A Windows machine does spew some NetBIOS traffic to the broadcast address at shutdown. :) Of course...when *doesn't* it do that... ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
> I'm currently in a Watchguard training. I'm going to make the WCP > Certificate. > > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is less > secure than the routed DMZ. I didn't say anything and thought "Uh, really? > Why?". Good for you! > Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ? > Are there even any security related differents? > > She told me, that staticNAT with a private DMZ is the better solution if you > want to save public IP's. I don't think so. > I think I run into problems with special applications/protocols if using > staticNAT (passiveFTP, PPTP?) > > Discussion is opened All three of the architecture you mention (static-NAT, routed, and proxy-arp) have the same basic packet flow: | Firewall - DMZ net Or possibly: | Firewall - DMZ net | Internal net The only difference between the "flavors" of DMZ you mention is what IP addresses and subnet lables get attached to each interface...the security (or lack thereof) depends entirely on what the firewall is doing with the packet data. If you've got a flexible mechanism for building firewall rules, it shouldn't matter which architecture you pick...you should be able to implement your desired firewall functionality with any of the DMZ flavors. NOTE: There are specific things you need to watch for depending on the DMZ architecture. For instance, the Dachstein firewall rules implement routed, static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are blindly accepted in the input chain (to be sorted later). If you're running static-NAT or proxy-arp, the firewall probably has an IP that overlaps with the DMZ network, so you've just potentially opened your firewall's external IP to the world with no filtering! For the curious, that's why the dmz-in and dmz-spoof ipchains are created in this situation...ip's destined for the local box are routed back through the input rule chain, while packets truly destined for the DMZ are accepted in the input chain, then filtered in the forward chain. Charles Steinkuehler [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] RE: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
Hi Charles, hi all > > I'm currently in a Watchguard training. I'm going to make the WCP > > Certificate. > > > > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is > less > > secure than the routed DMZ. I didn't say anything and thought > "Uh, really? > > Why?". > > Good for you! Good for me that I didn't say anything or good for me that I'm going to make the WCP? :) Thanks a lot for your explenation! Unfortunately, you can't define in which chain rules go. (Watchguard Fireboxes run on a highly modified kernel 2.0.38) I don't know in which chain the organize their DMZ stuff. She told me, that she'll explain the whole DMZ stuff more exactly tomorrow. Let's see if she knows what she's talking about... ;) Other opinions than Charles'? --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola > -Original Message- > From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, February 27, 2002 7:43 PM > To: Sandro Minola; Leaf-User; Leaf-Devel > Subject: Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ > insecure? > > > > > Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ? > > Are there even any security related differents? > > > > She told me, that staticNAT with a private DMZ is the better solution if > you > > want to save public IP's. I don't think so. > > I think I run into problems with special applications/protocols if using > > staticNAT (passiveFTP, PPTP?) > > > > Discussion is opened > > All three of the architecture you mention (static-NAT, routed, and > proxy-arp) have the same basic packet flow: > > > | > Firewall - DMZ net > > Or possibly: > > > | > Firewall - DMZ net > | > Internal net > > The only difference between the "flavors" of DMZ you mention is what IP > addresses and subnet lables get attached to each interface...the security > (or lack thereof) depends entirely on what the firewall is doing with the > packet data. > > If you've got a flexible mechanism for building firewall rules, > it shouldn't > matter which architecture you pick...you should be able to implement your > desired firewall functionality with any of the DMZ flavors. > > NOTE: There are specific things you need to watch for depending > on the DMZ > architecture. For instance, the Dachstein firewall rules > implement routed, > static-nat, and proxy-arp DMZ rules in the forward chain, so the > packets are > blindly accepted in the input chain (to be sorted later). If > you're running > static-NAT or proxy-arp, the firewall probably has an IP that > overlaps with > the DMZ network, so you've just potentially opened your > firewall's external > IP to the world with no filtering! For the curious, that's why the dmz-in > and dmz-spoof ipchains are created in this situation...ip's > destined for the > local box are routed back through the input rule chain, while > packets truly > destined for the DMZ are accepted in the input chain, then filtered in the > forward chain. > > Charles Steinkuehler > [EMAIL PROTECTED] > > ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Will LaBrea work with dynamic IP addresses?
Thank you Simon and Lynn for the responses. Unfortunately, I don't quite understand it all (I've taken a college class on Linux because I really enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.) First, how do I create the /etc/LaBrea.in that you refer to, and how do I create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by using the ae editor? 2.) How do I "edit the dhclient-exit-hooks to"? Is that in the network.conf file or ??? Thank you for your help, have a great day!!! Craig P.S. How do you copy and paste with Dachstein? ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Will LaBrea work with dynamic IP addresses?
Thank you Simon and Lynn for the responses. Unfortunately, I don't quite understand it all (I've taken a college class on Linux because I really enjoy this stuff, but please bear with my ignorance as I learn :-) ). 1.) First, how do I create the /etc/LaBrea.in that you refer to, and how do I create the /etc/LaBrea.scr. Do I do that from the command prompt of DCD by using the ae editor? 2.) How do I "edit the dhclient-exit-hooks to"? Is that in the network.conf file or ??? Thank you for your help, have a great day!!! Craig P.S. How do you copy and paste with Dachstein? ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Re: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
> > > The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is > > less > > > secure than the routed DMZ. I didn't say anything and thought > > "Uh, really? > > > Why?". > > > > Good for you! > > Good for me that I didn't say anything or good for me that I'm going to make > the WCP? :) Good for you that you question rather than simply believe... > Unfortunately, you can't define in which chain rules go. (Watchguard > Fireboxes run on a highly modified kernel 2.0.38) > I don't know in which chain the organize their DMZ stuff. > > She told me, that she'll explain the whole DMZ stuff more exactly tomorrow. > Let's see if she knows what she's talking about... ;) Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform. As there are things you can do with 2.4 kernels and iptables that are difficult or impossible with ipchains, there's a *LOT* you can't do with a 2.0 kernel's packet filtering. I'm not familiar enough with the 2.0 stuff to know for sure, but that could very well be why a proxy-arp based DMZ isn't as secure. If so, just note that it's an artifical limitation of the firewall, and not a basic problem with the topology. Charles Steinkuehler [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] ramdisk_size question...
Hi again all...I have a new question...I made sure (repeatedly) that I had entered "ramdisk_size=32768" in my syslinux.cfg file, however, df -k reports that /dev/root has 6144 blocks allocated (which are 100% used). How do I convince my router that it's supposed to use what I told it to? I have 256 Meg installed in this machine, so I'm fairly sure that's a valid number to use for ramdisk_size...am I missing something? I've been searching the 'net for info, and will continue to do so, but haven't found anything yet. TIA Adrian ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???
