[Leaf-user] VPN Architecture Options

2001-12-17 Thread dgilleece

Hi all,

I have a client with an interesting situation, regarding VPN needs.  They are a 
small database consulting group, who need secure remote access across a variety 
of scenarios:

1.  Sitting in their US office, accessing multi-vendor VPN systems at major 
corporations.

2.  Sitting at the customer site, accessing their own US office LAN:
 a. using their own laptops (Linux and Windows)
 b. using "borrowed" machines (Linux and Windows) on the customers' LAN

3.  One employee in Australia needs to:
 a. do all of the above, for both the US office and US customers
 b. have the local AU LAN securely access the US LAN, Windows shares and all
 c. have his laptop access local Australia customers

Given the nature of IPSec, it seems NAT'd addresses can't be relied upon in all 
scenarios.  This tends to indicate we would be better off running routable 
addresses on the LANs in question --- but are the risks of that manageable?  
They own a /25 subnet, but I'm not sure we want to expose the entire range to 
the Internet.  

Having read some about FreeS/WAN, I am still confused on what it takes to 
connect from a roaming laptop --- with a varying IP.  Most of the instructions 
tend to be focused on gateway-to-gateway connections, not laptop-to-gateway -- 
and almost all doc uses non-routable IPs in the examples.  Any pointers to 
configuring a single-address client to FreeS/WAN on LRP would be helpful.

Has anyone used LRP routers in this varied a scenario?  Any recommendations on 
VPN clients for roaming connections, both for Windows and Linux laptops?  Any 
wisdom, advice, pointers? :)

Thanks,

Dan


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] ipsec gateways & same private networks ???

2001-12-31 Thread dgilleece

On the topic of re-numbering networks:

I have recently installed DachCD, and noticed the comments in network.conf for 
eth1 specify "DO NOT CHANGE."  I assume this is due to some hard-coded 
instances of this explicit IP, rather than a variable.  I noticed in the weblet 
config, 192.168.1.254 is given explicitly.

Where might I find a resource listing all script reconfigs necessary to re-
number the private network?  I tried a search through the LEAF archives, but 
couldn't find anything that nailed it.  I am also looking at an IPSec tunnel 
between two sites, and I'd like to have a clean "from scratch" start on it.


Thanks,

Dan




Re: [Leaf-user] ipsec gateways & same private networks ???

2001-12-31 Thread dgilleece

Charles,

I will poke around in the places you mentioned, and document what I find.  I 
also caught part of a November thread in which there was talk of formalizing 
some beginner-level doc for the CD distro --- did that ever come about? If not, 
I could be talked into it --- I'm an infinitely qualified beginner :)  

That kind of stuff helps cement my own knowledge, and if the doc helps people, 
it's icing on the cake.  If someone has already done it, I won't try to 
reinvent, though...

Dan

Quoting Charles Steinkuehler <[EMAIL PROTECTED]>:

> > On the topic of re-numbering networks:
> >
> > I have recently installed DachCD, and noticed the comments in network.conf
> > for eth1 specify "DO NOT CHANGE."  I assume this is due to some hard-coded
> > instances of this explicit IP, rather than a variable.  I noticed in the
> > weblet config, 192.168.1.254 is given explicitly.
> >
> > Where might I find a resource listing all script reconfigs necessary to
> > re-number the private network?  I tried a search through the LEAF archives,
> > but couldn't find anything that nailed it.  I am also looking at an IPSec
> > tunnel between two sites, and I'd like to have a clean "from scratch" start
> > on it.
> 
> There's no complete list...perhaps you could take notes and start one?  Off
> the top of my head, you will need to edit/re-configure the following
> files/services if you change the internal network settings:
> 
> - /etc/network.conf
> - /etc/hosts.allow
> - weblet
> - dhcpd
> - dnscache
> 
> There may be others...if you could take notes on exactly what files/settings
> require changing, I'll add it to the documentation.
> 
> Thanks, and good luck!
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
> 
> 
> 




Re: [Leaf-user] Network Card Problem

2001-12-31 Thread dgilleece

Well, it seems like you could *try* copying the working 3c5x9.o file to the 
LEAF disk --- but with kernel differences it may not work.  Another thing you 
might try is the preconfigured modules.lrp for the 3c5x9 from 
www.pigtail.net/LRP.  In my experience, Nicholas does a great job of testing 
these modules and keeping them current.  Although I haven't seen him contribute 
in this forum, he does maintain an extensive library of modules, and he'd 
probably respond to an email if you sent him a query.

Best of luck,

Dan

Quoting Patrick Nixon <[EMAIL PROTECTED]>:

> Hello All,
>   I briefly mentioned a few weeks ago a problem I'm having with a
> specific network card, however, no one had any solid advice and I wasn't
> sure what the exact problem was so I'm reposting with a bit more
> information I hope.
> 
> NIC: 3Com 3C920 Integrated network Card (lists as a 3c905C-TX in some
> systems)
> 
> System: Dell Optiplex GX150
> 
> Problem: Despite a successful loading of the module 3c59x.o I am unable to
> receive any data over the network interface.  from netstat -i I can see
> that it's transmitting, just not receiving properly.
> 
> I have RedHat 7.2 with Kernel 2.4.3-7 running on an identical system,
> with a 'different' 3c59x.o module and that system is happyhappy.
> 
> Ideas/suggestions/whathaveyous?
> 
> --Pat
> 
> 
> 




[Leaf-user] Changing Internal Address References for IPSec

2001-12-31 Thread dgilleece

Quoting Charles Steinkuehler <[EMAIL PROTECTED]>:


> There's no complete list...perhaps you could take notes and start one?  Off
> the top of my head, you will need to edit/re-configure the following
> files/services if you change the internal network settings:
> 
> - /etc/network.conf
> - /etc/hosts.allow
> - weblet
> - dhcpd
> - dnscache
> 
> There may be others...if you could take notes on exactly what files/settings
> require changing, I'll add it to the documentation.
> 


OK, sanity check this:
I did an rsync of the entire running config, so I could play with the directory 
structure on a full distro.  I ran 'rgrep -rnB 192.168.1 ./* >ref.txt' against 
the directory, and got back:


./dhcpd.conf:Line 4
./dhcpd.conf:Line 5
./dhcpd.conf:Line 7
./dhcpd.conf:Line 8

./hosts: Line 2:

./hosts.allow:Line 9

./network.conf:Line 133
./network.conf:Line 164
./network.conf:Line 349 
./network.conf:Line 350 
./network.conf:Line 372
./network.conf:Line 376 
./network.conf:Line 377 
./network.conf:Line 378 
./network.conf:Line 379
./network.conf:Line 380 
./network.conf:Line 381 
./network.conf:Line 389
./network.conf:Line 620

./sh-httpd.conf:Line 2
./sh-httpd.conf:Line 3
./sh-httpd.conf:Line 7

No mention in my output of anything in dnscache.  I also poked around in there 
manually, and didn't find anything.  Does this approach sound accurate and 
complete?

Thanks,

Dan


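Added example, not part of the original post: a stricter form of the search described in the message above. The function names and the sample files are constructed for illustration; the pattern reports only addresses in the given three-octet prefix, so lines for 192.168.10.x or 192.168.100.x are not mixed into the 192.168.1 list.

```shell
#!/bin/sh
# Added example: list every reference to one internal /24 prefix in a config
# tree before renumbering. Function names and sample files are constructed.

# subnet_pattern PREFIX -> extended regex for a three-octet PREFIX.
# Dots are escaped, and the prefix may not be preceded by a digit or dot or
# followed by a digit, so 192.168.10.1 is not reported for 192.168.1.
subnet_pattern() (
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(^|[^0-9.])%s([^0-9]|$)' "$escaped"
)

# find_subnet_refs DIR PREFIX -> "file:line:text" for every matching line.
# "No match" is not treated as an error; real grep failures still are.
find_subnet_refs() (
    grep -rnE -- "$(subnet_pattern "$2")" "$1" || [ "$?" -eq 1 ]
)

# refs_by_file DIR PREFIX -> one line per file: "path: line line ..."
# (paths containing ':' would confuse the field split).
refs_by_file() (
    find_subnet_refs "$1" "$2" | LC_ALL=C sort -t: -k1,1 -k2,2n |
    awk -F: '
        !($1 in lines) { order[++n] = $1 }
        { lines[$1] = lines[$1] " " $2 }
        END { for (i = 1; i <= n; i++) print order[i] ":" lines[order[i]] }'
)

# make_sample_tree -> path of a temporary directory holding constructed
# sample files (not the poster's real configuration; LAN_ADDR, LAN_NET and
# CLIENT_ADDRS are made-up variable names).
make_sample_tree() (
    dir=$(mktemp -d)
    printf '%s\n' 'LAN_ADDR=192.168.1.254' 'LAN_NET=192.168.1.0/24' \
        'INTERN_SMTP_SERVER=192.168.10.1' > "$dir/network.conf"
    printf '%s\n' '# constructed sample' 'ALL: 192.168.1.' > "$dir/hosts.allow"
    printf '%s\n' 'CLIENT_ADDRS="192.168.100.0/24"' > "$dir/sh-httpd.conf"
    printf '%s\n' "$dir"
)

# Demo: the strict search lists three lines; an unescaped
# "grep -rn 192.168.1" over the same tree would list five.
tree=$(make_sample_tree)
refs_by_file "$tree" 192.168.1
rm -rf "$tree"
```
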



Re: [Leaf-user] dachstein cd 1.0.2: modules are unavailable

2002-01-01 Thread dgilleece

This is an excellent How-to --- one I plan to base my upcoming docs off of --- 
IF it ever comes back on line.  I have tried accessing it for the last few 
days, and it comes up dead

Dan

Quoting Greg Morgan <[EMAIL PROTECTED]>:

> One more idea is to use some of the other documentation.  Take a look at
> http://nw-hoosier.dyndns.org/rlohman/linux/firewall/index.html. Don't
> forget to wander around leaf.sourceforge.net.
> 
> 




Re: [Leaf-user] need help with port forwarding

2002-01-02 Thread dgilleece

Do you have the corresponding ports *open* in the EXTERN_TCP_PORTS section?  If 
not, the forwarding rules are inside waiting for a bride that's locked out of 
the church ;)

Also, since it looks like you have re-numbered your network from the default 
(changed 192.168.1 to 192.168.0) you should have a stroll back thru your 
configs, to make sure you have changed every instance of 192.168.1.

Dan


Quoting Peter Jay Salzman <[EMAIL PROTECTED]>:

> i'm using dachstein 1.0.2 on a home network firewall.  everything seems
> hunky dory:
> 
>   network cards are both recognized and configured correctly
>   masquerading works on the internal machines
>   everyone can ping everyone, both inside and out.
> 
> the last hurdle is port forwarding -- it looks ok, but isn't working
> (i'm not receiving mail, and i can't telnet to the smtp port from a
> remote machine).  note that the internal server that handles mail, ftp
> and apache is satan.diablo.net (192.168.0.2).  the firewall is
> mephisto.diablo.net (eth0: 64.164.47.8 eth1: 192.168.0.1).
> 
> modules:
>    ip_masq_user            3708   0 (unused)
>    ip_masq_portfw          2416   4
>    ip_masq_ftp             3576   0 (unused)
>    ip_masq_mfw             3196   0 (unused)
>    ip_masq_autofw          2476   0 (unused)
>    rtl8139                10856   1
>    tulip                  32424   1
>    pci-scan                2300   0 [rtl8139 tulip]
>    isofs                  17692   0
>    ide-cd                 22672   0
>    cdrom                  26712   0 [ide-cd]
> 
> forwarded ports:
>  # ipmasqadm portfw -l
>  prot localaddr rediraddr lport rport pcnt pref
>  TCP adsl-64-164-47-8.dsl.scrm01.pacbell.net satan.diablo.localnet 24 ssh 10 10
>  TCP adsl-64-164-47-8.dsl.scrm01.pacbell.net satan.diablo.localnet smtp smtp 10 10
>  TCP adsl-64-164-47-8.dsl.scrm01.pacbell.net satan.diablo.localnet www www 10 10
>  TCP adsl-64-164-47-8.dsl.scrm01.pacbell.net satan.diablo.localnet ftp ftp 10 10
> 
> here are the relevant variables i've set.  i'm wondering what the
> difference between them is.  they look to do the same thing to me:
> 
>    INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.0.2_ftp
>                    tcp_${EXTERN_IP}_smtp_192.168.0.2_smtp"
> 
>    # These lines use the primary external IP address...if you need to
>    # port-forward an aliased IP address, use the INTERN_SERVERS setting above
>    INTERN_FTP_SERVER=192.168.0.2   # Internal FTP server to make available
>    INTERN_WWW_SERVER=192.168.0.2   # Internal WWW server to make available
>    INTERN_SMTP_SERVER=192.168.0.2  # Internal SMTP server to make available
>    #INTERN_POP3_SERVER=192.168.0.2 # Internal POP3 server to make available
>    #INTERN_IMAP_SERVER=192.168.0.2 # Internal IMAP server to make available
>    INTERN_SSH_SERVER=192.168.0.2   # Internal SSH server to make available
>    EXTERN_SSH_PORT=24              # External port to use for internal SSH
> 
> i'm looking at this, and i can't see anything that's wrong.  the output
> of ipmasqadm looks compelling.  it LOOKS like it should be working.
> 
> help!  any advice?  what exactly is the difference between
> INTERN_SERVERS and INTER_.*_SERVER?   i'm not too sure what an
> "aliased IP address" is.  does that refer to a masqueraded ip address
> (like 192.168.0.2)?
> 
> any help greatly appreciated.  i've been staring at this for far too
> long.  :)
> 
> pete
> 
> -- 
> PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E  70A9 A3B9 1945 67EA 951D
> PGP Public Key:  finger [EMAIL PROTECTED]
> 
> 

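Added example, not code from Dachstein or from the posters: a lint for the situation in the message above, where a forward is configured but the matching external port is not opened. It assumes the variable formats quoted in the thread (EXTERN_TCP_PORTS entries as srcip/mask_dstport, INTERN_SERVERS entries as proto_extip_extport_intip_intport); the helper names, the service-to-port table, the default SSH port and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example: check a Dachstein-style network.conf fragment for forwards
# whose external port is not opened. Helper names and sample are constructed.

# port_num NAME|NUMBER -> numeric port, so "smtp" and "25" compare equal.
# Assumption: only the services that appear in this thread are mapped.
port_num() {
    case $1 in
        ftp) echo 21 ;; ssh) echo 22 ;; smtp) echo 25 ;;
        www) echo 80 ;; pop-3) echo 110 ;;
        *) echo "$1" ;;
    esac
}

# lint_portfw FILE -> one line per problem, exit status 1 if any was found.
# FILE is sourced in a subshell, as shell config, so lint only trusted files.
lint_portfw() (
    EXTERN_IP=192.0.2.1                 # placeholder so ${EXTERN_IP} expands
    EXTERN_TCP_PORTS='' INTERN_SERVERS=''
    INTERN_SSH_SERVER='' EXTERN_SSH_PORT=''
    . "$1"

    opened=' '                          # " 25 80 " style list of open ports
    for e in $EXTERN_TCP_PORTS; do      # entries look like srcip/mask_dstport
        opened="$opened$(port_num "${e##*_}") "
    done

    fwd=''                              # lines of "extport intaddr"
    nl='
'
    for e in $INTERN_SERVERS; do        # proto_extip_extport_intip_intport
        old_ifs=$IFS; IFS=_; set -- $e; IFS=$old_ifs
        [ "$1" = tcp ] || continue      # UDP forwards are out of scope here
        fwd="$fwd$(port_num "$3") $4$nl"
    done
    for pair in ftp:FTP www:WWW smtp:SMTP pop-3:POP3; do
        eval "addr=\${INTERN_${pair#*:}_SERVER:-}"
        if [ -n "$addr" ]; then
            fwd="$fwd$(port_num "${pair%%:*}") $addr$nl"
        fi
    done
    if [ -n "$INTERN_SSH_SERVER" ]; then
        # Assumption: without EXTERN_SSH_PORT the standard ssh port is used.
        fwd="$fwd$(port_num "${EXTERN_SSH_PORT:-ssh}") $INTERN_SSH_SERVER$nl"
    fi

    status=0 seen=' '
    while read -r port addr; do
        [ -n "$port" ] || continue
        case $seen in
            *" $port=$addr "*) continue ;;      # same forward listed twice
            *" $port="*)
                echo "conflict: tcp/$port is forwarded to more than one address"
                status=1 ;;
        esac
        seen="$seen$port=$addr "
        case $opened in
            *" $port "*) ;;
            *)  echo "locked out: tcp/$port -> $addr is not in EXTERN_TCP_PORTS"
                status=1 ;;
        esac
    done <<EOF
$fwd
EOF
    exit "$status"
)

# write_sample_conf FILE: constructed sample modelled on the settings quoted
# above, with only www opened to the outside.
write_sample_conf() {
    cat > "$1" <<'EOF'
EXTERN_TCP_PORTS="0/0_www"
INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.0.2_ftp
                tcp_${EXTERN_IP}_smtp_192.168.0.2_smtp"
INTERN_WWW_SERVER=192.168.0.2
INTERN_SMTP_SERVER=192.168.0.2
INTERN_SSH_SERVER=192.168.0.2
EXTERN_SSH_PORT=24
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
lint_portfw "$conf" || echo "=> add the ports listed above to EXTERN_TCP_PORTS"
rm -f "$conf"
```
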



Re: [Leaf-user] need help with port forwarding

2002-01-03 Thread dgilleece

Quoting Peter Jay Salzman <[EMAIL PROTECTED]>:

> once the lock was opened, she came screaming down the aisle, rushed the
> altar and now the deed is done.  i'm running a fully operational
> dachstein cd firewall.
> 

Aye! She's a randy lass, that one ;)




[Leaf-user] Ping Problem

2002-01-03 Thread dgilleece

I have two DachCD systems setup to begin testing IPSec.  Both are assigned 
external IPs in my 209.98.58.0/29 range, plugged into a hub that allows them to 
share the outbound router.  The first system, .244, can ping .246 with no 
problem, and it can ping the router at .241.  The system at .246 can't ping 
anything in 209.98.58.0/29 --- getting instead:

# ping 209.98.58.241
PING 209.98.58.241 (209.98.58.241): 56 data bytes
ping: sendto: Invalid argument

This system, .246, can ping PAST the router, out to hosts on the internet, and 
the hosts on the 192.168.2.0/24 subnet behind it can get thru .246 and access 
the internet.  Something in my configs just seems to be hosing the ping command 
for my external network on this box.

The machine in question has had the internal IPs renumbered to avoid ipsec 
conflicts in the final layout.

Any tips?

Dan




Re: [Leaf-user] Ping Problem

2002-01-03 Thread dgilleece

Ray & Charles,

Thanks for the direction.  I will take a gander back thru the configs, and 
probably start over with a clean floppy if it doesn't jump out at me.  Likely I 
nicked the code somewhere when I was changing the 192.168.1 references.

It'll be another learning experience :)

Dan

Quoting Ray Olszewski <[EMAIL PROTECTED]>:

> I've not seen that particular error from sendto: before, but Charles'
> suggestions are probably the right place to start (even though routing
> problems normally generate a different ping error).
> 
> One thing, though: if your hosts are numbered 209.98.58.241, 209.98.58.244,
> and 209.98.58.246, then they are on network 209.98.58.240/29, NOT
> 209.98.58.0/29. When checking your setup, you might look for errors
> associated with this misspecification (assuming it wasn't just a typo in
> your e-mail).
> 
> At 05:03 PM 1/3/02 -0600, [EMAIL PROTECTED] wrote:
> [...]
> >...The system at .246 can't ping 
> >anything in 209.98.58.0/29 --- getting instead:
> >
> ># ping 209.98.58.241
> >PING 209.98.58.241 (209.98.58.241): 56 data bytes
> >ping: sendto: Invalid argument
> >
> >This system, .246, can ping PAST the router, out to hosts on the internet,
> >and the hosts on the 192.168.2.0/24 subnet behind it can get thru .246 and
> >access the internet.  Something in my configs just seems to be hosing the
> >ping command for my external network on this box.
> [...]
> 
> 
> --
> "Never tell me the odds!"---
> Ray Olszewski-- Han Solo
> Palo Alto, CA  [EMAIL PROTECTED]
> 
> 
> 
> 

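Added example, not written by anyone in the thread: the /29 arithmetic behind the correction quoted above, done in shell so it can be run against the values in a network configuration. The function names are hypothetical; the addresses are the ones quoted in the messages.

```shell
#!/bin/sh
# Added example: check that interface addresses fall inside the network they
# are configured for. Function names are made up for this illustration.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() (
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || { echo "bad address" >&2; exit 2; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR LEN -> network address of the /LEN block that holds ADDR
network_of() (
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    int_to_ip $(( $(ip_to_int "$1") & mask ))
)

# broadcast_of ADDR LEN -> broadcast address of the /LEN block that holds ADDR
broadcast_of() (
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    int_to_ip $(( ($(ip_to_int "$1") & mask) | (~mask & 4294967295) ))
)

# in_cidr ADDR NET/LEN -> exit status 0 when ADDR lies inside NET/LEN
in_cidr() {
    [ "$(network_of "$1" "${2#*/}")" = "$(network_of "${2%/*}" "${2#*/}")" ]
}

# check_hosts NET/LEN ADDR... -> one report line per address;
# exit status 1 if any address is outside the configured block.
check_hosts() (
    cidr=$1; len=${cidr#*/}; shift
    bad=0
    for h in "$@"; do
        if in_cidr "$h" "$cidr"; then
            echo "$h: inside $cidr"
        else
            echo "$h: outside $cidr, belongs to $(network_of "$h" "$len")/$len"
            bad=1
        fi
    done
    exit "$bad"
)

# Demo with the addresses from the thread: first the network as written in
# the original post, then the one given in the reply.
check_hosts 209.98.58.0/29   209.98.58.241 209.98.58.244 209.98.58.246 || true
check_hosts 209.98.58.240/29 209.98.58.241 209.98.58.244 209.98.58.246
```
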



[Leaf-user] Completely Routable Subnet

2002-01-09 Thread dgilleece

Hi all,

I am not sure really how to describe what I am after, but I'll try to sketch 
it.  

In a situation in which a network needs to have broad compatibility with multi-
vendor VPN solutions (from client sites to home office, and vice versa), it 
appears that fully routable, legal IP addresses will be required.  One client 
in particular declares that NAT will not work with its "aggressive mode" 
system, and cannot be made to.  

The systems on the local subnet need to be able to communicate as a full 
workgroup, sharing files and printers.  The VPN connections need to be initiated 
from both external locations coming in, and from internal hosts going out.  As 
I understand it, systems in a DMZ in Eiger/Dachstein cannot be made to 
communicate with each other without routing tweaks --- so I'm assuming this 
won't do the trick.

Here are my questions:

1.  Is it still true that some systems absolutely cannot be made to work with 
NAT?

2.  Anyone care to comment on the security and administration issues with 
managing a network of routable addresses from behind a LEAF box?

3.  Are there any architectural "tricks" that can be used to create VPN 
gateways that allow full access into a private network from only one trusted 
host outside --- and is this a good idea?

4.  Are there example configs around where a LEAF distro has been setup to do 
such things?


Thanks,

Dan





[Leaf-user] Saving IPSec Configuration on DCD...??

2002-01-10 Thread dgilleece

OK, I give up.  What is the magic combination for getting the ipsec.conf and 
ipsec.secrets files to back up with DCD?  I am thick, dense, and very 
frustrated.


Thanks,

Dan




[Leaf-user] Observations on DCD/IPSec Setup & Documentation

2002-01-11 Thread dgilleece

After yanking several handfuls of hair from my head, I finally got my VPN lab 
fully functional and tested.  Thanks to all those here who helped.  

I am in the process of documenting the process I used --- skipping all the 
false starts, dead-ends, and hand-wringing ;-) I'll be interested in the 
opinions of list members on how this works out.  It is intended to be very 
similar to Richard Lohman's very fine "baby-steps" documentation -- kind of 
cookbook style, with no assumptions built in.  Anyone interested in 
participating, please let me know.

One key observation that I'd like clarification on: Routing Non-routable 
Addresses in Dachstein.  

I followed a rough lab setup I found on the 'net, that used generic Red Hat 
boxes for each tunnel endpoint, with a dual NIC Red Hat box between them doing 
vanilla ip forwarding.  I followed the diagrams to the letter so I couldn't get 
lost, but in the end, nothing worked.  It appears to me that using the author's 
private IPs on eth0 of a DCD box just doesn't work.  DCD seems to be enforcing 
the non-routable rule.  I changed all my 172.16 networks to 174.16 networks, 
and the floodgates opened up.  Questions:

1.  Is my observation correct?  Is the LRP/DCD code enforcing the non-routable 
rule?

2.  Where does this code live/how can it be deactivated or reconfigured?


Thanks,

Dan




Re: [Leaf-user] Forwarding broadcast traffic?

2002-01-11 Thread dgilleece

Building off of Charles' comment:  If you *are* looking to enable subnet-to-
subnet browsing of Windows shares, Samba does the trick without much heartache 
at all.  I have an SME/e-smith box on one end of my VPN lab setup, and a remote 
machine on the other end.  The remote-end clients simply have the IP address of 
the SME box (default configured as a Master) in the WINS server configuration 
of the Windows IP configuration.  The remote clients report themselves to the 
Master, and it in turn re-advertises their existence to the local subnet.  So 
all Windows clients on a 10.1.2.0/24 network can see all Windows clients thru 
the tunnel on a 192.168.1.0/24 subnet (and vice versa), thru an intervening 
174.16.1.0/24 "simulated internet." Works slick.

If you want a braindead-easy Samba server (and really a complete drop-in Linux 
replacement for NT server) see the details at www.e-smith.org.  It's open 
source and freely distributed, with commercial support if desired.  My primary 
fileserver runs 2 60 GB disk RAID 1, on a P100 throw-away.  Free.  And I mean, 
braindead easy...

Dan

Quoting Ed Zahurak <[EMAIL PROTECTED]>:

> 
> Is it possible to configure a set of LRP/LEAF routers to forward
> broadcast
> traffic accross a vpn link between the two subnets?  If so, how would I
> go
> about configuring the boxes to take the traffic?
> 
> Thanks,
> Ed Z.
> 
> 
> 




Re: [Leaf-user] Dachstein-CD v1.0.2 as a router only (no firewall)

2002-01-12 Thread dgilleece

eth0 on Dachstein will not route private IP addresses without the following 
change, quoted from a recent reply from Charles on a related question:


[this behavior is controlled by] The stopMartians () procedure of
/etc/ipfilter.conf.  You can comment out the private IP blocks in this
procedure if you want to send/receive from reserved private IP addresses on
your "external" interface.

HTH,

Dan


Quoting Kenneth Hadley <[EMAIL PROTECTED]>:

> 
> - Original Message -
> From: "guitarlynn" <[EMAIL PROTECTED]>
> To: "Kenneth Hadley" <[EMAIL PROTECTED]>
> Sent: Saturday, January 12, 2002 1:49 PM
> Subject: Re: [Leaf-user] Dachstein-CD v1.0.2 as a router only (no
> firewall)
> 
> 
> > On Saturday 12 January 2002 14:52, Kenneth Hadley wrote:
> >
> > > I'm having some limited success in getting Dachstein 1.02 to run as
> > > just a router between two private networks, 192.168.1.0 and
> > > 192.168.2.0, with 192.168.2.0 being an expansion to the 192.168.1.0
> > > network which is just about full.
> > > Some of the options on my Dachstein box:
> > >
> > > IPFILTER_SWITCH=router
> > >
> > > Does anyone have any thoughts on what I might have configured wrong?
> >
> >
> > Change IPFILTER_SWITCH=none
> > The router option still has some ip spoofing and RFC blocking, but
> > setting it to none leaves a straight-through router w/o any protection
> > if I understand things right hopefully I do!
> > --
> >
> > ~Lynn Avants
> > aka Guitarlynn
> >
> > guitarlynn at users.sourceforge.net
> > http://leaf.sourceforge.net
> >
> > If linux isn't the answer, you've probably got the wrong question!
> 
> I'm guessing my problems are related to some of the filters too, but
> unfortunately changing IPFILTER_SWITCH to "none" completely kills all
> traffic between 192.168.1.0 and 192.168.2.0
> Worth a shot
> 
> Thanks though!
> 
> -Kenneth Hadley
> 
> 
> 
> 




Re: [Leaf-user] Linux 2.4 based Firewalls made in Switzerland

2002-01-12 Thread dgilleece

> > That's neat, but I don't know of any micro sized 10/100 switches
> > that people can put into a pc.  Do you?
> http://www.trust.com/products/frame-product.htm?artnr=12034
> unfortunately, only 10MBits...
> Regards,
> Etienne

10/100 PCI card switch:  http://www.trendware.com/products/TE100-S4PCI.htm
Linux driver, too...




RE: [Leaf-user] Forwarding broadcast traffic?

2002-01-12 Thread dgilleece

As taken from the man page of dhcp-options, DHCP2 supports:

'option www-server [address-list]'  

As I understand it, this lists the Web servers available to the client, and is 
primarily useful for defining proxy Web servers that a client must use. 

...and:

'option smtp-server [address-list]'

Which from my reading are said to be useful to Windows clients --- but I have 
yet to test this.  Also important to determine: does the dhcpd, as packaged in 
LRP support the full command set?

I'll take a look at this, and report back what I find.

Dan


Quoting Richard Doyle <[EMAIL PROTECTED]>:

> You might want to check the dhcp server mailing list:
> http://www.isc.org/services/public/lists/dhcp-lists.html.
> 
> Dhcpd 3 lets you define arbitrary options, but I don't know whether that
> will suffice.
> AFAIK dhcpd 3 has not been lrp'd; it is much bigger than dhcpd 2.
> 
> -Richard
> 
> > Microsoft's new dhcp server now supports setting internet explorer's
> > proxy address through dhcp,
> >
> > is there any linux dhcp server which already supports this? If that's a
> > yes is there an lrp package for it.
> >
> > And yes I know they don't follow the official RFC by doing that but hey
> > it would be practical in my environment and I am pretty much afraid that
> > this will be the argument to go back to a windows based dhcp server
> > otherwise.
> >
> > Kim
> >
> 
> 
> 




Re: [Leaf-user] Firewall Setup

2002-01-13 Thread dgilleece

What distribution are you using?
What IP addresses are you using for your external interface?


Quoting [EMAIL PROTECTED]:

> While sifting through docs I found this error which I have been receiving,
> while trying to ping any internet IP from the LRP box:
> sendto(): operation not permitted
> It says that this is the result of incorrect setup of the Firewall rules.
> Where can I find some documentation on setting up a set of Firewall rules
> that will give me at least minimal access to the net (www & email for now).
> At least if I can get that working I can slowly work through the rest.
> 
> My main problem is right now, to test out the router I have to switch my
> cable modem to it.  Once that is done, it makes it difficult (currently
> impossible) to do any research on problems as they come up.
> 
> Again, your help is greatly appreciated.
> Sincerely,
> 
> Justin Pease
> N u a n c e   N i n e
> Web Usability, Development and Design
> www.nuance9.com
> 
> 
> 




Re: [Leaf-user] Firewall Setup

2002-01-13 Thread dgilleece

A couple of things are happening.  First, it seems that your Dach box is not 
obtaining a proper address from your ISP.  If your address used to be 
24.116.x.x, you should be seeing something similar now.  Since it is getting 
assigned a 10.x.x.x address, the ipfilter code is generating the "operation not 
permitted" message --- as Dachstein disallows RFC 1918 addresses (of which the 
10.x.x.x is).  Since these are reserved for the "private" side of networks, the 
external interface will reject everything if an "illegal" address is configured 
on that interface.

The thing to track down is why the external interface is not obtaining the 
proper IP from your ISP.  That is outside of my experience, since I have always 
used static IPs.  I'd recommend you walk very carefully thru the network.conf, 
paying close attention to the sections involving dynamic external IPs.  A good 
step-by-step procedure for setting it up can be found at:  
http://www.pigtail.net/LRP/ --- about half way down the page is where the fun 
begins...

Also note, some ISPs restrict your connection to a specific MAC address.  If 
your ISP does that, it may be rejecting your attempt to obtain a DHCP lease.  
If that is the case, you will have to notify your ISP to give the MAC of your 
intended external NIC.  I recall somewhere that some systems have a "trick" for 
spoofing the MAC address, so you don't have to involve the ISP.  Unfortunately, 
I haven't seen that approach in action, and I don't know if or how it would 
work. 

Good luck,

Dan



Quoting [EMAIL PROTECTED]:

> I am using the most recent DachStein Floppy based distro.
> The current install appears to have setup 10.x.x.x IP addresses for the
> external NIC (eth0).
> This seems strange to me, as in the past the ISP DHCP assigned IP was
> 24.116.x.x.
> 
> Thanks.
> 
> Justin
> 
> On 13 Jan 2002 at 20:02, [EMAIL PROTECTED] wrote:
> 
> What distribution are you using?
> What IP addresses are you using for your external interface?
> 
> 
> Quoting [EMAIL PROTECTED]:
> 
> > While sifting through docs I found this error which I have been receiving,
> > while trying to ping any internet IP from the LRP box:
> > sendto(): operation not permitted
> > It says that this is the result of incorrect setup of the Firewall rules.
> > Where can I find some documentation on setting up a set of Firewall rules
> > that will give me at least minimal access to the net (www & email for now).
> > At least if I can get that working I can slowly work through the rest.
> > 
> > My main problem is right now, to test out the router I have to switch my
> > cable modem to it.  Once that is done, it makes it difficult (currently
> > impossible) to do any research on problems as they come up.
> > 
> > Again, your help is greatly appreciated.
> > Sincerely,
> > 
> > Justin Pease
> > N u a n c e   N i n e
> > Web Usability, Development and Design
> > www.nuance9.com
> > 
> > 
> > 
> 
> 
> Sincerely,
> 
> Justin Pease
> N u a n c e   N i n e
> Web Usability, Development and Design
> www.nuance9.com
> 
> 




Re: [Leaf-user] Telstra ADSL PPPoE guide needed!

2002-01-13 Thread dgilleece

On another board to which I subscribe, they are tossing around this link 
http://www.synapticserver.com/bpalogin_2howto.html

Supposedly, it has the low-down on your system.  It is not specific to LEAF, 
but should at least tell you how Linux in general needs to talk to that ISP's 
system.

Good luck,

Dan

PS: See how icky html messages come across?  In unix-oriented circles, html 
email is really, really frowned upon.  Friendly tip ;)

Quoting Stewart Adey <[EMAIL PROTECTED]>:

> 
> Hi, I'm running Telstra ADSL and i want to route my internet to
> 30-40 computers. Does anyone have an image already customized for this
> kind of setup?  Thank you very much in Advance, Stewart Adey. 
> By the way, Telstra uses their own customized program as a user
> name/password login system.  (http://bpalogin.sourceforge.net)
> (www.2dex.com/lrp/bpalogin.lrp)

> 
>  
> 




Re: [Leaf-user] need help with port forwarding

2002-01-16 Thread dgilleece

I don't know if you have received any reply to this yet --- I had a bit of 
mailbox problem yesterday, and this post doesn't seem to appear in the 
archives...

Anyway, it appears this is a simple typo:

HERE===>  tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp is where you port forward
                                        ^^ NOTE DOT ONE DOT ONE

HERE===>  INTERN_SMTP_SERVER=192.168.10.1 is where you defined your SMTP server
                                     ^^ NOTE DOT TEN DOT ONE

Someone correct me if I'm wrong, but I believe you only need to do the 
forwarding for your mail server in one place --- the INTERN_SMTP_SERVER line.  
I believe the INTERN_* variables are just common ports that are in there to 
make configuration of common servers as easy as uncommenting and changing the 
internal address.  *correctly*  ;-)

Good luck

Quoting "Reginald R. Richardson" <[EMAIL PROTECTED]>:

> Maybe u can help me out here...
> 
> I have the same problem as you had, whereas the Bride was inside waiting while
> the groom stood outside behind the lockdoor..
> 
> I tried all options that u were told to try, but still my portforwarding is
> giving problems..
> 
> can u probably be so kind as to send me a copy of your network.conf..
> 
> i'm using dachstein cd v1.02
> here's my loaded modules:
> ip_masq_autofw   
> ip_masq_ftp  
> ip_masq_icq  
> ip_masq_mfw  
> ip_masq_mms  
> ip_masq_portfw   
> ip_masq_pptp 
> ip_masq_raudio   
> ip_masq_user 
> ip_gre
> 
> This is where i think i open the door for the groom:
> # TCP services open to outside world
> # Space seperated list: srcip/mask_dstport
> 
> EXTERN_TCP_PORTS="0/0_1723 0/0_smtp 0/0_pop-3"
> 
> And this is where i enable the portforwarding:
> 
> #
> #INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp
> tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
> 
> # These lines use the primary external IP address...if you need to port-forward
> # an aliased IP address, use the INTERN_SERVERS setting above
> 
> #INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
> #INTERN_WWW_SERVER=192.168.10.5 # Internal WWW server to make available
> INTERN_SMTP_SERVER=192.168.10.1 # Internal SMTP server to make available
> INTERN_POP3_SERVER=192.168.10.1 # Internal POP3 server to make available
> #INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
> #INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
> #EXTERN_SSH_PORT=24 # External port to use for internal SSH access
> 
> 
> when i send a test e-mail to my e-mail server behind the firewall, and i use
> TCPDUMP to check, i can see the smtp packet arriving, but when i check the Mail
> Server SMTP log, i see no incoming connections...
> 
> thanks for your help...
> 
> On Thu, 3 Jan 2002 00:25:26 -0800, Peter Jay Salzman wrote:
> >dan, you hit the nail on the head.  the bride was definitely locked out
> >of the church.
> >
> >once the lock was opened, she came screaming down the aisle, rushed the
> >altar and now the deed is done.  i'm running a fully operational
> >dachstein cd firewall.
> >
> >thank you!
> >
> >pete
> >
> >begin [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> >> Do you have the corresponding ports *open* in the EXTERN_TCP_PORTS section?  If
> >> not, the forwarding rules are inside waiting for a bride that's locked out of
> >> the church ;)
> >>
> >> Also, since it looks like you have re-numbered your network from the default
> >> (changed 192.168.1 to 192.168.0) you should have a stroll back thru your
> >> configs, to make sure you have changed every instance of 192.168.1.
> >>
> >> Dan
> >>
> >> Quoting Peter Jay Salzman <[EMAIL PROTECTED]>:
> >>
> >> > i'm using dachstein 1.0.2 on a home network firewall.  everything seems
> >> > hunky dory:
> >> >
> >> > network cards are both recognized and configured correctly
> >> > masquerading works on the internal machines
> >> > everyone can ping everyone, both inside and out.
> >> >
> >> > the last hurdle is port forwarding -- it looks ok, but isn't working
> >> > (i'm not receiving mail, and i can't telnet to the smtp port from a
> >> > remote machine).  note that the internal server that handles mail, ftp
> >> > and apache is satan.diablo.net (192.168.0.2).  the firewall is
> >> > mephisto.diablo.net (eth0: 64.164.47.8 eth1: 192.168.0.1).
> >> >
> >> > modules:
> >> >  ip_masq_user
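
The two checks suggested in this thread (every forwarded service also open in EXTERN_TCP_PORTS, and no leftover addresses from a second internal /24) can be automated. The following is an added example, not part of the original posts or of Dachstein; the sample config is constructed, the port table is the example's own, and it assumes, as the replies do, that a forward needs a matching EXTERN_TCP_PORTS entry.

```python
import re

# Constructed sample modelled on the quoted network.conf (pop-3 left unopened).
SAMPLE_CONF = '''\
EXTERN_TCP_PORTS="0/0_1723 0/0_smtp"
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
#INTERN_FTP_SERVER=192.168.1.1    # Internal FTP server to make available
INTERN_SMTP_SERVER=192.168.10.1   # Internal SMTP server to make available
INTERN_POP3_SERVER=192.168.10.1   # Internal POP3 server to make available
'''

# Service-name to port table: this example's own, not taken from Dachstein.
PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80,
         "pop-3": 110, "pop3": 110, "imap": 143}
ASSIGN = re.compile(r'^([A-Z0-9_]+)=("[^"]*"|\S*)')
# Captures the /24 prefix of an RFC 1918 address, e.g. "192.168.10".
PRIVATE_24 = re.compile(r'(?<![\d.])((?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))'
                        r'\.\d{1,3})\.\d{1,3}(?![\d.])')

def port_number(name):
    """Accept a service name ('smtp', 'pop-3') or a number ('1723')."""
    return int(name) if name.isdigit() else PORTS.get(name.lower())

def active_settings(text):
    """Return the uncommented NAME=value assignments, quotes stripped."""
    found = (ASSIGN.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2).strip('"') for m in found if m}

def forwards(settings):
    """Yield (variable, internal IP, public port) for every active forward."""
    for name, value in settings.items():
        m = re.fullmatch(r'INTERN_([A-Z0-9]+)_SERVER', name)
        if m and value:
            svc = m.group(1).lower()
            # The quoted config sets the SSH forward's public port separately.
            public = settings.get("EXTERN_SSH_PORT", svc) if svc == "ssh" else svc
            yield name, value, port_number(public)
    for entry in settings.get("INTERN_SERVERS", "").split():
        # Format seen in the thread: proto_extip_extport_dstip_dstport
        proto, rest = entry.split("_", 1)
        _ext_ip, ext_port, dst_ip, _dst_port = rest.rsplit("_", 3)
        if proto == "tcp":
            yield "INTERN_SERVERS", dst_ip, port_number(ext_port)

def lint(text):
    """Return findings for the two mistakes diagnosed in the thread."""
    settings = active_settings(text)
    opened = {port_number(item.rsplit("_", 1)[-1])
              for item in settings.get("EXTERN_TCP_PORTS", "").split()}
    findings = [f"{var}: forwards to {ip} but port {port} is not in EXTERN_TCP_PORTS"
                for var, ip, port in forwards(settings) if port not in opened]
    # Renumbering leftovers: more than one private /24, commented lines included.
    prefixes = sorted(set(PRIVATE_24.findall(text)))
    if len(prefixes) > 1:
        findings.append("mixed internal networks: "
                        + ", ".join(f"{p}.0/24" for p in prefixes))
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```
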

Re: [Leaf-user] ipsec on a floppy? managing packages in Windows?

2002-02-10 Thread dgilleece

If your hardware isn't too old, changing media is really the way to go.  If 
your system's BIOS can support a bootable CD, that is unquestionably the way to 
go.  I switched from a single-floppy Eiger box to a Dachstein-CD setup (with 
IPSec), and the flexibility is incredible.  It's definitely worth consideration.

As far as trimming space goes, it sounds like you've been pretty thorough --- 
you just can't get 10 lbs of corn in 5 lb sack ;)

Dan

Quoting Christopher Holmes <[EMAIL PROTECTED]>:

> I'm running Dachstein & trying to fit the FreeS/WAN IPSEC packages onto my
> floppy, but don't have enough room.  I've moved up to 1722K format & removed
> modules that I'm not using (dhclient, some ip-masq stuff, ethernet card
> drivers) but I'm still falling about 75K short.  Any ideas where else I can
> trim some space?  I've poked through the packages & can't find anything else
> that can be removed or that's big enough to make a difference.
> 
> Also, I can unzip the package files with winzip.  Anyone know a good way to
> re-package them under windows 2K?  I don't have a full linux box up yet,
> and my Dachstein box is in the grimy basement where I'd prefer not to be
> spending a lot of time.
> 
> My other option is to move to a different media, but I'd prefer not to do
> that either.
> 
> Thanks,
> Chris



Re: [Leaf-user] ipsec on a floppy? managing packages in Windows?

2002-02-10 Thread dgilleece

Perhaps I should have been clearer :)  My intent was to say that if it boots 
from the CD, you are a lot better off when loading packages, as the load time 
is significantly faster than a floppy.  That's what makes it "unquestionably 
the way to go."  Non-bootable CDs work, and give you the additional capacity, 
but less boost in load speed -- if that is important to you, as it is to me.

Dan

Quoting "Michael D. Schleif" <[EMAIL PROTECTED]>:

> 
> [EMAIL PROTECTED] wrote:
> > 
> > If your hardware isn't too old, changing media is really the way to go.  If
> > your system's BIOS can support a bootable CD, that is unquestionably the way to
> > go.  I switched from a single-floppy Eiger box to a Dachstein-CD setup (with
> > IPSec), and the flexibility is incredible.  It's definitely worth consideration.
> > 
> > As far as trimming space goes, it sounds like you've been pretty thorough ---
> > you just can't get 10 lbs of corn in 5 lb sack ;)
> 
> Actually, DCD does *not* require a bootable cdrom.
> 
> One of my systems boots off of the floppy and then gets *all* of its
> packages off of the cdrom.  This scheme leaves little room for
> subsequent backups on floppy; but, the partial backup schema saves a lot
> of butt, in this regard.
> 
> HTH




[Leaf-user] libz on Dach-CD

2002-03-21 Thread dgilleece

Hi All,

Am I correct in assuming that Dachstein-CD will use the libz.lrp from the 
floppy if I copy it there, rather than the one burned onto the CD?  I am 
also assuming J. Nilo's updated libz is suitable for this use -- is that 
the case?

Thanks,

Dan
-- 
Optimum Networks, Inc.
Small Business IT Services
Serving Minneapolis/St. Paul Metro






Re: [Leaf-user] libz on Dach-CD

2002-03-21 Thread dgilleece

Just for clarification, if my system boots from the CD, it will still give
precedence to the libz.lrp from the floppy?

Thanks again,

Dan
- Original Message -
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Scott C. Best" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 21, 2002 4:47 PM
Subject: Re: [Leaf-user] libz on Dach-CD

> Longer answer:
> If you have a libz.lrp on your boot= device (typically the floppy),
> Dachstein CD will unzip this *LAST*, over-writing any pre-existing files,
> assuming you haven't over-ridden the default search order for the package in
> question (details on this behavior are in the CD README file).






Re: [Leaf-user] Bering Firewall without NAT

2002-03-22 Thread dgilleece

I had to do something similar recently, and I'm still amazed at how uncommon
it seems to be -- there are not many examples around.

I can't speak to Bering-specific configurations, as I have only used
Shorewall on Red Hat and SuSE "minimal" installations, but I assume it is
Shorewall that will take the lead in your scenario.

The secret for Shorewall is the proxyarp file, since Proxy-arp must be used
to do what you are looking to do.  Getting the proxyarp file configured can
be a bit time-consuming, as it must explicitly list each IP address for
which it will proxy, plus a few other configuration parameters.  To assist
with this task, I created a short Perl script, that you can find here:
http://www.optimumnetworks.com/PAconfig .

A few other tips:

1.  Assign an RFC1918 address to your internal interface, like 192.168.0.1
2.  Create a host route to your default gateway, specifying the external NIC
by device name, i.e.:
   route add -host DefGWIP dev ethX.  Create the "init" file per Shorewall
docs, and put your route command there.
3.  Create host routes for any host NOT behind your firewall, but in the
same network space as the external interface -- via the external interface.
Since you are using legal addresses, your configs need to expressly indicate
"these hosts are on THAT side of eth1, those hosts are on THAT side of
eth0."
4.  Control arp caches --- the single most blindingly frustrating
hair-pulling make-you-think-you've-gone-insane part of Proxy-arp.  If you
can flush a device with a command, do it; if not power cycle any arp-caching
devices (bridges/switches/routers) within your control --- or be prepared to
wait an undefined amount of time before all entries expire in the arp caches
you can't control.  ISP's upstream router on bridged DSL comes to mind...
This is the part that really complicates troubleshooting, since you ALWAYS
want your system up NOW, when you've rolled the dice by taking an entire
subnet down.  If you have a smaller piece of the network you can isolate as
a test "zone," it will give you more breathing room to get comfortable with
your configs, and the behavior of Proxy-arp.  Resist the temptation to go
back and make guesses in your configs --- since you are more likely to move
from the right answer to the wrong one, due to a stuck arp entry
"somewhere."

5.  See http://www.optimumnetworks.com/proxyarp.txt for an example of a real
Shorewall proxyarp config file.  Notice I generated the entire /25 subnet,
then commented out special-purpose addresses near the bottom.

6.  All other Shorewall configs are standard.

Good luck!

Dan
Optimum Networks, Inc.
www.optimumnetworks.com

- Original Message -
From: "Jonathan Monk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 22, 2002 3:43 AM
Subject: [Leaf-user] Bering Firewall without NAT


> Hi,
>
> I was wondering if anyone had any idea about using Bering/Shorewall without
> using Masquerading or NAT. We are at a University so we already have all the
> machines on our network assigned to "real" addresses. I don't really want to
> change all of them to private addresses but I am having problems in
> configuring Bering Shorewall to do this.
>
> Currently we have a gateway 134.36.22.1 and our main switch connects to that
> and it's all very straight forward. Our plan was to add the firewall between
> the gateway and the switch i.e.
>
> Gateway      Firewall Ext    Firewall Int  Switch  Hosts
> 134.36.22.1  134.36.22.2     134.36.22.5   *       134.36.22.???
>              gw=134.36.22.1                        gw=134.36.22.5
>
> We also need to enable access to our webserver for ssh, www and ftp access. I
> was planning on doing this either via a separate zone/hosts or via rule
> exceptions in Shorewall.
>
> I have a pair of machines that I have connected to the firewall so I can try
> things but the only way I have got anything to work was adding static routes
> on the firewall and even then I couldn't get very far as I was still running
> NAT.
>
> My test setup worked well with NAT using private addresses. Bering was
> straightforward to setup in this case. (Kudos to the authors)
> Unfortunately I suspect my knowledge of TCP/IP has sort of run its course at
> this point and I am a bit stuck for what to try next. I was considering
> trying to chuck out the NAT kernel modules and set it up as a bridge but the
> example configuration also used NAT
>
> Cheers,
>
> Jonathan
>
> --
> Dr Jonathan Monk, Dundee Satellite Receiving Station
> University of Dundee, Dundee, DD1 4HN
> tel: 44 (0)1382 344409 fax: 44 (0)1382 345415
> e-mail [EMAIL PROTECTED] http://www.sat.dundee.ac.uk
>
>
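
The proxyarp file and the host routes described in tips 2, 3 and 5 of the reply above can be generated together. This is an added example, not the PAconfig Perl script or the proxyarp.txt the reply links to; the subnet is a constructed documentation range, the interface names are assumptions, and the column layout is the ADDRESS / INTERFACE / EXTERNAL / HAVEROUTE format of Shorewall's proxyarp file.

```python
import ipaddress

def build(subnet, internal_if, external_if, outside, own):
    """Return (proxyarp_rows, route_cmds) for a proxy-ARP firewall.

    outside: {address: note} for hosts on the external side (gateway etc.)
    own:     {address: note} for the firewall's own addresses in the subnet
    """
    net = ipaddress.ip_network(subnet)
    skip = {ipaddress.ip_address(a): note
            for a, note in {**outside, **own}.items()}
    stray = sorted(str(a) for a in skip if a not in net)
    if stray:
        raise ValueError(f"not in {net}: {', '.join(stray)}")
    rows = ["#ADDRESS\tINTERFACE\tEXTERNAL\tHAVEROUTE"]
    for host in net.hosts():  # hosts() omits the network and broadcast addresses
        # HAVEROUTE "No" asks Shorewall to add the route to the internal side.
        row = f"{host}\t{internal_if}\t{external_if}\tNo"
        # Special-purpose addresses stay in the file, commented out.
        rows.append(f"#{row}\t# {skip[host]}" if host in skip else row)
    # Hosts on the external side need explicit host routes (tips 2 and 3);
    # these lines are meant for the Shorewall "init" file.
    routes = [f"route add -host {ipaddress.ip_address(a)} dev {external_if}"
              for a in outside]
    return rows, routes

# Constructed values: documentation subnet, interface names are assumptions.
ROWS, ROUTES = build("192.0.2.0/25", "eth1", "eth0",
                     outside={"192.0.2.1": "default gateway",
                              "192.0.2.3": "server outside the firewall"},
                     own={"192.0.2.2": "firewall external address"})

if __name__ == "__main__":
    print("\n".join(ROUTES))
    print("\n".join(ROWS[:6]))
```
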


Fw: [Leaf-user] Celeron/Pentium vs Duron/Athlon

2002-03-31 Thread dgilleece

Oops...reply...reply to all...same difference  :P
- Original Message -
From: "dgilleece" <[EMAIL PROTECTED]>
To: "Scott C. Best" <[EMAIL PROTECTED]>
Sent: Sunday, March 31, 2002 11:05 AM
Subject: Re: [Leaf-user] Celeron/Pentium vs Duron/Athlon


> I love AMD...rock solid performance:$ ratio --- with a catch.  If you are
> going to be meticulous in your handling of AMD chips, they will serve you
> well.  If you need to build systems to hand off to clients, you may want to
> reconsider.  The fact is this:  AMD chips commit suicide if cooling fails
> for any reason, Intel chips don't.  Intel chips automagically throttle down
> to save the system, where AMD chips just cook themselves to death.
> Something to consider.
>
> In my situation, I use AMD for almost everything.  If I build a system to
> sell, it's an Intel chip.  The reason is simple:  I have to warranty them.
> If a customer decides to stick the firewall in a closet, there will be an
> eventual buildup of dust on the fans and heatsink, high ambient air temp in
> the closet --- a recipe for failure.  I won't take the chance on factors
> outside my control.
>
> So, there's the balanced, non-religious, do-what-works perspective :)
>
> Dan
> - Original Message -
> From: "Scott C. Best" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Sunday, March 31, 2002 2:29 AM
> Subject: Re: [Leaf-user] Celeron/Pentium vs Duron/Athlon
>
>
> > Greg:
> > Heya. A quick comment or two to your recent post:
> >
> > > > Is there a significant performance penalty when using a Celeron or
> > > > Duron processor vs an Athlon or Pentium. Not just in speed but in
> > > > the ability to process.
> > >
> > > This is a really broad question.  It all depends on what you want to
> > > do. I read a performance review on www.tomshardware.com.  I don't recall
> > > the link but the data is almost a year old.  It influenced how I look at
> > > hardware now.
> >
> > I know the feeling. THG influenced the way that I look
> > at *benchmarks*. Each of them (and there are many; typically THG's
> > site uses a dozen or so different benchmarks when they review or
> > compare & contrast multiple systems) is essentially restricted from
> > demonstrating infinite performance because of a system bottleneck.
> > That is, typically just one thing in the system will holdback a
> > system's performance in any given benchmark. This could be cache
> > size, FSB speed, CPU MHz, northbridge chipset vendor, memory bus
> > bandwidth, memory latency, graphics card speed, etc.
> > So the best way to see how "good" a system is is to run it
> > against multiple benchmarks which evaluate performance against multiple
> > bottlenecks. Then you can make an informed decision about where to
> > spend your money to "go after" the cheapest bottleneck. I'd agree
> > with what Tom said: for sub-1GHz machines, the most bang for a buck
> > can most often be had by upgrading the graphics card.
> >
> >
> > > Tom's Hardware has made other comparisons.  He has found Duron and
> > > Athlon's out perform Intel chips.  I get the picture that the food chain
> > > looks like celeron, pentium, duron, athlon...this is a generalization.
> > > The other problem when looking at speed is that Intel use this as a
> > > marketing tool.  AMD chips perform better at lower speeds suggesting
> > > that "the ability to process" is held by AMD chips.
> >
> >
> > You could start a religious war here. :) THG does a fairly
> > good job of reporting about which systems are currently the top-dog
> > at a given price target. I'd agree that AMD holds the lead here.
> > However, THG also overclocks whatever they can get their hands on,
> > to see whose system has more game left in it. In this category, Intel's
> > P4 is out in front (though you'd pay more for it).
> >
> > Also, I understand that there are multiple "reporters" who
> > work for THG, and they each have their personal preferences. I
> > recall reading one who was upset about paying $15 more for a stick
> > of RDRAM than DDR SDRAM, but thought paying $20 more for CAS=2
> > memory instead of CAS=2.5 memory was "well worth it". Shrug.
> >
> > Lastly, surely both Intel and AMD use performance numbers as
> > marketing tools: Intel boasts that they have the fastest CPU frequency,
> > and AMD boasts that their design does more wo