Charles Steinkuehler wrote: > > > I was not certain what it is that you want to see -- see below. > > > > tcpdump output, run on the local DCD : > > OK, this helps, but I'm still not sure what I'm looking at. Which interface > did you run the tcpdump on? I'm guessing from the packet traffic we're > looking at the upstream interface, and not the DMZ interface, but it's hard > to be sure... > > Your first case: > > > [1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external > port (w.x.z.157) > > > > 14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity > GetNextRequest(17) [|snmp] > > 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107 > > 14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 > unreachable [tos 0xc0] > > 14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity > GetNextRequest(17) [|snmp] > > 14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107 > > 14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 > unreachable [tos 0xc0] > > > This is just wacky...looks like the remote system sends an SNMP query, > followed by your firewall sending a UDP query back to the remote system. > Finally, the remote system replies with a "destination unreachable" packet, > probalby meaning inbound UDP packets are firewalled (or connection tracked). Hence, my confusion . . . > My best guess at this point is that your outbound UDP traffic is being > masqueraded, and the packet: > 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107 > is actually the SNMP response, being masqueraded by your firewall... > > NOTE: All UDP traffic (other than DNS) is masqueraded from the DMZ using > the default Dachstein firewall rules, which could explain the above traffic. > Even so, the difference between [1], above, and [2], below, has me > confused...something had to change between these two samples (or perhaps an > unnoted change in the test procedure?). Yes, same test; but, tcpdump on different interface -- see below. > Your second case: > > > [2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port > (w.x.z.157) > > > > 14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity > GetNextRequest(3)[|snmp] > > 14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity > GetResponse(3)[|snmp] > > 14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 > unreachable [tos 0xc0] > > 14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity > GetNextRequest(3)[|snmp] > > 14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity > GetResponse(3)[|snmp] > > 14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 > unreachable [tos 0xc0] > > > This looks a bit more normal...what changed between this trace and the first > trace? Your description is identical. > > Here you're seeing the SNMP request, followed by an SNMP response, and > finally the ICMP "destination unreachable" message back from the remote > host. It sure looks like "a.b.c.d" is firewalling or otherwise dropping > your response packets... a.b.c.d is an internet address on the external IF of a remote DCD, behind which is the debian potato from which I tried to snmpwalk the subject dmz hosts. > Finally, we get to: > > > [3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66) via > DCD external port (w.x.z.157) > > > > 14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity > GetNextRequest(3)[|snmp] > > 14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity > GetNextRequest(3)[|snmp] > > > Here we've got nothing but the query packets...no response traffic at all. This is local DCD to local dmz attempted snmpwalk -- identical query to the previous, remote queries. > Without knowing which port you're running tcpdump on, and some more details > about your test, I can't help much more... > > Try to forget everything you know about your network architecture, and look > at line [3], above. To me, this is saying you're trying to access your > internal DMZ host via SNMP from the firewall's external port. For one, this > doesn't really even make sense...if the firewall's talking SNMP to the DMZ, > the traffic will be going out the DMZ interface, with a source IP of the > DMZ's primary address. I'm not even sure how you'd get snmpwalk or > something to use the external IP over the default interface IP. Not knowing > which interface the tcpdump came from is also kind of limiting. See ip addr and ip route output below. > Any interesting results when looking at the packet counts in your ipchains > rules? No -- nothing is logged and when I subtract the obvious: # ipchains -nvL | grep -v '\(ACCEPT\|-l-\)' there is nothing that I find interesting in remaining output. = I am sorry; but, I thought that I differentiated each of my examples. Is there away to get tcpdump to listen to more than one (1) interface at a time? -i any does *not* work . . . This is the invocation, al
[Leaf-user] No firewall / more networks
Kindest greetings, Can anyone help me out and give me some information on the following two points. I currently run Dachstein CD and it works a treat, fair play to all involved. Firstly,I want to know if it is possible to run as a general router without firewalling. And secondly, if it is possible to route between 3or4 different networks, and if so, how can it be done? Does setting the IP Filter Switch to 'router' in network.conf disable the firewall scripts? Any help on details of how to add settings for more eth cards in network.conf would be appreciated. Only static IP addresses will be used and the box will be firewalled from the internet. Thanks in advance, Paul. ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] LRP's firewalling capbility
Hi gurus, I just set up a LRP box using Eiger 2.2.16 with pppoe support by Mike Leone. It's working fine with Bell Canada's Symaptico adsl service. Thanks to all who have put efforts on this image and LRP! Here is my question though. How strong is its firewalling capability? Is it just doing stateless packet filering by using ipchain? Can it do statefull fitering?(know which session a packet belongs to). Can it do proxy level of filtering as well? (e.g, application level filtering such as url blocking, email scanning, virus filtering, etc.) Thanks in advance! Andy ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
SUMMARY?: [Leaf-user] newbie question (Bering/2.4/IDE)
Whew! today was an adventure...I decided that I wanted to try to compile all the modules that I need/use into my own 2.4 kernel (ide, eepro, pci, etc). I grabbed the latest kernel source, put it on my old, rusty Pentium Pro 200/redhat 6.2 box, and followed the instructions in the readme (spent a while updating gcc and other packages that were a bit out-of-date in my distro). I used the bering.config as my starting point, and started changing m's, y's, and n's as appropriate and copied it as .config in the dir I untarred the kernel stuff in. I ran make oldconfig and make dep, made a bzImage, copied it to the HD of my router as "linux", etc...several hours and a few passes of syslinux later, I managed to get 2.4 to boot from the HD without having to include modules.lrp. Next up is some more slimming... I am a very happy man. If I can get the perl package to load successfully, I'll be a very happy man (and I'll work on getting a configuration utility I've been writing in perl to go). I want to thank everyone who responded...I may not follow everyones advice, but seeing the suggestions that people had made it easier for me to decide what road to travel. If I come up with any useful utilities, I'll be sure to let everybody in on it. -Original Message- From: Brad Fritz [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 27, 2002 6:41 AM To: Adrian Stovall Cc: LEAF (E-mail) Subject: Re: [Leaf-user] newbie question (Bering/2.4/IDE) On Tue, 26 Feb 2002 14:48:09 CST Adrian wrote: > Hi all...I had successfully finished a previous install with a 2.2.19-IDE > kernel and run from a small IDE HD. Cool. > What I would like to do is repeat this with a 2.4 kernel (currently messing > around with Bering Beta4...no probs running from floppy). What do I need to > do to make this run from a hard drive? > > I'm hoping for something other than "compile a 2.4 kernel with IDE support > enabled", but I'll try to if I have no choice (severe lack of experience > with compiling a kernel on my own). Compiling a 2.4 kernel with IDE support using Jacques' kernel config [1] as a starting point shouldn't be too bad. For an alternative solution, read on... > Is there a 2.4-IDE kernel out there? Am I stupid, and there's some simple > config option to make the Bering 2.4 kernel boot from my HD? I recently setup Bering (beta 3) on a compact flash card plugged into an CF-to-IDE adaptor. I use the stock kernel with with the IDE modules loaded via the initrd image. This isn't necessarily easier than recompiling the kernel, but if you *really* want to avoid re-compiling the kernel, the procedure below should work. Disclaimer: This is mostly from memory, so there may be a few mistakes. I am also assuming the hard disk is /dev/hdc and is temporarily installed in a full-blown Linux system for installation of Bering. 1. Format a partition of your HDD with an MS-DOS filesystem as described in Charles' LRP Hard Disk HOTWO [2] or with the Linux fdisk and mkfs.msdos commands [3]. 2. Mount a copy of the Bering image somewhere convenient: mount -o loop /tmp/bering-1680-b4.bin /mnt/disk/ 3. Uncompress a copy of the Bering initrd.lrp: gunzip -c < /mnt/disk/initrd.lrp > /tmp/initrd 4. Mount the uncompressed ramdisk image: mount -o loop /tmp/initrd /mnt/initrd 5. Copy the ide-disk.o, ide-mod.o, and ide-probe-mod.o modules from the ide directory of Jacques' modules directory [4] to the mounted initrd image: cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \ /mnt/initrd/boot/lib/modules/ 6. Add lines to boot/etc/modules of the initrd image to load the ide modules: echo ide-mod >> /mnt/initrd/boot/etc/modules echo ide-disk >> /mnt/initrd/boot/etc/modules echo ide-probe-mod >> /mnt/initrd/boot/etc/modules 7. Unmount the initrd image: umount /mnt/initrd 8. Mount the MS-DOS partition you created on the hard drive: mount /dev/hdc1 /mnt/newdisk 9. Copy all files from the Bering image to the new disk: cp /mnt/disk/* /mnt/newdisk 10. Replace the old initrd.lrp with the new one: gzip -9 < /tmp/initrd > /mnt/newdisk/initrd.lrp 11. Edit syslinux.cfg on the new disk and change the fd0u1680 references to hdc1. 12. Unmount the hard drive: umount /mnt/newdisk 13. Run syslinux on the hard drive partition: syslinux /dev/hdc1 14. Cross your fingers and try to boot from the new image. :) If you run into problems, setting the VERBOSE and DEBUG flags in /linuxrc (in the initrd file system) may help debugging them. > I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual > EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD. > > Any info is *greatly* appreciated. I've probably missed a few details here or there, but it should give you an idea for an approach that doesn't require a kernel recompilealthough r
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
I have to say - Simon, along with Charles posted on the list about a week ago and this is how I set mine up last week. I did pretty much the same thing Simon posted, except I took out the v (Verbosely log activity to syslog) out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was pushing 98% capacity in a matter of a few hours! #1 Seems LaBrea is working just fine, too good actually because it is drawing in some active port scanning as well, just increases after they realized something (LaBrea) answered them back. could just change and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf to read tcp dst port 80 or 21) however I think I would rather just keep it the way it is. #2 It would work even better - say that when any IP that gets teergrubed LaBrea (or some other package?) could run a small script to stop logging anything else to do with that IP.. Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 -> 24.118.176.41 21 preferably I would not want this to show up in the log after the previous msg; Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67) Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67) Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67) Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67) On Wed, 27 Feb 2002 11:14:28 -0500 Now with the changes I made, and uptime is over three days; Uptime: 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01 my ramdisk is fine; /dev/ram1 4049 359 3690 9% /var/log That I can live with. Thanks again to all your help! Steve "Simon Bolduc" <[EMAIL PROTECTED]> wrote: > This is from the mailing list (modified slightly) - it is a little script > that greps your external IP and reconfigures LaBrea on an IP change: > > 1. Create /etc/LaBrea.in have it contain the following: > > dst host > and tcp[2:2] & 0xfc00 == 0 > and not dst port (port # of any services you run that use ports below > 1024 like ssh or ftp or www) > > 2. Create /etc/LaBrea.scr it should contain the following: > > #!/bin/sh > > IPADDR=`ip addr list label eth0 | grep inet | \ > sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'` > > sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf > > > 3. Allow LaBrea.scr to be executable: > > chmod 744 /etc/LaBrea.scr > > 4. Edit the dhclient-exit-hooks to with the following changes: > > # Reload networking to see new address >reload_all > > Add a few lines so you have > > # Reload networking to see new address >reload_all >/etc/LaBrea.scr >svi LaBrea stop >svi LaBrea start > > 5. Back up dhclient and LaBrea - all done :) > > Just so you know the filter will block all ports below 1024 (which are the > ports that are normally denied automatically by Dachstein), make sure you > aren't running any services on those ports - or alter the bpf accordingly. > If you only have one IP address like I do here are the options that I use to > make sure my box doesn't proactively look for unused IPs (contained in the > LaBrea startup script): > > OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf" > > > Also everything is case sensitive in Linux - thus labrea and LaBrea are two > totally different words to the OS - so make sure you are typing things > correctly. You may just want to cut and paste. > > > HTH > S > > > > >From: "Craig Caughlin" <[EMAIL PROTECTED]> > >To: "LEAF" <[EMAIL PROTECTED]> > >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses? > >Date: Wed, 27 Feb 2002 07:33:33 -0800 > > > >Hi folks, > >I'm confused (what else is new :-) ). Will LaBrea work with the "default" > >Dachstein CD (which acts as both a DHCP client & Server)? or would I need > >to > >change DCD for static addresses? I have my generic, Dachstein CD working > >O.K., and would like to incorporate LaBrea...but I can't seem to figure out > >if it will work with the default DCD. Thank you, have a great day! > > > >Craig > > > > > > > >___ > >Leaf-user mailing list > >[EMAIL PROTECTED] > >https://lists.sourceforge.net/lists/listinfo/leaf-user > > > > > _ > Join the worlds largest e-mail service with MSN Hotmail. > http://www.hotmail.com > > > ___ > Leaf-user mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???
> I was not certain what it is that you want to see -- see below. > > tcpdump output, run on the local DCD : OK, this helps, but I'm still not sure what I'm looking at. Which interface did you run the tcpdump on? I'm guessing from the packet traffic we're looking at the upstream interface, and not the DMZ interface, but it's hard to be sure... Your first case: > [1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157) > > 14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] > 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107 > 14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] > 14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] > 14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107 > 14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] This is just wacky...looks like the remote system sends an SNMP query, followed by your firewall sending a UDP query back to the remote system. Finally, the remote system replies with a "destination unreachable" packet, probalby meaning inbound UDP packets are firewalled (or connection tracked). My best guess at this point is that your outbound UDP traffic is being masqueraded, and the packet: 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107 is actually the SNMP response, being masqueraded by your firewall... NOTE: All UDP traffic (other than DNS) is masqueraded from the DMZ using the default Dachstein firewall rules, which could explain the above traffic. Even so, the difference between [1], above, and [2], below, has me confused...something had to change between these two samples (or perhaps an unnoted change in the test procedure?). Your second case: > [2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port (w.x.z.157) > > 14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] > 14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] > 14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] > 14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] > 14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] > 14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] This looks a bit more normal...what changed between this trace and the first trace? Your description is identical. Here you're seeing the SNMP request, followed by an SNMP response, and finally the ICMP "destination unreachable" message back from the remote host. It sure looks like "a.b.c.d" is firewalling or otherwise dropping your response packets... Finally, we get to: > [3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157) > > 14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] > 14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] Here we've got nothing but the query packets...no response traffic at all. Without knowing which port you're running tcpdump on, and some more details about your test, I can't help much more... Try to forget everything you know about your network architecture, and look at line [3], above. To me, this is saying you're trying to access your internal DMZ host via SNMP from the firewall's external port. For one, this doesn't really even make sense...if the firewall's talking SNMP to the DMZ, the traffic will be going out the DMZ interface, with a source IP of the DMZ's primary address. I'm not even sure how you'd get snmpwalk or something to use the external IP over the default interface IP. Not knowing which interface the tcpdump came from is also kind of limiting. Any interesting results when looking at the packet counts in your ipchains rules? Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???
> We have a DCD setup, including a proxy dmz. > > SNMP queries work everywhere, excepting systems residing on that dmz. > Let me clarify that: snmp queries respond properly from clients inside > the private network; but, *not* from the DCD firewall nor internet > hosts. > > Running iptraf on the firewall, we see the snmp queries properly > forwarded to the dmz host; but, *nothing* returns from that host. > Instead, we see a flurry of these: > > ICMP; lo; 99 bytes; from bluetrout.private.network \ > to bluetrout.private.network; dest unrch (port) > > Notice that bluetrout is the firewall. > > We're unclear as to why snmp queries have anything to do with icmp. > > What is going on here? What are possible solutions? > > What do you think? Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly? Since it sounds like the packets may actually be getting to the DMZ host, do you maybe have a network configuration issue on that system? Your error report lacks enough detail for me to figure out exactly what's happening...not only am I unfamiliar with iptraf output (more of a tcpdump man), IP addresses would be more helpful (does the above really indacate your firewall is pinging itself over the loopback interface, like I think it does?), as well as other details (like details on the packets that you think were OK and went through to the DMZ host). If your local net can see SNMP services on the DMZ host (you indicate it can), but the firewall cannot, something wierd is going on. The internal snmp requests should be using the same query IP as the firewall, since the internal net is masqueraded to the DMZ. Are your firewall rules blocking anything? Did you remember to check (watch the byte/packet counts before and after trying to access your non-working service)? Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] FW: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
Hi Charles, hi all > Good for you that you question rather than simply believe... Ahh.. OK :) > > Unfortunately, you can't define in which chain rules go. (Watchguard > > Fireboxes run on a highly modified kernel 2.0.38) > > I don't know in which chain the organize their DMZ stuff. > Ah...with a 2.0 series kernel, you do *NOT* have a very flexible platform. > As there are things you can do with 2.4 kernels and iptables that are > difficult or impossible with ipchains, there's a *LOT* you can't do with a > 2.0 kernel's packet filtering. I'm not familiar enough with the 2.0 stuff > to know for sure, but that could very well be why a proxy-arp based DMZ > isn't as secure. If so, just note that it's an artifical > limitation of the > firewall, and not a basic problem with the topology. Please note that, referring to my trainer, Watchguard don't use a standard 2.0 kernel at all. They rewrote the whole TCP/IP stack and the firewalling part. I don't know how far this is true. I'm sure they've still some parts of the original 2.0 code in their stack. I'll ask her for more details and let you know. --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
The reason I have the verbose logging is because I remotely log the information and generate a web page that lists the time frames I was hit by an IP and how many packets have been sent to me by each IP. I suppose I should have left that out - as I have to reset my log files every 2 hours or so. :) Oops Simon >From: Steve Jeppesen <[EMAIL PROTECTED]> >To: "Simon Bolduc" <[EMAIL PROTECTED]>, leaf-user ><[EMAIL PROTECTED]> >Subject: Re: [Leaf-user] Will LaBrea work with dynamic IP addresses? >Date: Wed, 27 Feb 2002 12:50:36 -0600 > >I have to say - Simon, along with Charles posted on the list about a week >ago >and this is how I set mine up last week. I did pretty much the same thing >Simon posted, except I took out the v (Verbosely log activity to syslog) >out of the OPTIONS=" and I disabled logging on port 80 - My ramdisk was >pushing 98% capacity in a matter of a few hours! > > #1 Seems LaBrea is working just fine, too good actually because it is >drawing >in some active port scanning as well, just increases after they >realized something (LaBrea) answered them back. > >could just change > and tcp[2:2] & 0xfc00 == 0 in /etc/LaBrea.bpf >to read > tcp dst port 80 or 21) >however I think I would rather just keep it the way it is. > > #2 It would work even better - say that when any IP that gets teergrubed >LaBrea (or some other package?) could run a small script to stop logging >anything else to do with >that IP.. > >Feb 27 05:44:12 firewall /usr/sbin/LaBrea: Teergrubing: 80.13.85.237 4427 >-> 24.118.176.41 21 > >preferably I would not want this to show up in the log after the previous >msg; > >Feb 27 05:44:12 firewall kernel: Packet log: input DENY eth0 PROTO=6 >80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=15884 F=0x4000 T=25 (#67) >Feb 27 05:44:17 firewall kernel: Packet log: input DENY eth0 PROTO=6 >80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16298 F=0x4000 T=25 (#67) >Feb 27 05:44:20 firewall kernel: Packet log: input DENY eth0 PROTO=6 >80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16508 F=0x4000 T=25 (#67) >Feb 27 05:44:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 >80.13.85.237:4427 24.118.176.41:21 L=40 S=0x00 I=16875 F=0x4000 T=25 (#67) > >On Wed, 27 Feb 2002 11:14:28 -0500 > >Now with the changes I made, and uptime is over three days; >Uptime: > 12:46:30 up 3 Days (94h), load average: 0.16 0.03 0.01 > >my ramdisk is fine; >/dev/ram1 4049 359 3690 9% /var/log > >That I can live with. > >Thanks again to all your help! >Steve > >"Simon Bolduc" <[EMAIL PROTECTED]> wrote: > > > This is from the mailing list (modified slightly) - it is a little >script > > that greps your external IP and reconfigures LaBrea on an IP change: > > > > 1. Create /etc/LaBrea.in have it contain the following: > > > > dst host > > and tcp[2:2] & 0xfc00 == 0 > > and not dst port (port # of any services you run that use ports >below > > 1024 like ssh or ftp or www) > > > > 2. Create /etc/LaBrea.scr it should contain the following: > > > > #!/bin/sh > > > > IPADDR=`ip addr list label eth0 | grep inet | \ > > sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'` > > > > sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf > > > > > > 3. Allow LaBrea.scr to be executable: > > > > chmod 744 /etc/LaBrea.scr > > > > 4. Edit the dhclient-exit-hooks to with the following changes: > > > > # Reload networking to see new address > >reload_all > > > > Add a few lines so you have > > > > # Reload networking to see new address > >reload_all > >/etc/LaBrea.scr > >svi LaBrea stop > >svi LaBrea start > > > > 5. Back up dhclient and LaBrea - all done :) > > > > Just so you know the filter will block all ports below 1024 (which are >the > > ports that are normally denied automatically by Dachstein), make sure >you > > aren't running any services on those ports - or alter the bpf >accordingly. > > If you only have one IP address like I do here are the options that I >use to > > make sure my box doesn't proactively look for unused IPs (contained in >the > > LaBrea startup script): > > > > OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf" > > > > > > Also everything is case sensitive in Linux - thus labrea and LaBrea are >two > > totally different words to the OS - so make sure you are typing things > > correctly. You may just want to cut and paste. > > > > > > HTH > > S > > > > > > > > >From: "Craig Caughlin" <[EMAIL PROTECTED]> > > >To: "LEAF" <[EMAIL PROTECTED]> > > >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses? > > >Date: Wed, 27 Feb 2002 07:33:33 -0800 > > > > > >Hi folks, > > >I'm confused (what else is new :-) ). Will LaBrea work with the >"default" > > >Dachstein CD (which acts as both a DHCP client & Server)? or would I >need > > >to > > >change DCD for static addresses? I have my generic, Dachstein CD >working > > >O.K., and would like to incorporate LaBrea...but I can't seem to figure >out > > >if it will work with the
Re: [Leaf-user] DCD, proxy dmz, snmp & icmp ???
Charles Steinkuehler wrote: > > > We have a DCD setup, including a proxy dmz. > > > > SNMP queries work everywhere, excepting systems residing on that dmz. > > Let me clarify that: snmp queries respond properly from clients inside > > the private network; but, *not* from the DCD firewall nor internet > > hosts. > > > > Running iptraf on the firewall, we see the snmp queries properly > > forwarded to the dmz host; but, *nothing* returns from that host. > > Instead, we see a flurry of these: > > > > ICMP; lo; 99 bytes; from bluetrout.private.network \ > > to bluetrout.private.network; dest unrch (port) > > > > Notice that bluetrout is the firewall. > > > > We're unclear as to why snmp queries have anything to do with icmp. > > > > What is going on here? What are possible solutions? > > > > What do you think? > > Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly? Yes -- that's how it works everywhere, excepting the dmz . . . > Since it sounds like the packets may actually be getting to the DMZ host, do > you maybe have a network configuration issue on that system? Actually, it is two (2) systems (netware ;<) on that dmz . . . > Your error report lacks enough detail for me to figure out exactly what's > happening...not only am I unfamiliar with iptraf output (more of a tcpdump > man), IP addresses would be more helpful (does the above really indacate > your firewall is pinging itself over the loopback interface, like I think it > does?), as well as other details (like details on the packets that you think > were OK and went through to the DMZ host). I was not certain what it is that you want to see -- see below. > If your local net can see SNMP services on the DMZ host (you indicate it > can), but the firewall cannot, something wierd is going on. The internal > snmp requests should be using the same query IP as the firewall, since the > internal net is masqueraded to the DMZ. Are your firewall rules blocking > anything? Did you remember to check (watch the byte/packet counts before > and after trying to access your non-working service)? tcpdump output, run on the local DCD : [1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157) 14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107 14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107 14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:13.592798 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:13.593156 w.x.z.157.64943 > a.b.c.d.64861: udp 107 14:47:13.621180 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:14.607662 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:14.608002 w.x.z.157.64943 > a.b.c.d.64861: udp 107 14:47:14.629095 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:15.611646 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:15.611993 w.x.z.157.64943 > a.b.c.d.64861: udp 107 14:47:15.630231 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] 14:47:16.623665 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp] 14:47:16.624025 w.x.z.157.64943 > a.b.c.d.64861: udp 107 14:47:16.647831 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0] [2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port (w.x.z.157) 14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] 14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] 14:50:07.689494 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:07.689727 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:07.707398 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] 14:50:08.702497 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:08.702724 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp] 14:50:08.721155 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0] 14:50:09.712075 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp] 14:50:09.712311 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetR
Re: [Leaf-user] A(nother) security question (was angry and venting)
[EMAIL PROTECTED] wrote: > > > Ok. That's better than their being always on. A DMZ for your > > servers would be safer, but is not necessary. > > > > As soon as I'm able to get DSL, I'll be setting up a DMZ for my servers. A > question: what are the pros and cons of using a third NIC on my Oxygen box > for a DMZ to setting up a second Oxygen box and having both internal and > external firewalls? Using two seperate firewalls is much better than three nics in one. 1) You would be following "least privilege." The systems only enough privileges to do what they have to. Either protect a server or protect your internal network. Each firewall is responsible for a little. 2) You could be following "defense in depth." You have redundant systems backing each other up. If one part falls, you still have the second strongly defended firewall. 3) You'd have two "choke points," giving two very narrow, difficult, disparate channels the attacker has to go through that are being watched very carefully by you. 4) You'd have isolated the "weakest link," the server, between two differnt firewalls. 5) You'd have a failsafe stance, where one firewall could fail, but you'd have the other, still protecting the network. 6) You'd have reduced the complexity of each firewall, when it only has two nics. A simple system is easier to deploy, and it is easier to recognize any inappropriate behavior on it. 7) There's no single vulnerable point that would comprimise the internal network. 8) If someone comprimises a server on the DMZ with two two firewalls, the attacker can only sniff the DMZ, not the sensative internal network. The preferred method is to use two different hardware systems. One could be a LEAF, the other a Cisco or FreeBSD. The worst thing is to use identical firewalls with identical root passwords. Crack one, and the other's cracked, you can imagine. > Beside the fact that having two firewalls for a home > network would be overkill... :) It's only overkill until you lose a few years of work :) > I haven't upgraded to the recent Oxygen yet (.8 I think? Maybe x.8 --- I > don't remember), 1.8.1 Regards, Matthew > and I'm using Seawall for my firewall rules. Seawall has > built-in support for DMZ networks, so it would (should, anyway) be fairly > trivial to set up a DMZ on a third NIC. At some point in time, I'll also > be upgrading to a 2.4.x kernel and using either Shorewall or Openwall. > > While I'm asking, has anyone tried a halted firewall with a LEAF distro? > It's a cool concept: http://www.samag.com/print/documentID=20294 > > ___ > Leaf-user mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/leaf-user ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] RE: [Leaf-devel] Question of principle: Are ProxyARP DMZ insecure?
Hi Charles, hi all > Good for you that you question rather than simply believe... Ahh.. OK :) > > Unfortunately, you can't define in which chain rules go. (Watchguard > > Fireboxes run on a highly modified kernel 2.0.38) > > I don't know in which chain the organize their DMZ stuff. > Ah...with a 2.0 series kernel, you do *NOT* have a very > flexible platform. > As there are things you can do with 2.4 kernels and iptables that are > difficult or impossible with ipchains, there's a *LOT* you > can't do with a > 2.0 kernel's packet filtering. I'm not familiar enough with > the 2.0 stuff > to know for sure, but that could very well be why a proxy-arp based DMZ > isn't as secure. If so, just note that it's an artifical > limitation of the > firewall, and not a basic problem with the topology. Please note that, referring to my trainer, Watchguard don't use a standard 2.0 kernel at all. They rewrote the whole TCP/IP stack and the firewalling part. I don't know how far this is true. I'm sure they've still some parts of the original 2.0 code in their stack. I'll ask her for more details and let you know. --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] DCD, proxy dmz, snmp & icmp ???
We have a DCD setup, including a proxy dmz. SNMP queries work everywhere, excepting systems residing on that dmz. Let me clarify that: snmp queries respond properly from clients inside the private network; but, *not* from the DCD firewall nor internet hosts. Running iptraf on the firewall, we see the snmp queries properly forwarded to the dmz host; but, *nothing* returns from that host. Instead, we see a flurry of these: ICMP; lo; 99 bytes; from bluetrout.private.network \ to bluetrout.private.network; dest unrch (port) Notice that bluetrout is the firewall. We're unclear as to why snmp queries have anything to do with icmp. What is going on here? What are possible solutions? What do you think? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Question of principle: Are ProxyARP DMZ insecure?
Hi all I'm currently in a Watchguard training. I'm going to make the WCP Certificate. The trainer told me, that the "Drop-In configuration" (ProxyARP DMZ) is less secure than the routed DMZ. I didn't say anything and thought "Uh, really? Why?". Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ? Are there even any security related differents? She told me, that staticNAT with a private DMZ is the better solution if you want to save public IP's. I don't think so. I think I run into problems with special applications/protocols if using staticNAT (passiveFTP, PPTP?) Discussion is opened --- Sandro Minola | LEAF Developer (http://leaf.sourceforge.net) mailto:[EMAIL PROTECTED] | mailto:[EMAIL PROTECTED] http://www.minola.ch| http://leaf.sourceforge.net/devel/sminola ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] PPPoE or Ethernet
[EMAIL PROTECTED] wrote: > I have the opportunity to setup a firewall for a local > non-profit organization. They want Internet access for > their office. Both Cable and DSL are available in their > area. Prices and speed seem comparable. I have been > using Eiger and Dach 'steins for years with a cable > connection. I have not used DLS or PPPoE. Are there > any advantages/disadvantages with either option? Thanks > for your opinions! I am mostly concerned with ease of > administration. > > Sean > I recently helped a friend setup a DachsteinCD on PPPoE. I don't like the PPPoE protocol, but it was easy to setup and he runs services through it. We established a free dns name and used ez-ipupd.lrp. That way he could access his network from the outside by name even when the ip changes. PPPoE makes the router processor work a lot harder since it has to repackage the packets to ethernet so it is advisable to run a pentium on the router. Some PPPoE providers use this protocol to do things that are not in the interests of the user. Actually the principle reason why a provider chooses PPPoE is to limit control you rather than give you unlimited access. Cable on the other hand is probably faster. Things to remember on a cable is that every 13 year old on the cable loop with a sniffer may be reading your unencrypted mail. Cable systems sometimes block port 80 etc so you need to talk to users of the system. Choosing an internet provider is not unlike choosing a wife. You may get stuck with an unwise choice (if you sign with them for a year) that treats you like merchandise. I would recommend taking the time to find knowledgeable people who use both services. A good isp, like a good wife, is worth taking the time to find the right one. Victor McAllister ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] PPPoE or Ethernet
In this case, I have convinced them to host their Website and Email with a service. The local access would be for Email access (POP) and Web browsing only. The local DSL provider (SNET telco) uses PPPoE last I checked. None of the local cable providers do. Good point about checking with the locals about service quality. I think SNET is oversold. The local cable provider (in my area at least) recently capped 1t 1500/128. Their area may differ... Mostly I was concerned with PPPoE, since I have no experience with that type of connection. Ethernet is a no-brainer. Thanks! Sean > At 01:27 PM 2/27/02 +, [EMAIL PROTECTED] wrote: > >I have the opportunity to setup a firewall for a local > >non-profit organization. They want Internet access for > >their office. Both Cable and DSL are available in their > >area. Prices and speed seem comparable. I have been > >using Eiger and Dach 'steins for years with a cable > >connection. I have not used DLS or PPPoE. Are there > >any advantages/disadvantages with either option? Thanks > >for your opinions! I am mostly concerned with ease of > >administration. > > Before you can recommend a solution to them, you need to find out more about > what they want. "They want Internet access for their office" has too many > meanings to serve as a guide. > > The important question is whether they want to make services (like an onsite > Web server) available on the Internet. If they do, you want to recommend > that they get either (a) a service that offers static addresses -OR- (b) one > that offers dynamic addresses that don't change very often (making use of > dynamic-DNS service easier and more reliable). The first is better, but the > second will be cheaper, and since non-profits rarely have more monry than > they know what to do with, cost may be a big issue for them. > > If you need to opt for (b) above, this *probably* means going with cable. My > experience is that cable/DHCP leases change relatively rarely, while > DSL/PPPoE leases change multiple times per day. But those observations are > generalizations, and you need to find out what is true in your area. > > If they only need outgoing service, this consideration does not apply. LEAF > variants now support both DHCP addressing (used by cable-modem providers) > and PPPoE addressing (used by most DSL providers), but do allow for the fact > that PPPoE requires a bit higher level of hardware than true Ethernet-based > connections. > > The last thing to think about is service quality, both the frequency of > interruptions and the actual speed delivered. Cable connections use shared > bandwidth (they are functionally like a hub-based LAN in this respect), so > the actual speed delivered can be much lower (or, occasionally, higher) than > the service's nominal speed. DSL is point to point, so the promised speed > will be the real speed ... between the client site and the ISP. But > bandwidth is shared *after* that point, and can be underprovisioned by a DSL > ISP as easily as by a cable ISP. There is no general answer to this one; you > need to ask around locally to find out what the specific providers you are > considering actually do. > > Aside from that, the only advantage I can see to DSL is that you are likely > to have multiple DSL-based ISPs in your area, but only one cable-based ISP. > My observation is that this is an advantage of DSL only in theory, though, > as the low-price DSL provider always seems to be the telco. > > > -- > "Never tell me the odds!"--- > Ray Olszewski-- Han Solo > Palo Alto, CA [EMAIL PROTECTED] > > ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
On Wednesday 27 February 2002 10:14, Simon Bolduc wrote: > 2. Create /etc/LaBrea.scr it should contain the following: > > #!/bin/sh > > IPADDR=`ip addr list label eth0 | grep inet | \ > sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'` > > sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf Nice script. If you want something Dachstein specific that takes the external ip addy and service ports from /etc/network.conf let me know. It would eliminate the need to enter these ports twice in the config. -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question! ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Will LaBrea work with dynamic IP addresses?
This is from the mailing list (modified slightly) - it is a little script that greps your external IP and reconfigures LaBrea on an IP change: 1. Create /etc/LaBrea.in have it contain the following: dst host and tcp[2:2] & 0xfc00 == 0 and not dst port (port # of any services you run that use ports below 1024 like ssh or ftp or www) 2. Create /etc/LaBrea.scr it should contain the following: #!/bin/sh IPADDR=`ip addr list label eth0 | grep inet | \ sed '1!d;s/^[^.0-9]*\([.0-9]*\).*$/\1/'` sed "s//$IPADDR/g" /etc/LaBrea.in >/etc/LaBrea.bpf 3. Allow LaBrea.scr to be executable: chmod 744 /etc/LaBrea.scr 4. Edit the dhclient-exit-hooks to with the following changes: # Reload networking to see new address reload_all Add a few lines so you have # Reload networking to see new address reload_all /etc/LaBrea.scr svi LaBrea stop svi LaBrea start 5. Back up dhclient and LaBrea - all done :) Just so you know the filter will block all ports below 1024 (which are the ports that are normally denied automatically by Dachstein), make sure you aren't running any services on those ports - or alter the bpf accordingly. If you only have one IP address like I do here are the options that I use to make sure my box doesn't proactively look for unused IPs (contained in the LaBrea startup script): OPTIONS="-i eth0 -l -v -p 8 -z -x -F /etc/LaBrea.bpf" Also everything is case sensitive in Linux - thus labrea and LaBrea are two totally different words to the OS - so make sure you are typing things correctly. You may just want to cut and paste. HTH S >From: "Craig Caughlin" <[EMAIL PROTECTED]> >To: "LEAF" <[EMAIL PROTECTED]> >Subject: [Leaf-user] Will LaBrea work with dynamic IP addresses? >Date: Wed, 27 Feb 2002 07:33:33 -0800 > >Hi folks, >I'm confused (what else is new :-) ). Will LaBrea work with the "default" >Dachstein CD (which acts as both a DHCP client & Server)? or would I need >to >change DCD for static addresses? I have my generic, Dachstein CD working >O.K., and would like to incorporate LaBrea...but I can't seem to figure out >if it will work with the default DCD. Thank you, have a great day! > >Craig > > > >___ >Leaf-user mailing list >[EMAIL PROTECTED] >https://lists.sourceforge.net/lists/listinfo/leaf-user _ Join the worlds largest e-mail service with MSN Hotmail. http://www.hotmail.com ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] shell script problem
You need to use backticks (`) around ls, not single-quotes ('), to accomplish what you probably want. The script as written below works correctly. At 04:10 PM 2/27/02 +0100, sylvain pelletier wrote: >Hi, > >I would make a little script in sh on my lrp ( dachtein version) > >and i can't do this : > >for file in 'ls' ; do >echo "$file" >done > >the echo response is: ls > >what's wrong, the problem comes from lrp??? -- "Never tell me the odds!"--- Ray Olszewski-- Han Solo Palo Alto, CA[EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Will LaBrea work with dynamic IP addresses?
Hi folks, I'm confused (what else is new :-) ). Will LaBrea work with the "default" Dachstein CD (which acts as both a DHCP client & Server)? or would I need to change DCD for static addresses? I have my generic, Dachstein CD working O.K., and would like to incorporate LaBrea...but I can't seem to figure out if it will work with the default DCD. Thank you, have a great day! Craig ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] PPPoE or Ethernet
At 01:27 PM 2/27/02 +, [EMAIL PROTECTED] wrote: >I have the opportunity to setup a firewall for a local >non-profit organization. They want Internet access for >their office. Both Cable and DSL are available in their >area. Prices and speed seem comparable. I have been >using Eiger and Dach 'steins for years with a cable >connection. I have not used DLS or PPPoE. Are there >any advantages/disadvantages with either option? Thanks >for your opinions! I am mostly concerned with ease of >administration. Before you can recommend a solution to them, you need to find out more about what they want. "They want Internet access for their office" has too many meanings to serve as a guide. The important question is whether they want to make services (like an onsite Web server) available on the Internet. If they do, you want to recommend that they get either (a) a service that offers static addresses -OR- (b) one that offers dynamic addresses that don't change very often (making use of dynamic-DNS service easier and more reliable). The first is better, but the second will be cheaper, and since non-profits rarely have more monry than they know what to do with, cost may be a big issue for them. If you need to opt for (b) above, this *probably* means going with cable. My experience is that cable/DHCP leases change relatively rarely, while DSL/PPPoE leases change multiple times per day. But those observations are generalizations, and you need to find out what is true in your area. If they only need outgoing service, this consideration does not apply. LEAF variants now support both DHCP addressing (used by cable-modem providers) and PPPoE addressing (used by most DSL providers), but do allow for the fact that PPPoE requires a bit higher level of hardware than true Ethernet-based connections. The last thing to think about is service quality, both the frequency of interruptions and the actual speed delivered. Cable connections use shared bandwidth (they are functionally like a hub-based LAN in this respect), so the actual speed delivered can be much lower (or, occasionally, higher) than the service's nominal speed. DSL is point to point, so the promised speed will be the real speed ... between the client site and the ISP. But bandwidth is shared *after* that point, and can be underprovisioned by a DSL ISP as easily as by a cable ISP. There is no general answer to this one; you need to ask around locally to find out what the specific providers you are considering actually do. Aside from that, the only advantage I can see to DSL is that you are likely to have multiple DSL-based ISPs in your area, but only one cable-based ISP. My observation is that this is an advantage of DSL only in theory, though, as the low-price DSL provider always seems to be the telco. -- "Never tell me the odds!"--- Ray Olszewski-- Han Solo Palo Alto, CA[EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] shell script problem
Hi, I would make a little script in sh on my lrp ( dachtein version) and i can't do this : for file in 'ls' ; do echo "$file" done the echo response is: ls what's wrong, the problem comes from lrp??? Thanks Sylvain ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] PPPoE or Ethernet
I have the opportunity to setup a firewall for a local non-profit organization. They want Internet access for their office. Both Cable and DSL are available in their area. Prices and speed seem comparable. I have been using Eiger and Dach 'steins for years with a cable connection. I have not used DLS or PPPoE. Are there any advantages/disadvantages with either option? Thanks for your opinions! I am mostly concerned with ease of administration. Sean ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] ISDN modem choices?
Hi Richard I use an ISDN T/A which emulates a normal modem (AT command set) so you can use a serial port and standard modem stuff without having to worry about a separate isdn driver. There are several around and most offer 128Kbits from memory as an option. Peter -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dr. Richard W. Tibbs Sent: 26 February 2002 18:26 To: [EMAIL PROTECTED] Subject: [Leaf-user] ISDN modem choices? Anybody had any luck with ISDN modems and Dachstein? I would like to take an old IBM Aptiva and make an ISDN firewall/router out of it. This is for a friend who lives where no cable or dsl is available (or probably ever will be). But, Bellsouth can supply 128K ISDN. I will probably use Dachstein/Floppy, which has worked well for me before. I just want to select the least difficult ISDN modem card to use. Any suggestions? TIA. -- Dr. Richard W. Tibbs Oak City Networks & Solutions P.O. Box 10292 Raleigh NC 27605 919.510.9551 ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] newbie question (Bering/2.4/IDE)
On Tue, 26 Feb 2002 14:48:09 CST Adrian wrote: > Hi all...I had successfully finished a previous install with a 2.2.19-IDE > kernel and run from a small IDE HD. Cool. > What I would like to do is repeat this with a 2.4 kernel (currently messing > around with Bering Beta4...no probs running from floppy). What do I need to > do to make this run from a hard drive? > > I'm hoping for something other than "compile a 2.4 kernel with IDE support > enabled", but I'll try to if I have no choice (severe lack of experience > with compiling a kernel on my own). Compiling a 2.4 kernel with IDE support using Jacques' kernel config [1] as a starting point shouldn't be too bad. For an alternative solution, read on... > Is there a 2.4-IDE kernel out there? Am I stupid, and there's some simple > config option to make the Bering 2.4 kernel boot from my HD? I recently setup Bering (beta 3) on a compact flash card plugged into an CF-to-IDE adaptor. I use the stock kernel with with the IDE modules loaded via the initrd image. This isn't necessarily easier than recompiling the kernel, but if you *really* want to avoid re-compiling the kernel, the procedure below should work. Disclaimer: This is mostly from memory, so there may be a few mistakes. I am also assuming the hard disk is /dev/hdc and is temporarily installed in a full-blown Linux system for installation of Bering. 1. Format a partition of your HDD with an MS-DOS filesystem as described in Charles' LRP Hard Disk HOTWO [2] or with the Linux fdisk and mkfs.msdos commands [3]. 2. Mount a copy of the Bering image somewhere convenient: mount -o loop /tmp/bering-1680-b4.bin /mnt/disk/ 3. Uncompress a copy of the Bering initrd.lrp: gunzip -c < /mnt/disk/initrd.lrp > /tmp/initrd 4. Mount the uncompressed ramdisk image: mount -o loop /tmp/initrd /mnt/initrd 5. Copy the ide-disk.o, ide-mod.o, and ide-probe-mod.o modules from the ide directory of Jacques' modules directory [4] to the mounted initrd image: cp /tmp/ide-disk.o /tmp/ide-mod.o /tmp/ide-probe-mod.o \ /mnt/initrd/boot/lib/modules/ 6. Add lines to boot/etc/modules of the initrd image to load the ide modules: echo ide-mod >> /mnt/initrd/boot/etc/modules echo ide-disk >> /mnt/initrd/boot/etc/modules echo ide-probe-mod >> /mnt/initrd/boot/etc/modules 7. Unmount the initrd image: umount /mnt/initrd 8. Mount the MS-DOS partition you created on the hard drive: mount /dev/hdc1 /mnt/newdisk 9. Copy all files from the Bering image to the new disk: cp /mnt/disk/* /mnt/newdisk 10. Replace the old initrd.lrp with the new one: gzip -9 < /tmp/initrd > /mnt/newdisk/initrd.lrp 11. Edit syslinux.cfg on the new disk and change the fd0u1680 references to hdc1. 12. Unmount the hard drive: umount /mnt/newdisk 13. Run syslinux on the hard drive partition: syslinux /dev/hdc1 14. Cross your fingers and try to boot from the new image. :) If you run into problems, setting the VERBOSE and DEBUG flags in /linuxrc (in the initrd file system) may help debugging them. > I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual > EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD. > > Any info is *greatly* appreciated. I've probably missed a few details here or there, but it should give you an idea for an approach that doesn't require a kernel recompilealthough recompiling the kernel with IDE support is probably less work. ;) --Brad [1] http://leaf.sourceforge.net/devel/jnilo/bering/beta4/bering-b4.config [2] http://lrp.steinkuehler.net/Documentation/LRPHardDiskHOWTO.txt [3] I had trouble getting the mkfs.msdos created filesystem to boot correctly using syslinux, but it was probably due to an error on my part. [4] http://leaf.sourceforge.net/devel/jnilo/bering/beta4/modules/drivers/ide/ > TIA > > Adrian ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] dhclient interferes with weblet
Excellent suggestions for gathering data, Charles. Unfortunately, data indicates that nothing changes (with respect to those commands). I still believe that it is related to changing the eth1 net to 192.168.3.0/24 because I have a similar system unchanged that doesn't fail (mind you, it has w2k not w95 on the internal net). I made one other discovery. If I change the hosts.allow to: sh-httpd: 0.0.0.0/0.0.0.0 sshd: 0.0.0.0/0.0.0.0 then I no longer have the problem!!! BUT in the original failure, I didn't get any such message as "connection refused" (or whatever it is when hosts.deny disallows) in the logs. VERY strange. It's as if a cached copy of hosts.allow is set for ALL: 192.168.1.0/255.255.255.0 (as opposed to the "real" ALL: 192.168.3.0/255.255.255.0 and it reverts to the cached copy when dnscache is restarted and rereads the actual file when dhclient assigns an ip address??? Urgency is gone as I wanted to open up hosts.allow anyway. I just hate to think that there may be a problem lurking that may bite me later (e.g. when I wish to tighten hosts.allow in the future?). Any further ideas or diagnostics? Keith > -Original Message- > From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, February 26, 2002 3:37 PM > To: Keith Laidlaw > Cc: LEAF > Subject: Re: [Leaf-user] dhclient interferes with weblet > > > > To the best of my knowledge (using winipcfg), all settings are > same (since > > they come from dhcpd and the conf file doesn't change. > > > > What I mean by "access" is that I can always ping 192.168.3.254 > but can't > > get the web page by typing in the url "http://192.168.3.254"; in > IE5.0. I > > get a long, long delay with hourglass (2minutes?) followed by > an IE error > > page (unable to something or other... sorry, don't know exactly and the > > system is setup is elsewhere). > > > > Can't remember exactly but I think there were no entries at all in the > logs. > > Pretty sure of that. > > OK, so you re-load dnscache, and your internal system can't see the weblet > server...is that correct? What about the rest of the internet...can you > ping/web-browse by IP and/or domain name to the internet in general? > > If you want to try to track down what's wrong, it's probably time to start > gathering data. Run the following commands and store the output: > > On the firewall: > ip addr > ip route > ip neigh > netstat -an > net ipfilter list > > On the internal machine (NOTE: these are the commands for WinNT/2000...if > you're using 9x you may have to translate): > ipconfig /all > arp -a > > Record the output in the normal (everything working) state, then > again when > you restart dnscache (and break the internal systems weblet access), and > finally when everything is working again, after you release/renew > your dhcp > lease. > > Charles Steinkuehler > http://lrp.steinkuehler.net > http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) > > ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Re: [Shorewall-users] LEAF "Bering" beta4 available
On Fri, 2002-02-22 at 00:49, Jacques Nilo wrote: > Changelog for beta4: looks great, are there any plans to make that available on a CD for more space ? It try to access the documentation page, but I get unreachable. Best regards, Christophe -- Christophe Zwecker :Sysctl Susannenstr. 26-28 20357 Hamburg phon/fax: +49 40 43099296/7 mail: [EMAIL PROTECTED] ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] newbie question (Bering/2.4/IDE)
First familiarise yourself with the general methods for running from hard disk via the excellent HOWTO on the LEAF site. Bering's kernel has module support for IDE built in (always a good idea to check the kernel config file which most developers provide with the dist so you can check what is in and out of the kernel). This means that you need to load the ide modules at boot time. The ide modules are available from leaf.sourceforge.net/devel/jnilo/ and are called ide-mod.o, ide-disk.o and ide-probe.mod.o. The procedure for adding modules to /boot/lib/modules is described in the docs on Jacques' LEAF site. Finally make sure you follow the HOWTO on the necessary changes to syslinux and it works. How do I know? Because I happen to have done it on Monday. Good luck rgds/andy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Adrian Stovall Sent: 26 February 2002 20:48 To: LEAF (E-mail) Subject: [Leaf-user] newbie question (Bering/2.4/IDE) Hi all...I had successfully finished a previous install with a 2.2.19-IDE kernel and run from a small IDE HD. What I would like to do is repeat this with a 2.4 kernel (currently messing around with Bering Beta4...no probs running from floppy). What do I need to do to make this run from a hard drive? I'm hoping for something other than "compile a 2.4 kernel with IDE support enabled", but I'll try to if I have no choice (severe lack of experience with compiling a kernel on my own). Is there a 2.4-IDE kernel out there? Am I stupid, and there's some simple config option to make the Bering 2.4 kernel boot from my HD? I'm running this on a Dell PowerApp Web 100 (single PIII-73/256MB/dual EEPro100) and using Bering Beta4/Syslinux 1.66 on my HD. Any info is *greatly* appreciated. TIA Adrian ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user ___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user